Reputation: 466
Not able to SignOut using Saml2 from Sustainsys
This should be redirecting my app to my AdFs signOut Page, and then redirect me back to my app. However, it simply redirects me to my route "/logout". Watching the log on my ADFS server nothing happens.
[AllowAnonymous]
[HttpGet]
[Route("api/logout")]
public async Task<IActionResult> Logout()
{
return SignOut(new AuthenticationProperties()
{
RedirectUri = "/logout"
},
Saml2Defaults.Scheme);
}
SignIn works fine. I even tried this same approach, but does not work. Here, the ReturnUrl method gets the location from HttpContext.Response.Header. When I try this for the logout, the location is always null.
[AllowAnonymous]
[HttpGet]
[Route("api/login")]
public async Task<string> LoginAdfs()
{
string redirectUri = _appSettings.Saml.SpEntityId;
await HttpContext.ChallengeAsync(new AuthenticationProperties
{
RedirectUri = string.Concat(redirectUri, "/autenticado")
});
return ReturnUrl();
}
Any idea what could be happening?
UPDATE 21/11/2019
Turns out the Saml2Handler is simply not trying to send the request to the server. I'm getting these messages on my output window:
Sustainsys.Saml2.AspNetCore2.Saml2Handler: Debug: Initiating logout, checking requirements for federated logout
Issuer of LogoutNameIdentifier claim (should be Idp entity id):
Issuer is a known Idp: False
Session index claim (should have a value):
Idp has SingleLogoutServiceUrl:
There is a signingCertificate in SPOptions: True
Idp configured to DisableOutboundLogoutRequests (should be false):
Sustainsys.Saml2.AspNetCore2.Saml2Handler: Information: Federated logout not possible, redirecting to post-logout
Here is my StartUp Configuration, I don't get what is wrong here:
ServiceCertificate se = new ServiceCertificate()
{
Certificate = new X509Certificate2(SpCert, "",X509KeyStorageFlags.MachineKeySet),
Use = CertificateUse.Signing
};
SPOptions sp = new SPOptions
{
AuthenticateRequestSigningBehavior = SigningBehavior.Never,
EntityId = new EntityId(SpEntityId),
ReturnUrl = new Uri("/login"),
NameIdPolicy = new Sustainsys.Saml2.Saml2P.Saml2NameIdPolicy(null, Sustainsys.Saml2.Saml2P.NameIdFormat.Unspecified),
};
sp.ServiceCertificates.Add(se);
IdentityProvider idp = new IdentityProvider(new EntityId(appSettings.Saml.EntityId), sp);
idp.Binding = Saml2BindingType.HttpPost;
idp.AllowUnsolicitedAuthnResponse = true;
//idp.WantAuthnRequestsSigned = true;
idp.SingleSignOnServiceUrl = new Uri("/login");
//idp.LoadMetadata = true;
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(IdpCert));
idp.MetadataLocation = theMetadata;
idp.DisableOutboundLogoutRequests = true;
Upvotes: 2
Views: 5389
Answers (4)
Reputation: 21
After strugling with this for quite some time, here is the code implementing the logout functionality as an extension to the Saml2WebAPIAndAngularSpaExample (see https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample).
Startup.cs
builder.Services.AddAuthentication(o =>
{
o.DefaultScheme = ApplicationSamlConstants.Application;
o.DefaultSignInScheme = ApplicationSamlConstants.External;
o.DefaultAuthenticateScheme = ApplicationSamlConstants.Application; //needed for logout
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ClockSkew = TimeSpan.FromMinutes(Convert.ToDouble(builder.Configuration["Jwt:ExpireInMinutes"])),
ValidIssuer = builder.Configuration["Jwt:Issuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"])),
};
})
.AddCookie(ApplicationSamlConstants.Application)
.AddCookie(ApplicationSamlConstants.External)
.AddSaml2(options =>
{
options.SPOptions.EntityId = new EntityId(builder.Configuration["Saml:SPEntityId"]);
var idp = new IdentityProvider(new EntityId(builder.Configuration["Saml:IDPEntityId"]), options.SPOptions)
{
Binding = Saml2BindingType.HttpPost,
SingleSignOnServiceUrl = new Uri(builder.Configuration["Saml:IDPSingleSignOnServiceUrl"]),
SingleLogoutServiceBinding = Saml2BindingType.HttpRedirect,
SingleLogoutServiceUrl = new Uri(builder.Configuration["Saml:IDPSingleLogoutServiceUrl"]),
AllowUnsolicitedAuthnResponse = true,
DisableOutboundLogoutRequests = false,
//LoadMetadata = false
};
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(builder.Configuration["Saml:IDPCertificateFileName"]));
options.IdentityProviders.Add(idp);
options.SPOptions.ServiceCertificates.Add(new X509Certificate2(builder.Configuration["Saml:SPCertificateFileName"]));
});
DefaultAuthenticateSchemeneeds to be set to theApplicationSamlConstants.Applicationscheme in order for the logout to work. TheAuthorizeattribute in the controller needs selecting the schemeJwtBearerDefaults.AuthenticationSchemeexplicitly - see below.Sustainsys.Saml2parametersSingleLogoutServiceBinding,SingleLogoutServiceUrlandDisableOutboundLogoutRequestsneed to be set.
