Comments (7)
Thx for the report. Will look into it.
from identityserver2.
Good point.
Also - Paul - for signout via HRD - I should rather do a redirect e.g. to the ADFS signin endpoint, right?
I am not done yet with HRD testing. I will report on that one later.
thanks!
The short answer is: YES.
The long answer is that an intermediate issuer (federation sts) should remember the upstream IP that has authenticated the user. When wsignout1.0 arrives a redirect (with wsignout1.0) to the upstream RP is required. Typically a memory cookie (path is application path) is used to remember this.
But now trouble ....
Officially it is SingleSignOn. So there is only one identity (and therefore only one upstream IP) per DOM session (say IdP-a). But if you allow an authenticated user to also log on and have an extra identity (by allowing an extra authentication) by using a whr=IdP-b, then you are in trouble. Because when signout is pressed then this path should be cleared too. It is non-trivial (if possible) to know which identity must be cleared....
And a fork (two identities) cannot be cleared with single signout? ADFS2 - rollup2 - was messing around with this. Lots of people were upset....
The classical way to avoid this is to not allow two identities (in a single DOM session). Only allow whr to override the realm cookie when the user is not authenticated (yep, another memory cookie). But don't be surprised if some people do not like that.
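The signout chaining and the "whr only while anonymous" rule from the comment above, as an added Python illustration (not IdentityServer2 code); the upstream IdP table, the cookie name and the application path are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed upstream IdP table (hypothetical, not IdentityServer2 configuration).
UPSTREAM_IDPS = {
    "IdP-a": "https://idp-a.example/wsfed",
    "IdP-b": "https://idp-b.example/wsfed",
}
APP_PATH = "/federation"          # the "memory" cookie is scoped to the application path
IDP_COOKIE = "hrd_upstream_idp"   # hypothetical cookie name remembering the upstream IdP

@dataclass
class Result:
    redirect: Optional[str] = None                       # where to send the browser
    set_cookies: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (value, path)

def select_upstream(cookies: dict, whr: Optional[str], authenticated: bool):
    """Home-realm discovery: once the user is authenticated the remembered IdP wins,
    so a whr for a second IdP cannot fork the session into two identities."""
    remembered = cookies.get(IDP_COOKIE)
    if authenticated and remembered in UPSTREAM_IDPS:
        return remembered, {}                            # whr ignored while signed in
    if whr in UPSTREAM_IDPS:
        return whr, {IDP_COOKIE: (whr, APP_PATH)}       # anonymous user: whr may override
    if remembered in UPSTREAM_IDPS:
        return remembered, {}
    return None, {}                                      # no hint: show the HRD page

def handle_signin(cookies: dict, whr: Optional[str], wtrealm: str, wreply: str,
                  authenticated: bool = False) -> Result:
    idp, set_cookies = select_upstream(cookies, whr, authenticated)
    if idp is None:
        return Result(None, {})
    query = urlencode({"wa": "wsignin1.0", "wtrealm": wtrealm, "wreply": wreply})
    return Result(f"{UPSTREAM_IDPS[idp]}?{query}", set_cookies)

def handle_signout(cookies: dict, wreply: str) -> Result:
    """wsignout1.0 at the federation STS: clear the memory cookie (same path as it was
    set with) and chain the signout upstream to the IdP that authenticated the user."""
    idp = cookies.get(IDP_COOKIE)
    cleared = {IDP_COOKIE: ("", APP_PATH)}              # clearing must use the same path
    if idp not in UPSTREAM_IDPS:
        return Result(wreply, cleared)                   # nothing upstream to notify
    query = urlencode({"wa": "wsignout1.0", "wreply": wreply})
    return Result(f"{UPSTREAM_IDPS[idp]}?{query}", cleared)
```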
ClearEndpoint now sets the path.
(partially) closed. HRD signout problem will be addressed separately.