Setting to accept unsigned Logout messages #446

Closed
lindea opened this issue Apr 7, 2016 · 6 comments

lindea commented Apr 7, 2016

Hi!

I have a problem with the single signout functionality.
I'm using AS.Owin 1.7.2 on a site with multiple domains (actually it's several sites in same application).
I create SP for all domains dynamically like this:

foreach (var domain in domains)
{
    app.UseKentorAuthServicesAuthentication(CreateAuthServicesOptions("kentor", domain.Name));
}

This works fine for login, and the login request is called with the right metadata based on the domain.
For the logout request the issuer is always from the first domain, and thus fails.
Each SP has its own unique module path.

For the logout I use
OwinContext.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie);

This doesn't seem to trigger single sign out, so I redirect to /logout where the signout request is triggered.

Any suggestions?

@AndersAbel (Member)

You need to include AuthServices in the sign out types. Either sign out of everything by calling OwinContext.Authentication.SignOut() or include the signin-type of the AuthServices instance that you want to sign out of.
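
As an added example (not code from this issue and not Kentor.AuthServices' own code), here is a logout action that does what the answer above describes: it includes the AuthServices authentication type in the OWIN SignOut call instead of naming only the two cookie types. It assumes ASP.NET MVC 5 on OWIN with Kentor.AuthServices.Owin, one middleware instance registered per domain as in the question, and that the question's CreateAuthServicesOptions helper gives each instance a distinct AuthenticationType. The "kentor-" + domain naming scheme, the RegisteredDomains list and the AuthServicesTypes helper class are assumptions made for this example, not library API.

```csharp
// Added example: not from the issue and not from Kentor.AuthServices itself.
// Assumes ASP.NET MVC 5 on OWIN with Kentor.AuthServices.Owin and one
// middleware instance registered per domain, each with its own
// AuthenticationType. Everything marked "assumed" is not library API.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public static class AuthServicesTypes
{
    // Assumed: the domains the application registered middleware for at startup.
    public static readonly IReadOnlyCollection<string> RegisteredDomains =
        new[] { "sp-one.example", "sp-two.example" };

    // Assumed naming scheme. OWIN's SignOut() selects middleware by this string,
    // so it must be unique per AuthServices instance and must equal whatever
    // CreateAuthServicesOptions(...) stored in options.AuthenticationType.
    public static string AuthServicesTypeFor(string domainName) => "kentor-" + domainName;

    // Resolve the type from the registered list rather than trusting the raw
    // Host header; a request on an unknown host gets no SAML logout at all.
    public static string TypeForRequest(Uri requestUrl)
    {
        var domain = RegisteredDomains.FirstOrDefault(
            d => string.Equals(d, requestUrl.Host, StringComparison.OrdinalIgnoreCase));
        return domain == null ? null : AuthServicesTypeFor(domain);
    }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;

        // What the question does: only the cookie middlewares are named, so the
        // local session is cleared but no SAML LogoutRequest is ever sent.
        //   auth.SignOut(DefaultAuthenticationTypes.ApplicationCookie,
        //                DefaultAuthenticationTypes.ExternalCookie);

        // Option 1 from the answer: sign out of every registered type.
        //   auth.SignOut();

        // Option 2 from the answer: name the types explicitly and include the
        // AuthServices instance that serves the domain this request arrived on.
        var authServicesType = AuthServicesTypes.TypeForRequest(Request.Url);
        var types = new List<string>
        {
            DefaultAuthenticationTypes.ApplicationCookie,
            DefaultAuthenticationTypes.ExternalCookie
        };
        if (authServicesType != null)
        {
            types.Add(authServicesType);
        }
        auth.SignOut(types.ToArray());

        // With an AuthServices type in the list, and a session that still carries
        // the claims AuthServices stored at sign-in, the middleware turns this
        // response into the redirect that carries the LogoutRequest to the IdP.
        return RedirectToAction("Index", "Home");
    }
}
```

The type name must be the same string that was configured on the options object for that domain; passing a name that no middleware claims is silently ignored, which is exactly the symptom in the question (cookies cleared, no single logout).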

@lindea (Author)

lindea commented Apr 7, 2016

Thank you for the super fast response!
I was able to trigger signout by specifying the AuthenticationType as you suggested. The problem now is that the response is required to be signed, which it's not. Is there an option to turn off that requirement?

@AndersAbel (Member)

There's no option to turn off the signing requirement for logout messages. It's part of the profile spec section 4.4.4.2:

The responder MUST authenticate itself to the requester and ensure message integrity, either by signing the message or using a binding-specific mechanism.

But if you really need an option to switch it off, I can consider adding it.
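
The quoted requirement allows two mechanisms, and which one applies depends on the binding: with HTTP-POST the LogoutResponse XML carries an enveloped ds:Signature, while with HTTP-Redirect the XML must not be signed and the binding-specific mechanism is the SigAlg and Signature query parameters. The following is an added example (not code from this issue and not Kentor.AuthServices' own validation code) that shows where a receiving SP has to look in each case. It only checks that a signature is present; a real SP must also validate it against the IdP's signing certificate from metadata before trusting the message. The sample LogoutResponse messages, the placeholder signature values and the URLs are constructed for this example, and the block needs a reference to System.Web for HttpUtility.

```csharp
// Added example: not from the issue and not from Kentor.AuthServices itself.
// Presence check only; cryptographic validation against the IdP's metadata
// certificate is still required. Sample messages below are constructed.
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Web;
using System.Xml;

public static class LogoutResponseSignatureCheck
{
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // HTTP-POST binding: the SAMLResponse form field is base64(XML) and the
    // signature, if any, is a ds:Signature that is a direct child of the root.
    public static bool PostBindingIsSigned(string samlResponseField)
    {
        var xml = Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseField));
        var root = LoadRoot(xml);
        foreach (XmlNode child in root.ChildNodes)
        {
            if (child.NodeType == XmlNodeType.Element
                && child.LocalName == "Signature" && child.NamespaceURI == DsNs)
            {
                return true;
            }
        }
        return false;
    }

    // HTTP-Redirect binding: SAMLResponse is base64(deflate(XML)); the XML must
    // not contain a signature. Instead SigAlg and Signature query parameters sign
    // the SAMLResponse(+RelayState)+SigAlg portion of the query string.
    public static bool RedirectBindingIsSigned(Uri location)
    {
        var query = HttpUtility.ParseQueryString(location.Query);
        var encoded = query["SAMLResponse"];
        if (encoded == null)
        {
            throw new ArgumentException("no SAMLResponse parameter");
        }
        // Inflate and parse so a malformed message is rejected here, not later.
        using (var deflated = new MemoryStream(Convert.FromBase64String(encoded)))
        using (var inflater = new DeflateStream(deflated, CompressionMode.Decompress))
        using (var reader = new StreamReader(inflater, Encoding.UTF8))
        {
            LoadRoot(reader.ReadToEnd());
        }
        return !string.IsNullOrEmpty(query["SigAlg"]) && !string.IsNullOrEmpty(query["Signature"]);
    }

    // Parse untrusted XML with DTDs and external resolution disabled and insist
    // on a samlp:LogoutResponse root element.
    static XmlElement LoadRoot(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        var root = doc.DocumentElement;
        if (root == null || root.LocalName != "LogoutResponse" || root.NamespaceURI != SamlpNs)
        {
            throw new InvalidOperationException("root element is not samlp:LogoutResponse");
        }
        return root;
    }

    // Constructed sample: an unsigned LogoutResponse, as the IdP in this thread sends.
    const string Unsigned =
        "<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
        "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_resp1\" Version=\"2.0\" " +
        "IssueInstant=\"2016-04-07T10:00:00Z\" InResponseTo=\"_req1\">" +
        "<saml:Issuer>https://idp.example.com</saml:Issuer>" +
        "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>" +
        "</samlp:LogoutResponse>";

    static string Base64(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s));

    static string DeflateBase64(string s)
    {
        using (var output = new MemoryStream())
        {
            using (var deflater = new DeflateStream(output, CompressionMode.Compress, leaveOpen: true))
            {
                var bytes = Encoding.UTF8.GetBytes(s);
                deflater.Write(bytes, 0, bytes.Length);
            }
            return Convert.ToBase64String(output.ToArray());
        }
    }

    public static void Main()
    {
        // Same message with a structural (placeholder, not valid) enveloped signature.
        var signed = Unsigned.Replace("</saml:Issuer>", "</saml:Issuer><ds:Signature xmlns:ds=\"" + DsNs +
            "\"><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>");
        Console.WriteLine("POST, unsigned: " + PostBindingIsSigned(Base64(Unsigned)));
        Console.WriteLine("POST, signed:   " + PostBindingIsSigned(Base64(signed)));

        var baseUrl = "https://sp.example.com/AuthServices/Logout?SAMLResponse="
            + Uri.EscapeDataString(DeflateBase64(Unsigned));
        var signedUrl = baseUrl + "&SigAlg=" + Uri.EscapeDataString("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
            + "&Signature=" + Uri.EscapeDataString(Base64("placeholder"));
        Console.WriteLine("Redirect, unsigned: " + RedirectBindingIsSigned(new Uri(baseUrl)));
        Console.WriteLine("Redirect, signed:   " + RedirectBindingIsSigned(new Uri(signedUrl)));
    }
}
```

The point of the two code paths is that "the IdP does not sign" can mean two different things: a POST response with no ds:Signature element, or a Redirect response with no Signature query parameter. Either one is what the library rejects. Relaxing the check would let anyone who can get a browser to post a forged LogoutResponse to the SP pretend that an IdP-side logout succeeded when it did not, which is why the maintainer treats accepting unsigned messages as a non-standard option rather than a default.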

@lindea (Author)

lindea commented Apr 7, 2016

Thanks again. I'll have a talk with the idp-guys first and hear what they have to say.

@lindea (Author)

lindea commented Apr 12, 2016

Hi again!
I've talked to the Idp, and they do not provide signed logout response despite the requirements. They might do in the future though. It would be nice to be able to choose whether or not to accept unsigned logon responses, so I'll be grateful if you would consider implementing this.

@AndersAbel (Member)

I see the need for it, but as this is very non-standard it's far down on the priority list for free-time development. If you want to sponsor the development to get it done faster, please drop me a mail.
