Comments on Object-Oriented Software Development: WIF, WS-Federation and Single Sign-out from Multiple Relying Parties
Author: Wiktor Zychla
Updated: 2023-10-23T23:19:01.111+02:00

Harihari, 2013-07-03T13:01:14.085+02:00

I tried to implement single Sign-Out in my application as discussed. I wanted to use the FederatedPassiveSignInStatus control. But when I tried to implement it in one of my RPs, I'm getting an error "A SessionAuthenticationModule must be added to the ASP.NET Module Pipeline"

Can you please help?

Wiktor Zychla, 2013-06-28T09:48:41.989+02:00

The ADFS should never clear any custom cookies; if it does, make sure these cookies don't hit ADFS. You make it so by issuing your custom cookies for your IdP host name - the browser won't send cookies to adfs.yourdomain.com when cookies are issued from idp.yourdomain.com.

Anonymous, 2013-06-27T22:03:26.553+02:00

Thanks so much for your help with the SSO, Wiktor. Our system is working very fine with Single-Sign-On and Single-Sign-Out now.

There still is a little thing that I don't really understand: I set some custom cookies when logging out, and those cookies can be seen from the custom IdP (if I sign in using custom IdP before).
However, if I sign in with ADFS (integrated authentication), my custom cookies are cleared when I try to access from SignOut.aspx (same when using Fiddler to trace).
I can see that ADFS does clear all the cookies before initiating SignOut.aspx page, so I guess it's internal implementation of ADFS.

Wiktor Zychla, 2013-06-19T22:06:07.171+02:00

Did you read my answer to your SO question? The trick would be to replace images with iframes.

Anonymous, 2013-06-19T20:37:49.950+02:00

Hi Wiktor,

What about Single-Sign-Out in the scenario that STS acts as an IdP through ADFS2.0, and ADFS2.0 is the federation provider to all RPs?

I have a problem with Single-Sign-Out in this scenario. IdP (STS) does successfully sign out and also sends the wsignoutcleanup1.0 action back to ADFS2.0. But it seems that the sign out process stops at ADFS2.0.

NILESH, 2012-02-17T14:57:20.964+01:00

When I log out I am displayed with a browser having URL parameters signout1.0. Hence I cannot log in back to the URL.

Can anyone help me out in this?

Wiktor Zychla, 2012-01-06T10:15:14.520+01:00

Without inspecting the code I can't say anything. I assume that we are talking about a custom STS (not the ADFS2 for example) and this is probably where the problem lies - a subtle problem in the implementation prevents the STS from behaving correctly.

Gaurav, 2012-01-06T09:54:14.599+01:00

Hi Wiktor,
Thank you very much for the tip. I am now able to sign out from multiple RPs. But I am having a weird problem. When all the RPs and STS are deployed on the same server, and the user tries to re-login after being successfully signed out from any of the RPs, he has to log in twice. On the first try, it refreshes the login page and again the user has to supply credentials. Second time, it successfully redirects to the requested RP page.
Single sign-on and single sign-out have no issue. Only on the STS login page, a refresh occurs the first time when the user tries to re-login.
This issue does not occur if I deploy each RP and STS on a different server. Everything works fine in this case.
Do you have any idea why this could occur?
Thanks

Wiktor Zychla, 2011-11-17T11:34:48.654+01:00

alex, if I understand the question correctly then yes, passive WS-Federation always works across different domains.

alex, 2011-11-17T10:11:57.633+01:00

Thanks. This article is really helpful. It solves at least I found where the root of the problem is.

Does this solution work for cross domain RP?

Ghanshyam, 2011-07-01T16:23:25.425+02:00

Hi, I am sorry but I could not understand your question:
"Are you sure that you do not have two different RPs which by accident share the same name for authentication cookie?"

My STS creates an authentication cookie based on username, the standard FormsAuthentication way. This is not specific to any RP. Coming to RP, the authentication type is set to "None". WIF has its own cookies FedAuth, FedAuth1 etc. and I happened to notice that for my two different RPs, the FedAuth cookies have different paths. For RP1, path would be /RP1/ and so on.

Am I missing something?

Wiktor Zychla, 2011-07-01T16:09:25.237+02:00

I have no idea why you encounter issues. If a single RP is deployed in a web-farm and the authentication is cookie-based then, to me, it seems impossible that when the cookie is removed it is still present at the other server in the farm.

Cookies exist in your browser, so if a cookie is deleted, it's gone. There's no way for a cookie to be magically resurrected after it's deleted.

Are you sure that you do not have two different RPs which by accident share the same name for authentication cookie?

Ghanshyam, 2011-07-01T13:24:50.924+02:00

Good tip! However, all works when I have a single STS and multiple RPs. I am not seeing it work when the STS and RP are deployed in web-farms. I am currently testing with two RPs deployed in web-farm and my STS also deployed in web-farm.

In the STS logout page, both the RPs show green tick mark. However, the RP where the logout is clicked only signs out and Fed' cookies are not present, whereas the other RP is still signed in and I can still see that the Fed' cookies are still present.

How do I handle this? Any ideas??