Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Asp.net Core Logout implementation help #1384

Closed XenHuang closed 1 year ago

XenHuang commented 1 year ago

Hi, I recently added SAML sign-on to my .NET Core application using Azure AD. It's working well. I have a "SAML" button that redirects the user to a Microsoft login page, and users are able to log in. However, I don't know if the logout is working correctly. Here is the issue:

  1. In a clean cookie state, the user goes to my web application and clicks the "SAML" button to sign in externally using the SAML service; it then redirects to the Microsoft login page, the user enters credentials and logs in successfully.
  2. Redirect back to my web application.
  3. The user clicks the logout button and is redirected back to the login page. It seems like my web application successfully logged out.
  4. However, when the user clicks the "SAML" button to log in again, the website redirects to the Microsoft login page and automatically logs in without the need to enter the Microsoft user credentials. Is this normal? Should it ask the user to enter the Microsoft user credentials again since they logged out? If so, how do I implement this? I have tried two approaches from 2 other issues, but none of them makes the user enter the Microsoft user credentials again after logging out.

I am using the Asp.net core default template and SigninManager:

```csharp
// Logout handler (Razor Pages page model using the ASP.NET Core Identity SignInManager).
// Return type is Task<IActionResult> because the handler returns redirect results.
public async Task<IActionResult> OnPost(string returnUrl = null)
{
    // Approach 1: sign out of both the cookie scheme and the Saml2 scheme
    //return SignOut(new AuthenticationProperties() { RedirectUri = returnUrl }, CookieAuthenticationDefaults.AuthenticationScheme, Saml2Defaults.Scheme);

    // Approach 2: pass the SessionIndex / LogoutNameIdentifier claims along
    //var authProps = new AuthenticationProperties
    //{
    //    RedirectUri = Url.Action(nameof(Index), "Home", values: null, protocol: Request.Scheme)
    //};
    //AddAuthenticationPropertiesClaim(authProps, "/SessionIndex");
    //AddAuthenticationPropertiesClaim(authProps, "/LogoutNameIdentifier");
    // Note: as written the SignOut result is created but never returned
    //SignOut(authProps, CookieAuthenticationDefaults.AuthenticationScheme, Sustainsys.Saml2.AspNetCore2.Saml2Defaults.Scheme);

    // Original Code: only ends the local Identity session
    await _signInManager.SignOutAsync();
    _logger.LogInformation("User logged out.");
    if (returnUrl != null)
    {
        return LocalRedirect(returnUrl);
    }
    else
    {
        return RedirectToPage();
    }
}
```

AndersAbel commented 1 year ago

To get a working logout you need to both log out of your local application and the upstream Azure AD provider. If you don't, you will get the behaviour you are seeing: the user is logged out of your application, but automatically single signed on from the Azure AD session.

To enable the Saml2 single logout support you need to configure a service certificate in your application, as the single logout messages have to be signed. There is also a log entry written on logout which details all the requirements to be able to do a federated logout and which of them are fulfilled.
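As an added illustration of the answer above (example code, not the project's own or the poster's): a minimal Sustainsys.Saml2 setup that registers a service certificate so LogoutRequest messages can be signed, plus a logout handler that ends both the local cookie session and the IdP session. Entity IDs, the metadata URL and the certificate path are assumed placeholders.

```csharp
// Program.cs (ASP.NET Core + Sustainsys.Saml2.AspNetCore2). Added example; the
// entity IDs, tenant placeholder and certificate path are assumptions.
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = Saml2Defaults.Scheme;
    })
    .AddCookie()
    .AddSaml2(o =>
    {
        o.SPOptions.EntityId = new EntityId("https://sp.example.test/Saml2"); // assumed
        // Single logout messages must be signed, so the SP needs a certificate with a
        // private key. Load the password from configuration/secret store, never hard-code it.
        // The IdP verifies the signature against the public part it has on file for this SP.
        o.SPOptions.ServiceCertificates.Add(
            new X509Certificate2("sp-signing.pfx", builder.Configuration["Saml2:CertPassword"]));
        o.IdentityProviders.Add(new IdentityProvider(
            new EntityId("https://sts.windows.net/<tenant-id>/"), o.SPOptions) // placeholder
        {
            MetadataLocation = "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml", // placeholder
            LoadMetadata = true
        });
    });
builder.Services.AddRazorPages();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

// Pages/Logout.cshtml.cs: signing out of BOTH schemes triggers the SAML2 single logout
// round trip with the IdP; signing out of the cookie scheme alone is what produces the
// "silently signed back in" behaviour described in the issue.
public class LogoutModel : PageModel
{
    public IActionResult OnPost(string? returnUrl = null)
    {
        // Only accept local return URLs so the logout endpoint is not an open redirect.
        var target = (returnUrl != null && Url.IsLocalUrl(returnUrl)) ? returnUrl : "/";
        var props = new AuthenticationProperties { RedirectUri = target };
        // With ASP.NET Core Identity, use IdentityConstants.ApplicationScheme as the local scheme.
        return SignOut(props, CookieAuthenticationDefaults.AuthenticationScheme, Saml2Defaults.Scheme);
    }
}
```

If the logout still does not reach the IdP, the log entry the answer mentions lists which prerequisite (certificate, NameID, SessionIndex, IdP SLO endpoint) is missing.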