wsfedsignout error in cookie path and permanent? about identityserver2 HOT 7 CLOSED

Thx for the report. Will look into it.

from identityserver2.

Good point.

Also - Paul - for signout via HRD - i should rather do a redirect e.g. to the ADFS signin endpoint, right?

from identityserver2.

I am not done yet with HRD testing. I will report on that one later.

from identityserver2.

thanks!

from identityserver2.

The short answer is: YES.

The long answer is that an intermediate issuer (federation sts) should remember the upstream IP that has authenticated the user. When wsignout1.0 arrives a redirect (with wsignout1.0) to the upstream RP is required. Typically a memorie cookie (path is application path) is used to remember this.

But now trouble ....
Officially it is SingleSignOn. So there is only one identity (and therefor only one upstream IP) per DOM session (say IdP-a). But if you allow an authenticated user to also logon have an extra identity (by allowing an extra authentication) by using a whr=IdP-b, then you are in trouble. Because when signout is pressed then this path should be cleared to. It is non-trivial (if possible) to know which identity must be cleared....
And a fork (two identities) cannot be cleared with single signout? ADFS2 - rollup2 - was messing around with this. Lots of people were upset....
The classical way to avoid this is not allow two identities (in a single DOM session). Only allow whr to override realm cookie when the user is not authenticated (yep another memory cookie). But don't be surprised if some people do not like that.

from identityserver2.

ClearEndpoint now sets the path.

from identityserver2.

(partially) closed. HRD signout problem will be addressed separately.

from identityserver2.