Force reauthenticate with adfs - single-sign-on

I have seen a similar post but that was more related to ASP. I will explain my situation below.
I am developing an SP (Relying Party) and integrating with ADFS (IdP). Since I am in the integration phase, I want ADFS to forget that I have previously authenticated, so that each time I hit the ADFS endpoint (/adfs/ls) with an AuthnRequest it asks for my credentials.
I believe ADFS, by default, remembers clients by their remote IP/host name, so clearing cookies on the client machine does not help. There was a post that gave a link to log out from the IdP (https:///adfs/ls/?wa=wsignout1.0&wreply=https:///adfs/ls/?wa=wsignoutcleanup1.0). ADFS says I have been logged out, but when I hit the ADFS endpoint, ADFS redirects back to the SP with a successful AuthResponse.
Can you please tell me how to force reauthentication/logout on ADFS, or point me to the right articles?

The FederatedPassiveSignInStatus control (which should be part of VS if you've installed all the WIF stuff) will help you. Add it to your app, and clicking it will log you out of everything.
Also see AD FS: How to Invoke a WS-Federation Sign-Out.

Add wfresh=0 as a URL parameter.
This parameter indicates "freshness requirements".
According to the spec:
If specified, this indicates the desired maximum age of authentication specified in minutes.
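The two ways of asking ADFS for a fresh authentication, as an added example that is not part of the answer above: wfresh=0 on a WS-Federation passive sign-in URL, and ForceAuthn="true" on a SAML 2.0 AuthnRequest (the SAML equivalent, since the question is sending AuthnRequests to /adfs/ls). The ADFS host, realm and ACS URL are assumptions; the redirect-binding encoder and its inverse let you check what your SP really sent.

```python
"""Added example: force re-authentication at ADFS for both protocols it speaks.
Endpoints and identifiers below are assumptions, not values from the post."""
import base64
import datetime
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

ADFS_LS = "https://adfs.example.com/adfs/ls/"      # assumed ADFS passive endpoint
RP_REALM = "https://sp.example.com/"              # assumed wtrealm / SAML Issuer of the SP
ACS_URL = "https://sp.example.com/saml/acs"       # assumed AssertionConsumerService URL


def wsfed_signin_url(realm: str, return_ctx: str, fresh_minutes: int = 0) -> str:
    """WS-Federation passive sign-in URL.

    wfresh is the maximum acceptable age of the authentication, in minutes;
    wfresh=0 tells ADFS to prompt again even when a valid SSO cookie exists.
    """
    params = {
        "wa": "wsignin1.0",
        "wtrealm": realm,
        "wctx": return_ctx,
        "wfresh": str(fresh_minutes),
    }
    return ADFS_LS + "?" + urlencode(params)


def saml_authn_request(issuer: str, acs: str, force_authn: bool = True) -> str:
    """SAML 2.0 AuthnRequest; ForceAuthn="true" is the SAML counterpart of wfresh=0."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    force = "true" if force_authn else "false"
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
        f'Destination="{ADFS_LS}" AssertionConsumerServiceURL="{acs}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'ForceAuthn="{force}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode()) + compressor.flush()
    return base64.b64encode(data).decode()


def saml_redirect_url(xml: str, relay_state: str) -> str:
    """Redirect URL carrying the AuthnRequest to /adfs/ls (unsigned; add SigAlg/Signature
    if the relying party trust in ADFS requires signed requests)."""
    return ADFS_LS + "?" + urlencode({"SAMLRequest": redirect_binding(xml), "RelayState": relay_state})


def decode_saml_request(url: str) -> str:
    """Inverse of the redirect binding, handy for checking what the SP actually sent."""
    q = parse_qs(urlparse(url).query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


if __name__ == "__main__":
    print(wsfed_signin_url(RP_REALM, "rm=0&id=passive"))
    url = saml_redirect_url(saml_authn_request(RP_REALM, ACS_URL), "/home")
    print(decode_saml_request(url))
```

Both parameters only ask ADFS to re-prompt; whether it honours them also depends on the authentication policy of the relying party trust, so verify with a trace that the prompt really appears rather than assuming it from the URL.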

Related

ADFS as a SAML Service Provider interacting with other Relying Parties

I have a web application that is capable of being a SAML 2.0 IdP as well as a SP, and have successfully implemented SSO between my platform and ADFS, but only when ADFS is the IdP.
This is my first foray into integrating with my platform, using ADFS as a SP and I'm having problems understanding the SSO flow.
In my situation, I have three players: WebApp (IdP), ADFS (SP), RelyingParty (S). The trusts are set up in ADFS, and the user experience is supposed to be a successful login to the RelyingParty having logged in to the WebApp.
Setting up a new Claims Provider Trust in ADFS with my web app appears to work perfectly. I can go to my app's IdP-initiated URL, which sends an unsolicited SAML message to ADFS's ACS URL. When I do this, I get redirected to /idpinitiatedsignon with the message "You are signed in" and a drop-down of the relying parties I've already set up.
If I click on the login button for the RP, ADFS generates a new AuthNRequest to my web app before eventually getting to the Relying Party.
So, seeing this behaviour, I have two questions:
I would have thought that the initial sign-in to ADFS via my IdP-initiated login would have got me through to my RP without the need for going back to the IdP for another sign-in. Have I misunderstood, or have I just misconfigured ADFS?
By what mechanism is ADFS determining that my IdP is to be used? If I go to the ADFS /adfs/ls/idpinitiatedsignon.aspx page in a browser, I've not involved my IdP at all, and selecting my RP does use my IdP to authorize the user, but I've no idea how this is determined since there's no link between the Claims Provider Trust and the Relying Party in the ADFS configuration.
What happens if you use loginToRp:
https://your-adfs-server/adfs/ls/IdpInitiated.aspx?loginToRp=your:relying:party:id
You have chosen to use IdP-initiated sign-on to ADFS, so ADFS handles the authentication.
If you want to involve your IdP, you need to use the SP-initiated flow from the RelyingParty (S).
Then ADFS will show you the Home Realm Discovery screen and you can pick your IDP.

SAML SSO: keeping users logged in after validating the SAML Assertion

I am implementing a front-channel SAML 2.0 SSO Service Provider in Go, with Okta as my Identity Provider (this is just a POC and should eventually work with any IdP).
Implementing the sign-on process was straightforward with the saml2 package. I've created the login endpoint that redirects to the SAML application login URL at the intended IdP, as well as the POST callback endpoint which is properly receiving the SAML assertion and is able to validate it. After that, a session with a random cookie is created with the same TTL as the Identity Provider session TTL. So far everything works well (I haven't implemented Single Sign-Out yet, but I'm planning to).
However, when some time passes and the session expires, I'd like to renew it only if the user is still logged in with the IdP and hasn't been removed from the SAML application. I would like to avoid redirecting the user to perform SSO again with the IdP, because it would mean that if they are still logged in, they would be redirected back to the home page of my application. I wasn't able to find good sources online on my options for going about it.
Questions:
1.1 One solution that comes to mind is storing the requested URL in the RelayState parameter, whenever the session has expired, then redirect the user to the IdP SSO URL. When the redirect returns to the SAML callback POST endpoint, check the RelayState parameter and if set, redirect back to that (original) URL. That means that for users that use the system continuously, I would have to request Assertions very often. Does that make sense?
1.2 A second solution that comes to mind is to implement a back-channel for communicating directly from my SP to the IdP. That would allow me to verify a user is still logged in 'behind the user's back'. If that's a sound idea:
a. Do I need to have dedicated code for each IdP?
b. Do I need to load an API key to the IdP which would allow secure communication?
c. Do I need to upload a public certificate to the IdP that would be able to verify that my SP signed the requests?
Will using the Assertion to get an OAuth 2.0 Access Token help me in achieving this?
I've chosen SAML 2.0 for now, since the environment is an enterprise oriented one and I thought it fits well with it based on what I read. Would using OpenID Connect instead help achieve my goals easier and fit well with enterprise oriented products?
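Option 1.1 from the question, as an added example that is not the poster's Go code: on session expiry the SP re-runs SP-initiated SSO, and RelayState carries an opaque token rather than the requested URL, so the IdP round trip lands the user back where they were without the SP ever redirecting to a value the IdP (or anyone who can reach the ACS endpoint) hands back. Whether the user is "still logged in" is answered by the IdP itself: if the IdP session is gone or the user was unassigned from the application, no valid assertion arrives and the renewal fails. Store, names and the in-memory backing are assumptions.

```python
"""Added example (not the poster's code): transparent re-SSO on session expiry with a
RelayState that cannot be turned into an open redirect.  Stores/names are assumptions."""
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Pending return paths keyed by the opaque token we put in RelayState (assumed in-memory store).
_pending: Dict[str, Tuple[str, float]] = {}
PENDING_TTL = 300      # seconds a pending return path stays valid (about one IdP round trip)
RELAYSTATE_MAX = 80    # SAML 2.0 Bindings 3.4.3: a RelayState value MUST NOT exceed 80 bytes


def safe_local_path(path: str) -> str:
    """Accept only a same-origin path.  Absolute URLs, protocol-relative '//host' and
    backslashes (which browsers normalise to '/' in a Location header) collapse to '/'."""
    p = urlsplit(path)
    if p.scheme or p.netloc or not p.path.startswith("/") or "\\" in path:
        return "/"
    return path


def begin_sso(requested_url: str, now: Optional[float] = None) -> str:
    """Session expired: remember where the user was going and return the RelayState to
    send alongside the AuthnRequest.  The URL itself never leaves the SP."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)   # 32 URL-safe chars, well under the 80-byte limit
    _pending[token] = (safe_local_path(requested_url), now + PENDING_TTL)
    return token


def finish_sso(relay_state: Optional[str], now: Optional[float] = None) -> str:
    """ACS endpoint, after the assertion validated: resolve RelayState to a redirect target.
    Missing (IdP-initiated), unknown, expired, oversized or reused tokens fall back to '/'."""
    now = time.time() if now is None else now
    if not relay_state or len(relay_state.encode()) > RELAYSTATE_MAX:
        return "/"
    entry = _pending.pop(relay_state, None)     # single use
    if entry is None or entry[1] < now:
        return "/"
    return entry[0]


if __name__ == "__main__":
    # Simulated expiry on a deep link: the user goes to the IdP with this token as RelayState
    # and, on return, lands on the page they asked for; a reused token falls back to '/'.
    token = begin_sso("/incidents/INC0012345?tab=notes")
    print(finish_sso(token))   # /incidents/INC0012345?tab=notes
    print(finish_sso(token))   # /
```

Because the SP, not the IdP, decides the session TTL, the renewal frequency in 1.1 is whatever you set; a user who is active continuously costs one IdP round trip per TTL, which the IdP answers without a prompt as long as its own session is alive.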

ADFS signout returns 404

We have a federation where ADFS 3 is our main sign-on mechanism, with IdentityServer as a relying party which is handling our OAuth. So when a user logs in, we are redirected via the idserver to ADFS where they log in, then we are redirected back and the user now has an OAuth token issued by IdentityServer.
We are having issues with logoff when it is initiated by ADFS. Using Fiddler I can see ADFS is redirecting to https://idserver/?wa=wsignoutcleanup1.0, but this is returning a 404.
Is this the right URL it's calling?
Have we missed something when creating the idserver?
I don't have a CallbackPath configured, so I assume it should pick this up?
Thanks
The problem is that the Katana WS-Fed middleware from Microsoft doesn't support sign-out. You will have to implement this yourself -- middleware seems like an obvious approach.

ServiceNow Single-Log-Out (ADFS) redirects back to ServiceNow and logs you in again

We have ServiceNow, among other applications, configured in ADFS for SSO; ServiceNow is the only app using SP-initiated sign-on, however.
Sometimes when you log out, it behaves as it should and goes to https://adfs.example.com.au/adfs/ls/?wa=wsignout1.0 and tells you that you are signed out, but sometimes instead of going to the signed-out page you just get redirected back to ServiceNow (you can see another SAML request happening and it lets you in) and your session is still logged in. Obviously this represents a security issue! The user logs out, then leaves the machine without looking, and the session is still open!
Has anyone come across this before? It seems SP-initiated sign-on is buggy, and I need to fix these logout issues for security reasons.
wa=wsignout1.0 is intended for WS-Fed applications. ServiceNow, as a SAML 2.0 app, should be sending a properly constructed samlp:LogoutRequest to the /adfs/ls endpoint to sign out properly.
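What a properly constructed samlp:LogoutRequest for /adfs/ls looks like over the HTTP-Redirect binding, as an added example that is neither ServiceNow's nor ADFS's code. The ADFS host is the one from the question; the path, issuer and NameID values are assumptions. ADFS normally requires logout requests to be signed, so the builder takes the SP's signing primitive as a parameter and lays the query out in the order the signature covers; the parser is the inverse, for checking a captured request.

```python
"""Added example (not ServiceNow's or ADFS's code): a SAML 2.0 LogoutRequest for /adfs/ls
over the HTTP-Redirect binding, plus the inverse so a captured request can be inspected."""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ADFS_LS = "https://adfs.example.com.au/adfs/ls/"   # host from the question; path assumed
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer: str, name_id: str, session_index: str,
                         name_id_format: str = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified") -> bytes:
    """NameID and SessionIndex must be the values ADFS put in the assertion at login;
    otherwise ADFS cannot match the request to its SSO session."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": now, "Destination": ADFS_LS})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req)


def deflate_b64(xml: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()


def logout_redirect_url(xml: bytes, relay_state: str, sign: Callable[[bytes], bytes]) -> str:
    """Per Bindings 3.4.4.1 the signature covers the URL-encoded query
    'SAMLRequest=..&RelayState=..&SigAlg=..' in exactly that order; `sign` is the
    SP's RSA-SHA256 primitive over those bytes, supplied by the caller."""
    query = urlencode({"SAMLRequest": deflate_b64(xml), "RelayState": relay_state, "SigAlg": RSA_SHA256})
    signature = base64.b64encode(sign(query.encode())).decode()
    return ADFS_LS + "?" + query + "&" + urlencode({"Signature": signature})


def parse_logout_request(url: str) -> Dict[str, Optional[str]]:
    """Inverse of the binding, for checking what the SP actually sent (e.g. from a Fiddler trace)."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "destination": root.get("Destination"),
        "relay_state": q.get("RelayState", [None])[0],
        "sig_alg": q.get("SigAlg", [None])[0],
    }


if __name__ == "__main__":
    req = build_logout_request("https://servicenow.example.com.au", "jdoe@example.com.au",
                               "_1234", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    # Placeholder signer for the demo only; use the SP's private key in practice.
    print(parse_logout_request(logout_redirect_url(req, "/logout-done", lambda b: b"not-a-real-signature")))
```

When comparing a trace against this, the things that most often go wrong are a missing SessionIndex, a NameID whose Format differs from the one ADFS issued, and a Destination that is not the exact /adfs/ls URL ADFS expects.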

Single Sign Out with ADFS and STS

We currently have problems with Single Sign-Out with ADFS 2.0 and an external IP-STS. Our setup is:
RP1 <-- trust --> ADFS 2.0 <-- trust --> Custom IP-STS
RP2 <-- trust --> ADFS 2.0 <-- trust --> Custom IP-STS
The Single Sign-On part works very well: if users have already logged on using the Custom IP-STS to access RP1, they can thereafter access RP2 in the same browser session without having to log on again.
However, the problem comes in the sign-out process. When users sign out from RP1, using Fiddler we can see that:
1. A sign-out request (wsignout1.0) is sent to ADFS.
2. ADFS transfers the sign-out request to the Custom IP-STS.
3. The Custom IP-STS processes the sign-out action properly, and then returns back to ADFS.
4. ADFS does return back to (signed-out) RP1.
5. RP1 is no longer authenticated, so of course is prompted to log in again (CORRECT).
HERE IS THE PROBLEM: RP2 is still able to work without any problem (with the previous claim set), and ADFS does not send any wsignoutcleanup1.0 action to RP2.
I assume that ADFS should do sign-out for all RPs having the same session, but it doesn't. Am I wrong? Or am I missing some kind of configuration here?
Of course we have the option to explicitly send the wsignoutcleanup1.0 action to the RPs from the Custom IP-STS, but we would need to parse the "wctx" in order to get the original RP URL, which I don't want to do.
I also tried sending the wsignoutcleanup1.0 action back to ADFS from the Custom IP-STS (step 3), but it didn't help either.
My guess is that you are not returning iframes with wsignoutcleanup but rather images. Thus, ADFS does not return nested iframes; in other words, it doesn't escalate sign-out properly.
The correct sequence is:
1. The application sends the sign-out request to ADFS.
2. ADFS escalates the request to the external STS.
3. The STS returns a sequence of iframes pointing to the authenticated applications (ADFS in this case) with wsignoutcleanup.
4. ADFS returns a nested iframe with wsignoutcleanup to all authenticated apps, including RP1 and RP2.
It sounds like the custom STS is not sending the signoutcleanup to ADFS.
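The two halves of that sequence in code, as an added example that is not from any of the posts above and not ADFS's, IdentityServer's or the custom STS's implementation. The STS side renders the sign-out page of hidden iframes (one per relying party it issued a token to, each carrying wa=wsignoutcleanup1.0), which is what the custom IP-STS has to return to ADFS and what ADFS in turn returns to RP1 and RP2. The relying-party side is the handler that was missing in the IdentityServer thread, where https://idserver/?wa=wsignoutcleanup1.0 returned 404: it drops the local session and answers 200. Endpoint names, the session store and the wreply allowlist are assumptions.

```python
"""Added example (not from the posts): both halves of WS-Federation sign-out.
STS side: page of hidden iframes, one per authenticated relying party, each with
wa=wsignoutcleanup1.0 (iframes, not images, so an intermediate STS such as ADFS can
answer with its own nested page).  RP side: handler for wsignoutcleanup1.0 / wsignout1.0.
Endpoints, stores and names are assumptions."""
from html import escape
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# 1x1 transparent GIF that a relying party returns into the cleanup iframe.
ONE_PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
                 b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def cleanup_url(rp_endpoint: str) -> str:
    """wsignoutcleanup1.0 URL for one relying party's WS-Fed endpoint."""
    sep = "&" if "?" in rp_endpoint else "?"
    return rp_endpoint + sep + urlencode({"wa": "wsignoutcleanup1.0"})


def same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)


def signout_page(authenticated_rps: Iterable[str], registered_rps: Iterable[str],
                 wreply: Optional[str] = None) -> str:
    """STS side: HTML returned for wa=wsignout1.0.  Each relying party that received a token
    in this session gets a hidden <iframe>; a nested STS answers its frame with more frames."""
    frames = "\n".join(
        f'<iframe src="{escape(cleanup_url(rp))}" style="display:none"></iframe>'
        for rp in authenticated_rps
    )
    # wreply is caller-controlled; only offer it back for a registered relying party.
    go_back = ""
    if wreply and any(same_origin(wreply, rp) for rp in registered_rps):
        go_back = f'<p><a href="{escape(wreply)}">Return to application</a></p>'
    return f"<html><body><p>You are signed out.</p>\n{frames}\n{go_back}</body></html>"


def handle_rp_request(query_string: str, session_id: Optional[str], sessions: Dict[str, dict],
                      sts_signout_url: str) -> Tuple[int, List[Tuple[str, str]], bytes]:
    """Relying-party side of the WS-Fed endpoint.  Returns (status, headers, body)."""
    wa = parse_qs(query_string).get("wa", [None])[0]
    expired = "session=; Max-Age=0; Path=/; Secure; HttpOnly"
    if wa == "wsignoutcleanup1.0":
        # Loaded from the STS's iframe: drop the local session and answer 200 (never 404,
        # and never redirect, since nothing looks at the frame's content).
        if session_id is not None:
            sessions.pop(session_id, None)
        return 200, [("Content-Type", "image/gif"), ("Set-Cookie", expired)], ONE_PIXEL_GIF
    if wa == "wsignout1.0":
        # Sign-out started here: drop the local session and send the browser to the STS,
        # which fans wsignoutcleanup1.0 out to every other relying party.
        if session_id is not None:
            sessions.pop(session_id, None)
        location = sts_signout_url + "?" + urlencode({"wa": "wsignout1.0"})
        return 302, [("Location", location), ("Set-Cookie", expired)], b""
    # Sign-in responses arrive by POST and are handled elsewhere; anything else is a bad request.
    return 400, [("Content-Type", "text/plain")], b"unsupported wa"


if __name__ == "__main__":
    rps = ["https://rp1.example.com/", "https://rp2.example.com/"]
    print(signout_page(rps, rps, wreply="https://rp1.example.com/"))
    store = {"s1": {"user": "alice"}}
    print(handle_rp_request("wa=wsignoutcleanup1.0", "s1", store, "https://adfs.example.com/adfs/ls/")[0], store)
```

One caveat a trace will not show you: the cleanup iframe is a cross-site request, so a session cookie marked SameSite=Lax or Strict is not sent with it and the handler above finds no session to drop. The cookie the WS-Fed endpoint relies on for cleanup has to be SameSite=None; Secure, or the STS's fan-out silently becomes a no-op at that relying party.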