How to properly handle logout request after session expires when using WSFederationAuthenticationModule? - asp.net-mvc

I am using WSFederationAuthenticationModule for authentication. When the user is not authenticated it redirects them to ADFS web agent accordingly. The ADFS cookie lasts longer than the app session, so sometimes they will just be looped right back into the application.
Pretty much every time this is what I want: the user tries to do something, it redirects them if the session is expired, and they come back around (either after logging in again or after it finds the cookie to still be good) and then they can do what they want. However, if they are clicking 'logout' I want them to be logged out. But the Module is intercepting and sending them back around, and then they have to click 'logout' again once the session is restored.
Logout is an MVC API controller action. I am not sure if I want to take it out from behind the security because it also triggers some clean-up things for the app (I realize this is also a problem because potentially if they never click logout those things won't happen, but that is a different issue).
I feel like I must be missing something with WSFederationAuthenticationModule and ADFS... something just doesn't feel right about making the logout action an anonymous/public action. There must be some consideration for this in the intentions of WSFederationAuthenticationModule but I can't seem to pin it down.

As far as I understand, your authentication is kept via an auth cookie. You should try adding the following in your app controller under your logout action:

```csharp
FederatedAuthentication.SessionAuthenticationModule.SignOut();
return View("LogOut");
```

This will log them out. Now if the "LogOut" view cannot be accessed by an unauthenticated person it will redirect back to your login page for login.
One more thing, if what you mean above is that after the session expiration when someone tries to access the logout page (although their session is anyhow expired already) they are first redirected to the login module to authenticate (since they need to be authenticated for access to the logout page), you could do something like this:

```csharp
if (User.Identity.IsAuthenticated)
{
    // your logout logic goes here together with other clean-up
}
else
{
    // you could choose to return a view which says he is already logged out
}
```

or on the login service side (if you control it) check where the request is coming from and take action accordingly.

Related

Auth0: How to enable silent authentication in Hosted Login Page?

I'm using hosted screen of Auth0. I want the following scenario to work-
Let's say I have 2 apps- app1 and app2.
One of the users signed in by providing email+password in app1.
User then navigated to app2.
Auth0 detected that the user has already signed in, so it redirects the user back to app2 WITHOUT having her signed in again.
But what I'm facing is this screen-
How can I save my user this additional click? How do I implement silent authentication? I know that you have to pass prompt=none to /authorize api, but since I'm not manually calling the api, how do I make the lock call /authorize with prompt=none?
What you want is silent SSO which is related to SSO but kind of independent.
The key is in the prompt param. This needs to be none in order for the user to not be prompted for login when he's already logged in Auth0's Authorization Server ("central SSO").
One annoying thing I found is that prompt is taken literally, so if the user is not logged in yet, he will not be prompted to login (you'd think it'd make sense to prompt the user when not logged right?).
In this case SSO will redirect to your app's /authorize with an error like "authentication required" and you'll have to handle it by redirecting the user to your /login endpoint again but passing prompt=true so that it knows that this time he'll have to pass prompt=true to Auth0's hosted login page.
To make things a bit uglier, currently passport-auth0-openidconnect seems to ignore the params you pass to the strategy unless you monkey patch one of the methods involved (I created a PR for it, don't know when it will be approved and/or if it makes sense).
Essentially:
Pass prompt=none
If user is already logged in, he will silently be logged in your app as well
If user not logged in, user will be redirected to your app with "login required" error
In that case you'll have to pass prompt=true
I know it's a bit fiddly but I hope this helps you :)
PS: Another thing to bear in mind - I just found out that it works perfectly when using GitHub as connection, but when using google-oauth2 it blows up complaining about the prompt param :|
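The prompt=none flow described above, as an added example in plain Node.js (not code from the original post or from passport-auth0-openidconnect). It uses the standard OIDC error code login_required and prompt=login for the retry where the answer writes prompt=true; the tenant domain, client id and redirect URI are constructed placeholders.

```javascript
// Added example (not from the original post or from passport-auth0-openidconnect).
// Tenant, client id and redirect URI are constructed placeholders.
const AUTH0_DOMAIN = 'example.auth0.com';
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';
const REDIRECT_URI = 'https://app.example/callback';

// Build the /authorize request. prompt is 'none' for the silent attempt and
// 'login' (the OIDC value; the answer calls it prompt=true) for the visible retry.
function buildAuthorizeUrl({ state, prompt }) {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid profile',
    state,
    prompt,
  });
  return `https://${AUTH0_DOMAIN}/authorize?${params.toString()}`;
}

// Interpret the query string Auth0 redirected back to /callback with.
// Returns { action: 'exchange', code } when the silent login worked,
// { action: 'retry', url } when the user has no central session, or
// { action: 'fail', error } for anything else (including a state mismatch).
function handleCallback(queryString, expectedState) {
  const q = new URLSearchParams(queryString);
  if (q.get('state') !== expectedState) {
    return { action: 'fail', error: 'state_mismatch' };
  }
  const error = q.get('error');
  if (error === 'login_required' || error === 'interaction_required') {
    // The "login required" case from the answer: repeat the request, this
    // time letting the hosted login page prompt the user.
    return { action: 'retry', url: buildAuthorizeUrl({ state: expectedState, prompt: 'login' }) };
  }
  if (error) {
    return { action: 'fail', error };
  }
  const code = q.get('code');
  return code ? { action: 'exchange', code } : { action: 'fail', error: 'missing_code' };
}
```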

auto logout from second application when logout trigger from first application

Scenario:
I have two applications to which login is done using the PingFederate single sign-on service.
1. User tries to log in to the first application, but as the user is unauthenticated the user is redirected to the login page of PingFederate (universal sign-in page). User logs into the first application.
2. User tries to log in to the second application; as the user was already authenticated by the single sign-on service, PingFederate provides the application with the necessary information (information required to set the session) and the user is redirected to the second application.
Problem:
When the user logs out from the first application, the user is logged out successfully. At this point PingFederate knows about all open applications and sends them a logout callback. So it sends a logout request to the second application. The second application handles the logout request and clears the session. But the user stays on the same page; the user is not redirected to the login page.
Question:
How can this be implemented so that when we receive a logout request the user is redirected to the login page?
The way SLO is supposed to work for SP-Init SLO is:
1. You click logout at the FIRST SP application.
2. You are redirected to the IdP with a LogoutRequest.
3. The IdP then sends you, serially, to all the other SPs with LogoutRequests. Every one of those must provide a SAMLResponse back to the IdP with a status.
4. The IdP, after receiving the final status, must send the user/browser back to the originating SP with a SAMLResponse with the final status, which the SP acts upon.
In IdP-Init SLO, it's basically only step 3.
Here's the kicker, though, and I think it gets to the heart of your question. If a single one of those SPs "misbehaves", i.e., does not respond to, or support, SLO (there is no requirement for them to support SLO), then it will break the "chain" of logouts, if you redirect to it! The IdP will redirect off to the SP, and there the browser will stay. Once the chain has been broken, there is no way to get it started again.
I discussed this problem in my blog post "SLO - Proceed With Caution", a bit more than a year ago. Ultimately, with many of the big-name SPs out there not supporting SLO, there's not much of a reason to do it - it's just going to give you, as a SAML administrator, a black eye. Or heartburn. Or both.
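The SLO chain described in this answer, as an added example (not code from the original answer or from PingFederate): a small Node.js model of the IdP walking each SP serially, where one constructed SP never answers its LogoutRequest and the SPs after it keep their sessions. makeSp and runSlo are hypothetical helpers.

```javascript
// Added example (not from the original answer or from PingFederate): a model of
// the SLO chain. makeSp and runSlo are hypothetical helpers; SPs are constructed.
const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

// An SP with a live session. One that does not support SLO never answers the
// LogoutRequest (returns null), which is what leaves the browser parked on it.
function makeSp(id, supportsSlo) {
  return {
    id,
    session: true,
    handleLogoutRequest() {
      if (!supportsSlo) return null;
      this.session = false;
      return STATUS_SUCCESS; // the SAMLResponse status sent back to the IdP
    },
  };
}

// IdP side. originId set: SP-initiated SLO (steps 1-4 of the answer);
// originId null: IdP-initiated SLO, i.e. only step 3 across every SP.
function runSlo(participants, originId = null) {
  const origin = participants.find(p => p.id === originId) || null;
  if (origin) origin.session = false;                     // step 1: logout at the first SP
  const targets = participants.filter(p => p !== origin); // step 3: every other SP, serially
  const statuses = {};
  for (const sp of targets) {
    const status = sp.handleLogoutRequest();
    if (status === null) {
      // Chain broken: no SAMLResponse comes back, so the IdP never reaches the
      // remaining SPs and never redirects the browser to the originator.
      return {
        completed: false,
        browserAt: sp.id,
        statuses,
        stillLoggedIn: participants.filter(p => p.session).map(p => p.id),
      };
    }
    statuses[sp.id] = status;
  }
  // Step 4: final status back to the originating SP (or the IdP's own page for IdP-init).
  return { completed: true, browserAt: origin ? origin.id : 'idp', statuses, stillLoggedIn: [] };
}
```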

Navigate to original requested page

I have pages which are secured by session. In case the session does not exist, navigate to the login page. This works fine.
Now, let's say I am at some page like abc.aspx. The session does not exist. The system navigates to the login page. So, once logged in, can I navigate the user to the page which was originally requested?
Usually it is performed by adding the requested URL as a query parameter to the Login page URL, e.g. http://fakehost/Login?retUrl=originalpage,
so app code can redirect back to it. The Forms authentication mechanism does it for you.
Yes, you can. However, it would be recommended to add a ReturnUrl query string which contains the page they came from or need to go to after they have logged in. You can also use Request.UrlReferrer, I believe, which gives you the page they came from, but that means if, for example, they came from Google to your site to log in and you redirect, it would go back to Google.
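The check a practitioner wants before honouring the retUrl/ReturnUrl parameter described in these answers, as an added example (not code from the original posts or from Forms authentication): only a same-site path is accepted, so the login page cannot be turned into a redirect to another host. The base origin is a constructed placeholder.

```javascript
// Added example (not from the original posts): validate a retUrl/ReturnUrl value
// before redirecting to it. The base origin is a constructed placeholder.
const SITE_ORIGIN = 'https://app.example';

// True only for a relative path that stays on this site.
function isSafeReturnUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return false;
  // Whitespace or control characters never belong in a redirect target.
  if (/[\s\u0000-\u001f]/.test(raw)) return false;
  // Must be a single-slash relative path: "//host" is protocol-relative and
  // browsers treat "/\host" like "//host", so both would leave the site.
  if (!raw.startsWith('/') || raw.startsWith('//') || raw.startsWith('/\\')) return false;
  // Resolve against our origin and insist the result is still our origin.
  let parsed;
  try {
    parsed = new URL(raw, SITE_ORIGIN);
  } catch (e) {
    return false;
  }
  return parsed.origin === SITE_ORIGIN && parsed.protocol === 'https:';
}

// Post-login destination: the validated return URL, or a safe default.
function postLoginRedirect(retUrl, fallback = '/') {
  return isSafeReturnUrl(retUrl) ? retUrl : fallback;
}
```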

DotNetOpenAuth Login without asking credential in second Time (if less then 10 to 15 Sec)

I'm using DotNetOpenAuth. I configured my application with custom forms authentication with Gmail OpenID through DotNetOpenAuth. I can successfully log in to my app. But say, for example, I logged out from the application and click login (within 10 to 15 sec): it's not redirecting to the Gmail login. It generated the authentication token by itself without asking the user. (I suppose something is cached in OpenID.)
I used PAPE:

```csharp
request.AddExtension(new PolicyRequest()
{
    MaximumAuthenticationAge = TimeSpan.Zero
});
```

And also tried to configure it in web.config:

```xml
<openid cacheDiscovery="false">
```

Is there any workaround for the same?
NOTE: Once I logged out I used to clear ALL Session and call FormsAuthentication.SignOut().
With OpenID, you as the relying party cannot force the login policy for the user at their Provider. You can request that the provider relogin the user as you have with the PAPE extension, but the Provider may still ignore that.
The cacheDiscovery setting is irrelevant to pass-through login, so I suggest you remove that entry as it will simply slow down all logins.
I think you're mistaken when you say it's not redirecting to Google. If you look at the logs, or at your browser's URL bar, you should see the redirect to Google.com, but at that point Google decides the user has a login session and avoids prompting them to log in again, and redirects the user immediately back to your site.

Losing Oauth Authorization When App Redirects to Page Tab

I'm using the Oauth redirect authorization method to provide authorization for a page tab iframe application.
The flow works like this:
User loads page tab (unauthorized)
User clicks authorize link
Authorization dialog takes over parent window
Accepted authorization redirects to my application to register user account using authorized email.
My application redirects back to the page tab
Loading the page tab causes authorization to be lost, and the user sees the authorize link again. Rinse, repeat, no success.
Confusingly, the application works completely if instead of redirecting to the Facebook Page Tab, I redirect to any path in my application (ie. the root, the user's page, etc.). Only by setting the redirect to the Facebook Page Tab URL does the user get "booted".
Even stranger, if I keep redirection limited to my application, but simply load the Facebook Page Tab, the authorization is killed everywhere. Meaning, post-facebook-page-load, refreshing the application off-Facebook will prompt the user to authorize again, and they are effectively "logged out" of my system.
I am using Rails 3.0.1 with Devise 1.4.2 for user accounts. The user authorization is passed to a Devise registration (I need to keep track of users in my app - a voting-based "contest" application). Devise uses the "Server side Flow" detailed here: http://developers.facebook.com/docs/authentication/
I'm lost as to what would be causing this. Facebook killing the auth cookie? Does this happen?
When you access the Facebook tab page for the first time, signed_request is necessary:

```ruby
signed_request = oauth.parse_signed_request(params[:signed_request])
```

So you can send a parameter when redirecting to it from other pages to check if it's the first time.