SamlController.cs
[AllowAnonymous]
[HttpGet("InitiateSingleSignOn")]
public IActionResult InitiateSingleSignOn(string returnUrl)
{
// challenge the user to sign in using SAML
return new ChallengeResult(
Saml2Defaults.Scheme,
new AuthenticationProperties
{
RedirectUri = Url.Action(nameof(LoginCallback), new { returnUrl })
});
}
[AllowAnonymous]
[HttpGet("Callback")]
public async Task<IActionResult> LoginCallback(string returnUrl)
{
// authenticate and sign in
// (see https://stackoverflow.com/questions/53654020/how-to-implement-google-login-in-net-core-without-an-entityframework-provider for details)
var authenticateResult = await HttpContext.AuthenticateAsync(ApplicationSamlConstants.External);
if (!authenticateResult.Succeeded)
{
return Unauthorized();
}
var claimsIdentity = new ClaimsIdentity(ApplicationSamlConstants.Application);
claimsIdentity.AddClaim(authenticateResult.Principal.FindFirst(ClaimTypes.NameIdentifier));
claimsIdentity.AddClaim(authenticateResult.Principal.FindFirst("http://Sustainsys.se/Saml2/LogoutNameIdentifier"));
claimsIdentity.AddClaim(authenticateResult.Principal.FindFirst("http://Sustainsys.se/Saml2/SessionIndex"));
await HttpContext.SignInAsync(
ApplicationSamlConstants.Application,
new ClaimsPrincipal(claimsIdentity));
// issue JWT token
var token = this.CreateJwtSecurityToken(authenticateResult);
HttpContext.Session.SetString("JWT", new JwtSecurityTokenHandler().WriteToken(token));
// redirect to the page that caused our first challenge
if (!string.IsNullOrEmpty(returnUrl))
{
return Redirect(returnUrl);
}
return this.Ok();
}
[AllowAnonymous]
[HttpGet("InitiateSingleLogout")]
public IActionResult InitiateSingleLogout(string returnUrl)
{
HttpContext.Session.SetString("JWT", "");
return SignOut(
new AuthenticationProperties()
{
RedirectUri = Url.Action(nameof(LogoutCallback), new { returnUrl })
},
ApplicationSamlConstants.External,
ApplicationSamlConstants.Application,
Saml2Defaults.Scheme
);
}
[AllowAnonymous]
[HttpGet("LogoutCallback")]
public IActionResult LogoutCallback(string returnUrl)
{
if (!string.IsNullOrEmpty(returnUrl))
{
return Redirect(returnUrl);
}
return this.Ok();
}
- The
SignInAsynclogic inLoginCallbackis crucial for the logout to work. The two specific claims need to be present in theClaimPrincipal(see https://stackoverflow.com/a/59107708/5956120). Then sign in theClaimPrincipalusing theApplicationSamlConstants.Applicationscheme. - The sign in logic is taken from: how to implement google login in .net core without an entityframework provider
AuthorizationController.cs
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[HttpGet("TestAuthorization")]
public ActionResult TestAuthorization()
{
return this.Ok("Congratulations, you are authorized.");
}
- In order for the authentication schemes to be able to coexist, when using the
[Authorize]attribute, the scheme needs to be explicitly selected. For details see: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-6.0.
Upvotes: 0
Reputation: 9789
From my own experience, the two claims, as mentioned by Anders Abel, should be present on the user. I had not seen these claims until I passed all of the claims along with the sign-in request. ASP.NET Core recreates the principal on SignInAsync and needs claims to be passed in with the request.
With the following, I am able to fulfill a SingleLogout with my service:
await HttpContext.SignInAsync(user.SubjectId, user.Username, props, user.Claims.ToArray());
Upvotes: 1
Reputation: 69280
For the logout to work, two special claims "LogoutNameIdentifier" and "SessionIndex" (full names are http://Sustainsys.se/Saml2/LogoutNameIdentifier and http://Sustainsys.se/Saml2/SessionIndex need to be present on the user. Those carries information about the current session that the Saml2 library needs to be able to do a logout.
Now I don't see your entire Startup, so I cannot understand your application's flow. But those claims should be present in the identity returned by the library - possibly stored in an External cookie (if you are using asp.net identity). When your application then sets the application cookie those two claims must be carried over to the session identity.
Also you have actually disabled outbound logout with DisableOutboundLogoutRequests. But that's not the main problem here as your logs indicates that the required claims are not present.
Upvotes: 5
Related Questions
- Issue logging out non-SAML authenticated user when sustainsys OWIN middleware enabled
- Cannot Logout from IdentityServer 4 through Azure SAML logout request
- SAML 2.0 Logout SP initiated using ITfoxtec.Identity.Saml2
- SAML Single Logout using Sustainsys and Azure giving Message is invalid error
- Sustainsys.Saml2 logout not working if .pfx file not configured in service collection
- IdP Initiated Login with Sustainsys.SAML2 - AuthenticateResult Has No Information
- Sustainsys Saml2 Handler AuthenticateAsync() method operation is not implemented
- Sustainsys.Saml2 SLO Logout RequestDenied status error
- Kentor/Sustainsys redirects back to SP after receiving LogoutResponse from IDP
- Saml2 Single Logout (SingleLogoutServiceResponseUrl) with Sustainsys and Identity Server 4