Azure ACS: Cannot completely log out...
-
June 15, 2012, 6:20 PM
Hello,
We are interested in using ACS for authentication for our single web app, and I have successfully integrated it into our existing web app. Sign-in is working great! But, when the user tries to log out of our application, it does not completely log them out... For example, if the person logged into the system using Google, when they log out of our application, close the browser, and go to our website, they are still logged in. They only have to click the Google button and they are in our application. I've spent hours and hours experimenting with postings from a lot of users, but none of the recommendations corrects the issue. So, here are two questions:
1) When a user wants to exit our application, how can he/she completely exit it so they have to log in again with the authentication provider?
2) After logging out of our application, how can we redirect the user back to the login page or to something that is more attractive than the default webpage that says, in black and white, "Close your browser...". No offense, but yuck! :P
I really like ACS and would like to use it, but these two issues are show stoppers... Hopefully, there is a good answer for them.
Thanks for your help and suggestions,
Mike
Here is our logout code:
using System;
using System.Web;
using System.Web.Security;
using Microsoft.IdentityModel.Web;

// FederatedAuthentication is a static class, so it cannot be compared with null;
// only the module properties it exposes can be.
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
    SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
    if (sam != null)
    {
        // Local sign-out: drop the WIF session token cookie (FedAuth) and the Forms cookie.
        sam.SignOut();
        sam.CookieHandler.Delete();
        sam.DeleteSessionTokenCookie();
        FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
        FormsAuthentication.SignOut();
    }

    // Federated sign-out: redirect the browser to the issuer's (ACS) wsignout1.0 endpoint.
    WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
    if (authModule != null)
    {
        string signoutUrl = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(authModule.Issuer, authModule.Realm, null);
        WSFederationAuthenticationModule.FederatedSignOut(new Uri(signoutUrl), new Uri(authModule.Realm));
    }
}
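As an added example (not from the original post and not Microsoft's own sample code), here is one way to split sign-out into the two pieces that WIF separates: the local sign-out, which deletes the FedAuth session cookie so the relying party stops trusting the browser, and the federated sign-out, which redirects the browser to the ACS WS-Federation endpoint with wa=wsignout1.0 and a wreply parameter pointing at a page of your choosing rather than the default "close your browser" page. The page name SignedOut.aspx and the class name are assumptions. What this cannot do is end the user's session at Google or another identity provider: ACS only clears its own cookie, so the next sign-in through the same provider may complete without a password prompt.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Web;

// Added example: a sign-out page for a WIF relying party that trusts ACS.
// Not the original poster's code; names below are assumptions.
public partial class SignOut : Page
{
    // Assumption: a plain page in this application shown after sign-out.
    // Keep it on our own host so the redirect cannot be turned into an open redirect.
    private const string SignedOutPage = "~/SignedOut.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;

        // 1. Local sign-out: delete the FedAuth session cookie. Without this the
        //    browser keeps a valid session token for this application.
        if (sam != null)
        {
            sam.SignOut();
        }

        // 2. Federated sign-out at the issuer (ACS): wa=wsignout1.0 clears the ACS
        //    cookie, and wreply tells ACS where to send the browser afterwards.
        string replyUrl = new Uri(Request.Url, ResolveUrl(SignedOutPage)).AbsoluteUri;
        string issuer = fam.Issuer;   // e.g. https://<namespace>.accesscontrol.windows.net/v2/wsfederation
        string signOutUrl = issuer
            + (issuer.Contains("?") ? "&" : "?")
            + "wa=wsignout1.0&wreply=" + HttpUtility.UrlEncode(replyUrl);

        // End this request cleanly without throwing ThreadAbortException.
        Response.Redirect(signOutUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Wire the page up as the link behind your "Log out" button. Because step 2 only affects the ACS session, test the behaviour the original post describes (close the browser, return, click the Google button): with this code the user will be asked to pick a provider again, but whether Google prompts for a password depends on Google's own session, not on anything the relying party or ACS does.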
All replies
-
June 16, 2012, 10:27 PM
After a ton of research and experimentation, I have answered these questions...
Q1) Is it possible to get a persistent, unique identifier for a user who has been authenticated through ACS?
Azure ACS does support SAML 2.0, so it can provide the nameidentifier value to your application for the authentication provider. When you "Add STS References..." to
your Visual Studio project, it created a file in your project named "Federation Metadata.xml". Open this file and add the following line to the end of the
<fed:ClaimTypesRequested> list:
<auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/nameidentifier" Optional="false" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
So, now you will receive this item in the claims that are returned after logging into an authentication provider. So, how do you access the nameidentifier value? In
your .aspx.cs file that will be accessed after authentication:
Add the following namespace:
using Microsoft.IdentityModel.Claims;
In your method where you will verify the authentication, do the following:
using System.Threading;
using System.Web;
using Microsoft.IdentityModel.Claims;

if (HttpContext.Current.User.Identity.IsAuthenticated)
{
    // Cast the Thread.CurrentPrincipal to reach the claims-based principal
    IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;
    // Access IClaimsIdentity, which contains the claims issued by ACS
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;
    // Access claims
    foreach (Claim claim in claimsIdentity.Claims)
    {
        if (claim.ClaimType.CompareTo(@"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier") == 0)
        {
            // Okay, let's get the persistent name identifier...
            string nameId = claim.Value;
            // ...
        }
    }
}
I know that Google ensures that the nameidentifier will be persistent and unique for the user unless you change the domain name that you've assigned when signing up for authentication services for your domain on their website. We are only using Google for authentication at this time, so we have resolved our issue with the changes that I have mentioned. A quick look at the results from logging into Live! and Yahoo! is that I am getting sensible nameidentifier values, but I do not know for a fact that they are persistent and if they are persistent or under what conditions they may change. Hopefully, another user will post info for Live! and Yahoo!
Q2) How to completely log out (i.e. completely log out of Google)
There is a lot of confusion out there about this issue. From what I have read, it is not the intention, at this time, to provide the ability to log out of the authentication provider when leaving our application because it would affect a user's other sessions in which they signed in using the same authentication provider.
So, we are experimenting with passing the following PAPE extensions when authentication has begun so that when the user logs out of our application, he/she must
enter a password to access it again.
openid.ns.pape
openid.pape.max_auth_age
This seems like a reasonable approach, if it works...
Here is where we are at with our logout process, but we are still working on it...
using System.Web.Security;
using Microsoft.IdentityModel.Web;
// ...
if (FederatedAuthentication.SessionAuthenticationModule != null)
{
    // Remove the WIF session token cookie (FedAuth) and the Forms Authentication cookie
    FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Delete();
    FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
    // Local WS-Federation sign-out (false: this is not an identity-provider-initiated request)
    FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
    FormsAuthentication.SignOut();
    // Redirect to our login page?
}
Please note that I am simply posting this information in the hope that it may help others... I am not saying that my solution is the best or only one. It simply meets our requirements.
Thanks,
Mike
- Marked as answer by A Bit of Help, June 16, 2012, 10:27 PM
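As an added example (not the original poster's code, and not an ACS sample), here is a way to turn the claim walk above into a stable user key. ACS issues an identityprovider claim (http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider) alongside the provider's nameidentifier, and the identifier is only guaranteed unique within the provider that issued it, so a user record should be keyed on the pair rather than on nameidentifier alone. The class names UserKey and AcsClaims, and the method names, are assumptions; the claim type URIs are the standard ones.

```csharp
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// Added example: derive a provider-scoped user key from the ACS claim set.
// Not the original poster's code; type and method names are assumptions.
public sealed class UserKey
{
    public string IdentityProvider { get; private set; }
    public string NameIdentifier { get; private set; }

    public UserKey(string identityProvider, string nameIdentifier)
    {
        IdentityProvider = identityProvider;
        NameIdentifier = nameIdentifier;
    }

    // Store both parts as separate columns; this string form is for logging/lookup only.
    public override string ToString()
    {
        return IdentityProvider + "|" + NameIdentifier;
    }
}

public static class AcsClaims
{
    public const string NameIdentifier =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
    public const string IdentityProvider =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Returns null when the principal is unauthenticated or either claim is missing,
    // so a caller can never key a record on an empty or partial identifier.
    public static UserKey GetStableUserKey(IClaimsPrincipal principal)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return null;
        }

        IClaimsIdentity identity = principal.Identity as IClaimsIdentity;
        if (identity == null)
        {
            return null;
        }

        string idp = FirstValue(identity, IdentityProvider);
        string nameId = FirstValue(identity, NameIdentifier);
        if (string.IsNullOrEmpty(idp) || string.IsNullOrEmpty(nameId))
        {
            return null;
        }

        return new UserKey(idp, nameId);
    }

    // Convenience overload for page code: uses the principal WIF sets on the thread.
    public static UserKey GetCurrentUserKey()
    {
        return GetStableUserKey(Thread.CurrentPrincipal as IClaimsPrincipal);
    }

    // Claim types are URIs; compare them ordinally, never case-insensitively.
    private static string FirstValue(IClaimsIdentity identity, string claimType)
    {
        Claim claim = identity.Claims.FirstOrDefault(
            c => string.Equals(c.ClaimType, claimType, StringComparison.Ordinal));
        return claim == null ? null : claim.Value;
    }
}
```

In the page that runs after sign-in, call AcsClaims.GetCurrentUserKey() and treat a null result as "not signed in" rather than falling back to the display name or e-mail claim: those are not stable identifiers, and a provider can issue the same e-mail address to a different account later.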

