I have developed an SAML application which only uses Microsoft as IDP for successful login and logout of specific users. So after logout, I want Microsoft to redirect me to the website I have configured in the Logout URL of MyApplication in Azure Active Directory. The log-in functionality works everytime but when I logout in presence of only one Microsoft Signed-In account, it logouts perfectly and redirects me to the website I specified. I am facing the issue when I am asked to choose account to logout from a set of accounts (refer Image) of which when I select the configured account, it log me out perfectly but is unable to redirect me to my specified page. The page gets stuck on "You signed out of your account It's a good idea to close all browser windows." (refer Image). Thus I want to be redirected to the specified page when I am asked to select an account while logging out.
Logout Issue Redirect Image reference
Logout Issue Redirect Image reference
This is a known bug in this library.
Here are some alternatives.
You can use silent logout.
The post logout redirect isn't expected after calling logout. This could be a timing issue.
You can achieve a 'clean' logout by opening a new window and calling logout from there. Then a user is left with an extra open window; but at least they've retained a view of the app and it hasn't lost state.
Related
we have an OutSystems Mobile App (PWA)
We would like to add Azure AD SSO
We have tried Idp Mobile, but it is not for PWA
We have tried to embed in an iframe the login to login.microsoftonline.com, but it is not framable (CSP)
So we tried to follow this doc: https://learn.microsoft.com/it-it/graph/auth-v2-user
but again the html returned by the authorize api is not framable :(
is there a solution?
thanks
AAD does not permit framing of pages where credentials are entered as it requires user interaction. When you try Azure Active Directory (AAD) login page inside an iframe, you may go through errors due to defensive measures taken by AAD to prevent malicious attacks.
Some workarounds you may possibly try which may work in few cases.
Make sure reply urls set are same everywhere in app and in portal.
AAD has headers set to prevent their login page from being displayed in a frame.
prompt parameter indicates the type of user interaction that is required.Try setting it to none which means user interaction not required(if it is ok in your case).It is optional parameter added in login url in the iframe (&prompt=none).
Also &domain_hint={userdomain.com} is added at the end or url request where {userdomain.com} is the last part of the user's email address - e.g.user#userdomain.com > OAuth 2.0 authorization code flow | Microsoft Docs
Try to close and test few times to make sure it works and then login with work account in edge or chrome browser.(or from https://portal.office.com)
Reference:
aad-iframe | nafis.dev
-->User opens Service Provider URL and the WSO2 login screen is presented for entering credentials
-->User does add a browser bookmark from the current page to be able to access it in the future
-->Bookmark works fine for a period of time, then it stops working properly, the following error is displayed after entering the credentials
The reason for the error is that the WSO2 login page has some parameters in the URL that expire after a period of time, specifically sessionDataKey which is identifier for particular Service Provider.
Can someone help resolving this issue.
This was a known issue and seems to be fixed in next release.
https://wso2.org/jira/browse/IDENTITY-5199
As a workaround, users can bookmark the landing page after the login. Then, if there is no valid session, they will be redirected to the login page.
I have implemented SingleSignOn for my DNN site say www.example1.com. There is another site called www.example2.com. Both the sites will redirect to a common login page which uses a webservice to authenticate the users from external database.
The problem is, when i clicks on login button in example1.com, the user will be redirected to common sso login page, and after successful authentication, he will be redirected back to the original site. If I opens a new tab and enters the url that example2.com, the user is not being logged in.
But, if i clicks on login button in example2.com, the user is automatically getting logs in.
What I want exactly is, when I logs into one site in first tab and opens another site in the second tab, on the page load only the user should be logged in, but not on the login click.
How can I handle this issue ? Any help is appreciated.
I do something similar to this.
Your database should track users currently logged in. Before you redirect to the common login page, you should check if the user is logged in. Your example2.com is not checking to see if the user is logged on before redirecting to the common login page.
Here is how ours works:
Both sites must check for cookie/Token before redirecting
User Logs into site and is Authenticated
Writes User to Token database
Stores Token in cookie with expiration
Subsequent requests read the token from the cookie and validate against Token database
When user logs out, cookie and database entry are deleted
If user does not log out properly, you must clean up tokens on a set interval
I have created a website that allow user use facebook login system to regist and login. The system runs good. It can use single sign-on to login the system, so the user does not need to input the username and password --- until yesterday.
One of teammate find that he stucked in the login system, and the single sign-on does not function anymore. The user need to input account detail whatever they have login facebook or not. The most funny thing is, after the user login in facebook login system, it does not redirect the user to the "next" url or redirect them to facebook.com (mostly this means login system setting had eror). It just stuck in the facebook server with empty blank page.
This is the link what I stuck in....
https://www.facebook.com/login.php?login_attempt=1&fbconnect=1&display=page&next=(next url)&req_perms=publish_stream%2Cread_stream%2Cemail%2Cuser_photos&legacy_return=1
without session code, and does not have any reply.
I want to know if I have set something wrong...
Use of legacy_return was deprecated almost a year ago with the migration to OAuth2, and the endpoints were finally shut down today. Please update your integration per https://developers.facebook.com/docs/concepts/login/
well i have used the facebook api couple of times. But last day i just came across a site which was really new to me. Heres the scenario
If a user is logged in at facebook and comes to my site, he will
automatically be logged in without asking him and also if user logs
out of my site he gets logged out of facebook. But the site i saw
yesterday, they had handled it perfectly, user dose not logs in their
site automatically and even if user logs out from their site, he does
not gets logged out of facebook.
So any help? what is this technique called? or any relevant help?
Best Regards
most site handled the login/authenication by using the login status of the user at facebook ends.
to do what u wants, simply add an additional layer of authentication / login status checking at your own site.
The site level login status is to be retained only for the current session. In other words, once the user went away from the site, the site level login status is gone. With this, when the user returns, you know that he needs to login again.
when the user logged out from your site, you only log him out of your site and do nothing about facebook login
Using the Facebook SDK it will likely tell you the user is logged out when not logged into Facebook, which in theory is the correct behaviour of the whole system, as Facebook want user's to always be connected to Facebook, I quote facebook:
As long as the user is signed into Facebook, they are automatically signed into your site as well.
So if they aren't connected to Facebook, you aren't connected to other sites. In a way it's a deterrant and increases Facebooks market.
But anyhow, it's likely the site you are describing are implementing their own authentican system rather than using Facebook's own SDK, or if they are using the SDK they are using it in moderation and understand about cookies/the above.
The flow to allow the user to be logged into Facebook but out of your site is as so:
When a user logs out of their site, it will unset session data for the site's own application, and also unset Facebook cookies, etc. That way the user is still logged into Facebook but out of your site.
When they try to log in again, Facebook will detect no cookies are available and hence will re-authenticate and pass you onto the url as passed during the authentication process. Your site will then login the user to the site's own application, setting any session variables, etc.
you need to check how you are handling the FB logins and sessions at your end..
my guess is you check the is login at your site and there are some access_tokens which are as per your app id in the cookies of your browser which are helping you to log in ..
and when logging out from your site you are explicitly logging out the user from FB as well
( thats what you are describing atleast )
you seem to be explicitly calling logout or clearing the cookies for fb app id ..