Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

request.User claims not found during Logout #1380

Closed Siphonophora closed 1 year ago

Siphonophora commented 1 year ago

@AndersAbel

I am using Sustainsys.Saml2.AspNetCore2 Version="2.9.0" in a .NET 6 Blazor app.

Registration: This is a minimized example with the same behavior. I know the cert will be needed for federated logout.

        // Okta settings (SiteUrl, EntityId, OktaMetadataUrl) are bound from configuration.
        var oktaConfig = new OktaOptions();
        configuration.Bind("Okta", oktaConfig);

        services
            .AddAuthentication("Identity.Application")
            .AddCookie("Identity.Application")
            .AddSaml2(Saml2Defaults.Scheme, options =>
            {
                options.SPOptions.Logger = new SerilogAdapter();
                options.SPOptions.EntityId = new EntityId(oktaConfig.SiteUrl);
                options.SPOptions.ReturnUrl = new Uri(AddTrailingSlashIfNeeded(oktaConfig.SiteUrl) + "AppDirectory");

                // Single Idp, configured from its metadata document.
                options.IdentityProviders.Add(
                    new IdentityProvider(
                        new EntityId(oktaConfig.EntityId), options.SPOptions)
                    {
                        MetadataLocation = oktaConfig.OktaMetadataUrl,
                    });
            });

In the app, and on razor pages I have access to all the claims.

        <table class="table table-bordered table-sm">
            <tr>
                <th>Claim Type</th><th>Value</th><th>Issuer</th><th>ValueType</th>
            </tr>
            @foreach (var claim in context.User.Claims)
            {
                <tr>
                    <td>@claim.Type</td><td>@claim.Value</td><td>@claim.Issuer</td><td>@claim.ValueType</td>
                </tr>
            }
        </table>


Users logout by clicking a link

<a href="Saml2/Logout">Log out</a>

Result:

[17:01:20 DBG] Initiating logout, checking requirements for federated logout
  Issuer of LogoutNameIdentifier claim (should be Idp entity id): 
  Issuer is a known Idp: False
  Session index claim (should have a value): 
  Idp has SingleLogoutServiceUrl: 
  There is a signingCertificate in SPOptions: False
  Idp configured to DisableOutboundLogoutRequests (should be false): 
[17:01:20 INF] Federated logout not possible, redirecting to post-logout and clearing local session

I assume either the request user is null or for some reason the cookie can't be read during logout, based on https://github.com/Sustainsys/Saml2/blob/v2/Sustainsys.Saml2/WebSSO/LogOutCommand.cs#L166-L170. This looks like the same issue as #1356 but the apparent resolution seems incomplete, or I just don't understand what it is supposed to do.
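The debug output above lists the preconditions the library checks before it will send a federated LogoutRequest. The following is an added diagnostic, not code from the issue or from Sustainsys.Saml2: a hypothetical `FederatedLogoutCheck` helper that evaluates those same preconditions against the current principal at any point (for example right after sign-in), so a missing claim or certificate is caught before the logout path silently falls back to clearing only the local session. It assumes the `Saml2ClaimTypes`, `IdentityProviderDictionary.KnownIdentityProviders`, `SingleLogoutServiceUrl`, `DisableOutboundLogoutRequests` and `SPOptions.SigningServiceCertificate` members as I understand them from the library, and the endpoint path `/saml2-logout-check` is a made-up name.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;

// Hypothetical helper (added here, not part of Sustainsys.Saml2). Mirrors the checks
// logged under "Initiating logout, checking requirements for federated logout".
public static class FederatedLogoutCheck
{
    public static IReadOnlyList<string> MissingRequirements(ClaimsPrincipal user, Saml2Options options)
    {
        var problems = new List<string>();

        // The LogoutNameIdentifier claim carries the NameID the Idp expects back, and its
        // Issuer must equal the Idp entity id. If it is absent the principal was not built
        // from the Saml2 sign-in (or the cookie was not read), which matches the log above.
        var logoutNameId = user.FindFirst(Saml2ClaimTypes.LogoutNameIdentifier);
        if (logoutNameId == null)
        {
            problems.Add("no LogoutNameIdentifier claim on the principal");
            return problems; // remaining Idp checks depend on the claim's issuer
        }

        var idp = options.IdentityProviders.KnownIdentityProviders
            .FirstOrDefault(i => i.EntityId.Id == logoutNameId.Issuer);
        if (idp == null)
            problems.Add($"claim issuer '{logoutNameId.Issuer}' is not a configured Idp entity id");
        else
        {
            if (idp.SingleLogoutServiceUrl == null)
                problems.Add("Idp metadata exposes no SingleLogoutService endpoint");
            if (idp.DisableOutboundLogoutRequests)
                problems.Add("Idp has DisableOutboundLogoutRequests = true");
        }

        if (string.IsNullOrEmpty(user.FindFirst(Saml2ClaimTypes.SessionIndex)?.Value))
            problems.Add("no SessionIndex claim");

        // An outbound LogoutRequest must be signed, so a signing certificate is required.
        if (options.SPOptions.SigningServiceCertificate == null)
            problems.Add("no SigningServiceCertificate in SPOptions");

        return problems;
    }
}

// Usage in Program.cs after `var app = builder.Build();` (assumed endpoint name):
// app.MapGet("/saml2-logout-check", (HttpContext ctx, IOptionsMonitor<Saml2Options> o) =>
//     Results.Json(FederatedLogoutCheck.MissingRequirements(ctx.User, o.Get(Saml2Defaults.Scheme))))
//    .RequireAuthorization();
```

An empty list from an authenticated request means the federated logout path should proceed; any entry names the precondition that would otherwise only surface in the debug log at logout time.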

Siphonophora commented 1 year ago

See resolution on #1356