Comments (8)
You'd have to change how that signout work to use the IdentityServer logoutpage design. Perhaps look at how the OIDC end session code handles it now and replicate that (in a PR perhaps)?
from identityserver4.wsfederation.
@brockallen - to be sure I understand what you are suggesting.
Alter the WsFederationController.ProcessSignOut method to not redirect to "connect/endsession", but instead "move the code" from that into ProcessSignOut and replace the use of EndSessionRequestValidator with a new WsFederationSignoutRequestValidator?
Alternative - hack it with IdentityServerTools.IssueJwtAsync(3600, new List { new Claim(JwtClaimTypes.Audience, clientId) }) and send that as id_token_hint?
from identityserver4.wsfederation.
Hi @pi3k14
Did you complete this scenario?
from identityserver4.wsfederation.
@iyhammad for now we are using the "alternative" version.
Injecting IdentityServerTools into WsFederationController
and alter the ProcessSignOut method to include
var hint = await _tools.IssueJwtAsync(3600, new List<Claim> { new Claim(JwtClaimTypes.Audience, realm) }); url = Url.Action("endsession", "connect", new { id_token_hint = hint, post_logout_redirect_uri = reply });
In our case we get the realm from SignOutRequestMessage and does a validation against Request.Headers["Referer"], in addition there should be a check against _userSession.GetClientListAsync();
But we haven't drawn up a general solution (yet).
from identityserver4.wsfederation.
I tried this but I got these errors in the log
DEBUG 2018-08-01 11:17:18,339 [7 ] tityServer4.Endpoints.EndSessionEndpoint - Processing signout request for 2
DEBUG 2018-08-01 11:17:18,346 [7 ] r4.Validation.EndSessionRequestValidator - Start end session request validation
DEBUG 2018-08-01 11:17:18,353 [7 ] dentityServer4.Validation.TokenValidator - Start identity token validation
ERROR 2018-08-01 11:17:18,371 [7 ] dentityServer4.Validation.TokenValidator - No clientId supplied, can't find id in identity token.
INFO 2018-08-01 11:17:18,378 [7 ] r4.Validation.EndSessionRequestValidator - End session request validation failure: Error validating id token hint
{
"SubjectId": "unknown",
"Raw": {
"id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRDQThEMkJEQTMxOEIyN0IxNDVCRDAzMTY2NjQ5QUFBNkE1QTZFN0MiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJUS2pTdmFNWXNuc1VXOUF4Wm1TYXFtcGFibncifQ.eyJuYmYiOjE1MzMxMjIyMzgsImV4cCI6MTUzMzEyNTgzOCwiaXNzIjoiaHR0cDovL2tpdGRldnNwMjAxMzAxOjEyMzQ0IiwiSWRlbnRpdHlTZXJ2ZXIiOiJ1cm46c2hhcmVwb2ludCIsImNsaWVudGlkIjoidXJuOnNoYXJlcG9pbnQifQ.fm-A5jaHOI3YI29wlWSNo197Jcpdlf_71xp89edlka8CD_t3Jz10czJzeSMw2iMyZO5U-Lf_xOBM59q8k5S22vS9ww_BNW90_RrPL0O3fluG1kn_aOKxweWloK7Q5b3aqRGcWAnX0TE60m7CxMDXRrseGu9gUTg68PACK_r0ofXleUOLYxLXbdLCxg8ioSNSGkaZtGBQS8QAuisDMIbeB5q13BYl-B0-Lw1KYI8ABUZTGomwr59LpJUmW41TrG8WaXb8n1hzbBabttiLtRgnksyPiLsTyEyCgZQ9syyYAVc7l2THohBjrDWfET3gwqIuZu6i63Fh7bRSeJHIVLow48rRmtJrZTcGScmEPppjtMxefoSBsN3K6SCZ3U7jbIgkmDVGBWfDQkuG4Vfyk5q1LHNtqjLFf_JXsif88fWYxzOrtZIfzqGM2e48Jp4A4ijteWcirtdHZPyZ70vIaoybJxo0o9sACIuakB5Vnw10Rqk7ORRvk3J5AFv5bkKCooN9ZMVpNff9BnIAQwFlWkuDuFiQtUDpdZdUNzknRHuhsXELGJEI0luDuE17lpp-tulOFra8B_LGZU1gXdEp5IghW5X4vTCK9ek-4A--X1E48O9in4m0RtoPaY3MjDYGMbwtps6FkjmoZda_RqJUXKWRkJgEB_PTFFaxUX7ocJ30jEM",
"post_logout_redirect_uri": "http://kitdevsp201301"
}
}
ERROR 2018-08-01 11:17:18,380 [7 ] tityServer4.Endpoints.EndSessionEndpoint - Error processing end session request Invalid request
INFO 2018-08-01 11:17:18,386 [7 ] soft.AspNetCore.Hosting.Internal.WebHost - Request finished in 73.6363ms 302
and logoutId is not being sent to the Controller/Logout after the endsession. Did you face this before?
from identityserver4.wsfederation.
@iyhammad - and you included Audience in the hint? Because from Idsrv4 code, that is what is causing this failure TokenValidator
from identityserver4.wsfederation.
@pi3k14 Thank you very much. I was adding it but in a wrong way.
from identityserver4.wsfederation.
Hi
The suggested solution to pass an id_token_hint from the WsfederationController with the wtrealm does not work when using IdentityServer as a claims provider in ADFS 2016. ADFS 2016 does not pass the wtrealm parameter to the claims provider on signout. I went back to my IdentityServer 3 claims provider in ADFS 2016 and this one handles the signout ok without the wtrealm parameter. Why does IdentityServer 4 require this? Is there another way to generate the id_token_hint? Perhaps with the suggested WsFederationSignoutRequestValidator? Will it be able to generate the id_token_hint without the wtrealm parameter?
thanks
Remco
from identityserver4.wsfederation.
Related Issues (12)
- SAML 1.1 Token Comparison HOT 3
- Necessity of full .NET framework HOT 3
- Code for Relying Party store using a database HOT 3
- Upgrade to latest IdentityServer4 and aspnetcore version HOT 4
- wfresh="0" support and a NuGet package HOT 3
- Signout without wtrealm with IdentityServer as claims provider in ADFS 2016 HOT 3
- Incorrect parameter used when performing home realm selection
- how to handle ws-fed encrypted security token? HOT 1
- SAML Token Lifetime HOT 3
- NameIdentifier claim added twice HOT 1
- Would using Microsofts WsFederation-Implementation make it less complex? HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from identityserver4.wsfederation.