DNN single sign on through webservice - single-sign-on

I have implemented SingleSignOn for my DNN site say www.example1.com. There is another site called www.example2.com. Both the sites will redirect to a common login page which uses a webservice to authenticate the users from external database.
The problem is, when i clicks on login button in example1.com, the user will be redirected to common sso login page, and after successful authentication, he will be redirected back to the original site. If I opens a new tab and enters the url that example2.com, the user is not being logged in.
But, if i clicks on login button in example2.com, the user is automatically getting logs in.
What I want exactly is, when I logs into one site in first tab and opens another site in the second tab, on the page load only the user should be logged in, but not on the login click.
How can I handle this issue ? Any help is appreciated.

I do something similar to this.
Your database should track users currently logged in. Before you redirect to the common login page, you should check if the user is logged in. Your example2.com is not checking to see if the user is logged on before redirecting to the common login page.
Here is how ours works:
Both sites must check for cookie/Token before redirecting
User Logs into site and is Authenticated
Writes User to Token database
Stores Token in cookie with expiration
Subsequent requests read the token from the cookie and validate against Token database
When user logs out, cookie and database entry are deleted
If user does not log out properly, you must clean up tokens on a set interval

Related

Redirection not happening after logout to the specified website in Azure AD using SimpleSAMLphp when multiple accounts present to be logged out

I have developed an SAML application which only uses Microsoft as IDP for successful login and logout of specific users. So after logout, I want Microsoft to redirect me to the website I have configured in the Logout URL of MyApplication in Azure Active Directory. The log-in functionality works everytime but when I logout in presence of only one Microsoft Signed-In account, it logouts perfectly and redirects me to the website I specified. I am facing the issue when I am asked to choose account to logout from a set of accounts (refer Image) of which when I select the configured account, it log me out perfectly but is unable to redirect me to my specified page. The page gets stuck on "You signed out of your account It's a good idea to close all browser windows." (refer Image). Thus I want to be redirected to the specified page when I am asked to select an account while logging out.
Logout Issue Redirect Image reference
Logout Issue Redirect Image reference
This is a known bug in this library.
Here are some alternatives.
You can use silent logout.
The post logout redirect isn't expected after calling logout. This could be a timing issue.
You can achieve a 'clean' logout by opening a new window and calling logout from there. Then a user is left with an extra open window; but at least they've retained a view of the app and it hasn't lost state.

facebook logout API

I'm using the Manual Login Flow from facebook to login users to my site. This means, redirecting them to accept the app, and the getting their info. (my app is also physical, ==> one browser for many people)
I got it working as I wanted, however, as they are only redirected to login, they are kept logged-in at browser-level, meaning that if another user comes after them and tries to login, they will only be shown the other person's profile, or be redirected as if they logged in.
Thus, I need a log-out method at browser-level, but I can't find any links, or api to logout a user from the browser.
Does anyone know how?
Thanks!

Third-party Login

I have a website that accepts Facebook login. When the user clicks the FB login button, it logs the user into his/her FB, retrieves the user info, and uses that info to login the user at my own backend. After successful login, the page jumps to the main site. For logout, it's the same. I first log the user out of his Facebook, and then out of my own backend (flush the session).
The problem is that the FB login at my site gets mixed with Facebook sessions at other places. If a Facebook loggedin user logs out (FB.logout()), his/her Facebook website will also be logged out. And if the user has logged in his FB somewhere else, when he comes to my site, the FB login button shows a already-logged-in state. But the getLoginStatus() actually shows the status as 'unknown' instead of 'connected', so the page doesn't jump. He has to logout, and then login again, which is pretty weird.
I wonder if there's a descent way to handle this, separating FB sessions at different places. This also applies to other third party authentication issues.

Different domain for Facebook login

In my facebook app I need to authenticate users on a different domain (not facebook.com), for example xxx.facebook.com, is it possible?
Yes, it is possible, only IF facebook endorse it.
For example when we log in the Developers.facebook.com.
Each domain is a child of facebook which mean that you need to have approval by Facebook to create a sub-domain.(well you won't create it but they will)
a little bit of search in the dev section resulted in this,
User authentication and app authorization are handled at the same time by redirecting the user to our OAuth Dialog. When invoking this dialog, you must pass in your app id that is generated when you create your application in our Developer App (the client_id parameter) and the URL that the user's browser will be redirected back to once app authorization is completed (the redirect_uri parameter). The redirect_uri must be within the same domain as the Site URL you specify in Web site tab of the Developer App:
https://www.facebook.com/dialog/oauth?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL
If the user is already logged in, we validate the login cookie that we have stored on the user's browser, authenticating the user. If the user is not logged in, they are prompted to enter their credentials:
Hope this help

Using Facebook Login safely on an insecure page

Suppose I have two URLs:
http://example.com/createinsecureaccount
https://example.com/accesssecureaccount
A possible user flow is as follows:
1. User visits insecure page and creates an account via FB. My site tells the user they are logged in(*).
2A. User visits secure page to access account details via FB.
2B. Man-in-the middle visits secure page and uses credentials stolen during #1 to impersonate the user.
Is there a means for me to differentiate between a login token created on an insecure page and one created on a secure page? My current thinking is that I could use attach a nonce to Facebook's redirect_uri state parameter (https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.3#logindialog ), but I'm unsure if this is reasonable/safe.
(*) This is a half-truth to make the user happy. The site pretends the user is fully logged in until they attempt to access protected content, at which point they will be asked to login again. Sites like Amazon have similar behavior.