Is IdentityServer3 WindowsAuthentication post logout redirect possible? - windows-authentication

I was wondering if it is possible to add a redirect Url to the post-logout action when using the Windows Authentication module of IdentityServer3? Currently, it seems to leave users on a blank page.

If you're using the WindowsAuthentication module, then you don't want to redirect to that STS for signout (since it's all about integrated Windows auth, and the only signout is logging out of the Windows machine). I'd suggest suppressing the redirect for signout to the WindowsAuthentication STS in the WS-Fed Katana middleware you're using in IdentityServer. Handle the RedirectingToIdentityProvider (or whatever the event is called) and call the API to suppress the redirect.
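As an added illustration of the approach in this answer (not code from the original post or from the IdentityServer3 project), here is how the Katana WS-Federation middleware that fronts the WindowsAuthentication STS can be registered so that sign-in still redirects to the STS while the sign-out redirect is suppressed. It assumes the middleware's RedirectToIdentityProvider notification and WsFederationMessage.IsSignOutMessage from Microsoft.Owin.Security.WsFederation; the provider name, metadata address and realm are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Added example: wired into IdentityServer3 via
// AuthenticationOptions.IdentityProviders = WindowsAuthRegistration.Register
public static class WindowsAuthRegistration
{
    public static void Register(IAppBuilder app, string signInAsType)
    {
        var wsFed = new WsFederationAuthenticationOptions
        {
            AuthenticationType = "windows",                        // assumed provider name
            Caption = "Windows",
            SignInAsAuthenticationType = signInAsType,
            MetadataAddress = "https://localhost:44333/windows",   // assumed WindowsAuthentication STS
            Wtrealm = "urn:idsrv3",                                // assumed realm
            Notifications = new WsFederationAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    // The middleware raises this notification for both sign-in and
                    // sign-out redirects. Only the sign-out redirect is suppressed:
                    // the Windows STS has nothing to sign out of, so the browser
                    // stays on IdentityServer's own logged-out page instead of a blank one.
                    if (n.ProtocolMessage.IsSignOutMessage)
                    {
                        n.HandleResponse();
                    }
                    return Task.FromResult(0);
                }
            }
        };

        app.UseWsFederationAuthentication(wsFed);
    }
}
```

Sign-in requests still flow to the STS because the notification only short-circuits messages whose wa action is wsignout1.0.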

Related

How to force creating a new session in Keycloak to authenticate CLI apps using OIDC Protocol

I have a webapp that uses Keycloak for user management and auth provider successfully.
The same application requires a CLI tool for some operations (similar to the gcloud CLI + web console).
I've implemented the CLI part using the OIDC Authorization Code Flow that opens the browser for the user to authenticate. It works like a charm.
However, if the user logs off from the browser, Keycloak will invalidate the session and the CLI will have to re-authenticate to get a new access_token and refresh_token.
My question here is, how can I force the CLI app login to create a new session separate from the browser session?
Or, if not possible, what's the correct way of achieving this?
Eventually, I found out that I just have to add the scope offline_access to the list of scopes I am requesting. Keycloak will then create a new offline session (bad name for the feature; offline just means that the user doesn't have to be present, but all the refreshes happen the same way).
https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/sessions/offline.adoc

Logout from Keycloak does not logout Active Directory User

We have integrated the Keycloak server with Azure Active Directory as the Identity Provider for SSO login.
Log-in is working fine. However, we are facing a problem with log-out. When a user logs out from the web application, our backend server-side code makes a REST call to the Keycloak server for the API below:
https://keycloaktest:8443/auth/realms/<realmName>/protocol/openid-connect/logout
For this REST call we are getting a 204 status code as the response.
However, when the user tries to log in to the application again from the browser, it does not ask them to enter credentials (Active Directory credentials).
In order to log out the user, we have to access the URL below
https://portal.azure.us/#home
and click log out there.
https://portal.azure.us/Account/SignOut
Is there any way to achieve this in the backend, i.e. when the user clicks logout from the browser?
Just ran across this myself. The answer provided here, "Logout user via Keycloak REST API doesn't work", worked for me. Try adding client_id and refresh_token to your /logout request.

Google Auth API - idpiframe_initialization_failed on Production environment

I integrated Google's Auth API in my production website.
When I enter the login page, it throws an idpiframe_initialization_failed exception to the console.
I found out that I can fix it by enabling that API / Cookies in my chrome browser, but I want to find a comprehensive solution that will prevent those exceptions in my production environment.
So my two questions are:
What do you suggest I do in order to achieve that?
In general, what is the meaning of those exceptions?
Thanks :)
If you have a production URL like http://godaddysite.com etc., host your page there with a web server.
Opening an HTML page from your computer with JavaScript does not work, as it is not hosted on a web server.
Please check your redirect URL etc. from when you created the OAuth client.
Go to the Credentials page.
Click Create credentials > OAuth client ID.
Select the Web application application type.
Name your OAuth 2.0 client and click Create.
Check the origins.
Create a new OAuth client with the correct origins.

WebSphere form based authentication logout mechanism not logging out

I am analyzing code. It is a Wicket application using WebSphere form based authentication.
The program has the ibm_security_logout form mechanism implemented.
When being logged in, I copy the current URL to the clipboard.
When logging out using the form, I seem to be logged out. However, when using the copied URL, I am back in the GUI, being logged in.
So the session is still valid? How can I make sure I am actually logged out, and redirected to the login page when using 'old' URLs?
Thanks!
Check that security is enabled for applications in the admin console, menu Security > Global security, checkbox "Application security".
Check that there is no security interceptor in menu Security > Global Security > Trust association > Interceptor.
Connect to your application using Chrome or Firefox and open the "developer tools" panel. Check what happens when you click on logout:
In the network tab, the browser should send a GET request to the ibm_security_logout URL.
In the WebSphere answer, there should be a header Set-Cookie:LtpaToken2="" which should remove LtpaToken2. LtpaToken2 is basically the session cookie for WebSphere.
Look at your cookies using developer tools. LtpaToken2 should not be there anymore.
If step 1 is not OK: your client application's logout button is not properly implemented.
If step 2 is not OK: there should be an error in the WebSphere log file.
If step 3 is not OK (very unlikely): there might be a cross-domain error, meaning the cookie was set for another domain name.

Avoid CAS login page, use my own login page

I am new to CAS and single sign-on. Please correct me if my understanding is incorrect; below is what I understand about CAS.
I have 2 web applications
I set up CAS, and when I access the URL of WebApp1, it shows me the CAS login page
I fill in the correct username/password
It takes me into WebApp1
From there I access WebApp2, and it works fine
What I need is as follows:
When I access WebApp1, I must see WebApp1 login page, not that of CAS
Let CAS generate some token for the session
Use this token to authenticate WebApp2 (which is the way it's working now, step 5 above)
Can someone suggest how to achieve this?
I am using Java 1.6, CAS 3.4.11, Tomcat 6.
I've made a summary recently on how CAS works.
The principles are written there. Basically it is like this:
Access The WebApp1
Show the CAS login page and authenticate
Redirect to WebApp1
Now subsequently you do the following:
Access WebApp2
The access request is redirected to CAS, which authenticates the user without showing a login page
Always under the assumption that both web apps are configured to use CAS as a login provider and CAS is set up to support both web apps.
Now, in the CAS way, what you want to achieve is done like this:
Exchange the standard CAS login page with your own login page and you're done.