Token not clearing properly while single sign out in Kentor - logout

We are implementing SSO with Kentor using an HTTP module. Our SP is ADFS.
In ADFS we configured "Transform an Incoming Claim" with Incoming claim type as "E-mail Address", Outgoing claim type as NameID and Outgoing NameID format as "Email". When we log out from the application using ("~/AuthServices/Logout?ReturnUrl=~/?Status=LoggedOut") it redirects to the ADFS sign-out page (https://win-3obaenpbsol.dc10.inapp.com/adfs/ls/?wa=wsignout1.0),
and when we try to load our application again, it redirects into the application without asking for login. So the expected result is that once we log out it should ask for login again. How can we handle this?
Thanks,
Raj

Related

Spring SAML Okta - How to redirect to a custom URL in IDP initiated flow

My application's entry point is a custom URL. How do I tell Spring to redirect to my URL after a successful SAML dance? I am using the IdP-initiated flow.
In my app I have several versions defined depending on the client, e.g. client abc goes to https://localhost:8443/abc/admin and client xyz goes to https://localhost:8443/xyz/admin
Thanks
Turns out there is a handler called SAMLRelayStateSuccessHandler which redirects to the endpoint defined in the "Default Relay State" configuration item in Okta (application configuration).
So first go to Okta and specify a redirect URL in the "Default Relay State" property. Then set this handler on the SAMLProcessingFilter:
samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(new SAMLRelayStateSuccessHandler());
and once Spring SAML authenticates successfully it will redirect to your relay URL.

Single Sign On: SimpleSAMLphp Service Provider Implementation

I am implementing SSO using the SimpleSAMLphp Service Provider.
I provided my metadata to a remote Shibboleth Identity Provider and was given a test account.
When a user visits a specific page on my SP, they get redirected to the IdP, log in, and are redirected back to my web site with a bunch of IdP-provided attributes. This part works.
This is the part I am struggling with.
If the user authenticates with the same IdP through a different Service Provider and then visits my page, how do I know they are already authenticated? Currently I am being asked to log in again.
Is there a configuration value somewhere that lets me do this? Or am I using the wrong method? This is what I am doing.
require_once('/var/simplesamlphp/lib/_autoload.php'); // SimpleSAMLphp autoloader (adjust the install path)
$as = new SimpleSAML_Auth_Simple($remoteAuthSource); // name of the remote SP authsource from config/authsources.php
$as->requireAuth(); // redirects to the remote IdP login if there is no local SP session yet
$attributes = $as->getAttributes(); // attributes released by the IdP for this user
Thanks.
There are two separate authentication sessions to consider. One session is in your app and the other is at the IdP. The requireAuth method can tell if the user already has an authenticated session in your application, and will return immediately in that case.
There is no way for you to tell if a browser has a session at the IdP. You just call requireAuth, which sends the user there, and if the IdP decides the user's session is still valid it will respond without prompting for login.
Are you saying that the user has a valid session at the IdP and they are being re-prompted to authenticate when you send the user there? That could be due to IdP policy, or if your app was sending something like 'forceAuth' in its AuthnRequest.

ADFS signout returns 404

We have a federation where ADFS 3 is our main sign-on mechanism with IdentityServer as a relying party which is handling our OAuth. So when a user logs in we are redirected via the idserver to ADFS where they log in, then we are redirected back and the user now has an OAuth token issued by IdentityServer.
We are having issues with logoff when it is initiated by ADFS. Using Fiddler I can see ADFS is redirecting to https://idserver/?wa=wsignoutcleanup1.0 but this is returning a 404.
Is this the right URL it's calling?
Have we missed something when creating the idserver?
I don't have a CallbackPath configured, so I assume it should pick this up?
Thanks
The problem is that the Katana WS-Fed middleware from Microsoft doesn't support signout. You will have to implement this yourself -- middleware seems like an obvious approach.

Can ADFS IdP send "user not found" to SP?

My customers land on my ADFS IdP-initiated login page. They get authenticated and redirected to the SP. Everything looks nice. But I have a few extra users that are not part of the IdP database (AD domain). I would like to authenticate them locally in my SP, but they are never redirected there. They get stuck in ADFS with "wrong username/password".
Is it possible to send a SAML message with some "user not found" message to the SP?
I'm using ADFS 3.0.
Thank you very much for all ideas and suggestions.
No - that's not the way most IdPs work.
You can't leave the login page until you are authenticated.
What you can do is add another IdP for your other users, e.g. IdentityServer 3, and then federate it with ADFS.

Return to target URL after WSO2 SAML SSO authorization

I am creating a simple service provider (SP) in Java with WSO2 SAML SSO authorization.
I implemented it in this way (please correct me if I'm wrong):
1. The user enters some target URL in the browser.
2. My SP's servlet sends a redirect to the WSO2 IDM.
3. The IDM authorizes the user and redirects to my Consumer URL with SAMLResponse and RelayState parameters.
Now the SP must process this request and redirect the user to the target URL without redirecting to the IDM again. Otherwise I'll get an infinite loop, so I think that between step 1 and step 2 there should be one more step...
What is the proper way to do this?
Typical implementation:
1 User tries to access a protected site
2 A filter checks if the user has an authenticated session.
2.1 If not, redirect to IdP/IDM
2.1.1 IDM authenticates the user and redirects back to the SP with identity proof
2.1.2 SP creates an authenticated session
2.1.3 User is redirected to the target URL; everything starts from 2 again.
Here I have a post describing the flow in more detail
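The flow in the answer above, and the RelayState handling from the Spring SAML/Okta answer earlier on this page, written out as a servlet filter. This is an added example, not WSO2, Spring SAML or Okta code: SsoFilter, SamlBinding, the "sso.principal" session attribute and the "/saml/acs" path are assumed names, and the SAML message building and validation are delegated to the SamlBinding seam because the real SSO library does that work. Two points the answer leaves implicit are made explicit here: the Assertion Consumer Service path must be handled before the session check (this is the "one more step" the question asks about, otherwise step 2.1 repeats forever), and RelayState is only honoured when it is a path inside the application, because in an IdP-initiated flow anyone who can send the user a link controls it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative SP-side filter for steps 2 through 2.1.3 (added example, not library code).
 * Building the AuthnRequest and validating the SAMLResponse are delegated to SamlBinding,
 * an assumed interface standing in for whichever SSO library is in use.
 */
public class SsoFilter implements Filter {

    /** Session attribute marking an authenticated SP session (assumed name). */
    static final String PRINCIPAL_ATTR = "sso.principal";

    /** Assertion Consumer Service path (assumed). It must bypass the session check, or step 2.1 repeats forever. */
    static final String ACS_PATH = "/saml/acs";

    /** Assumed seam: the real SSO library does the SAML work. */
    public interface SamlBinding {
        /** Full IdP URL carrying the SAMLRequest and the given RelayState. */
        String loginRedirectUrl(String relayState);
        /** Authenticated subject from a valid, signed SAMLResponse; null if the response is invalid. */
        String validateResponse(String samlResponseBase64);
    }

    private final SamlBinding saml;

    public SsoFilter(SamlBinding saml) {
        this.saml = saml;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        // Steps 2.1.1 and 2.1.2: the IdP POSTs SAMLResponse and RelayState to the ACS.
        // This branch runs before the session check so an unauthenticated browser can reach it.
        if (ACS_PATH.equals(path) && "POST".equals(request.getMethod())) {
            String subject = saml.validateResponse(request.getParameter("SAMLResponse"));
            if (subject == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid SAML response");
                return;
            }
            // Issue a fresh session id at login so a pre-set cookie cannot be fixated.
            HttpSession old = request.getSession(false);
            if (old != null) old.invalidate();
            request.getSession(true).setAttribute(PRINCIPAL_ATTR, subject);

            // Step 2.1.3: return to the page the user originally asked for. RelayState is
            // attacker-controllable, so it is only honoured when it is a path inside this app.
            response.sendRedirect(safeLocalTarget(request.getParameter("RelayState"), "/"));
            return;
        }

        // Step 2: already authenticated here? Then serve the protected resource.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(PRINCIPAL_ATTR) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Step 2.1: no SP session. Send the user to the IdP and carry the target URL in RelayState,
        // query string included, so the user lands on the exact page requested afterwards.
        String query = request.getQueryString();
        String target = path + (query == null ? "" : "?" + query);
        response.sendRedirect(saml.loginRedirectUrl(target));
    }

    /**
     * Accepts only a relative path on this host: it must start with exactly one "/",
     * must not be protocol-relative ("//host" or "/\host"), and must not contain a scheme
     * or CR/LF. Anything else falls back to the default landing page.
     */
    static String safeLocalTarget(String relayState, String fallback) {
        if (relayState == null || !relayState.startsWith("/")) return fallback;
        if (relayState.startsWith("//") || relayState.startsWith("/\\")) return fallback;
        if (relayState.contains("://") || relayState.contains("\r") || relayState.contains("\n")) return fallback;
        return relayState;
    }
}
```

Register the filter on the protected paths and on the ACS path; if the ACS path is left outside the filter's mapping, the first branch never runs and the loop described in the question comes back. The same safeLocalTarget check is what a custom success handler should apply to the Okta "Default Relay State" value in the Spring SAML case, since that value reaches the SP as an untrusted request parameter.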