Signout not killing SF Session
So I've got a site integrated with ADFS, and it's working great for sign in. I can't figure out what to do with the signout URL. My link is set to mysite/.../SignOut and I've tried several different endpoints in the ADFS Relying Party configuration, nothing seems to be working. Any thoughts on what I can do to implement a true signout?
Thanks,
George
Hi George,
Actually, the ADFS integration using Windows authentication in Sitefinity is an interesting thing. It works seamlessly for login because the authentication happens "behind the scenes" in several requests between the browser and the server, without user interaction. So what happens when you click the logout button (calling the SignOut) is that you have been signed out. For example, if you have user information displayed somewhere on the page, it will show "Anonymous". But if you have a resource on the page which requires authentication, you will again be logged in because of the automatic requests that happen behind the scenes.
So if that's not OK for you, what do you expect? What is the desired behavior of the "true signout"?
Regards,
DimBo
Telerik
Hi DimBo,
I want the users to no longer be able to access my restricted resources in the site. That's the ultimate goal when they click logout, so that they can walk away and trust that no one is going to get into their items.
George
Hi George,
I understand your concerns. But as long as you use ADFS integration with Windows Authentication within your site (no matter if it is Sitefinity or some other), when it asks for authentication the ADFS will "tell" the application who the user is (automatically).
So in order to prevent the automatic login you could configure only the LDAP provider in Sitefinity (without Windows Authentication). This way the users will be asked for their domain credentials in order to authenticate. And when they click logout they won't be logged in automatically next time. The benefit (compared with the default Sitefinity provider) is that you don't have to take care of the users and their usernames and passwords - they are automatically available when you use LDAP.
The other option is to explain to your users what the consequences of leaving the computer unattended without locking it could be, and to teach them to log off from the domain or lock the computer when they walk away. This is valid not only for sites but for any other application that uses the current user identity.
And remember, there is always a trade-off between convenience and security, and the decision is not so easy.
Best Wishes,
DimBo
Telerik
I think I've not expressed myself properly, so let me go through this step by step.
I have an instance of Sitefinity connected to my LDAP.
I also have it connected to the SitefinitySTS that I am using for Claims based logins on the front end.
I then have the SitefinitySTS using ADFS as its IdP.
So the chain goes Sitefinity -> SitefinitySTS -> ADFS
When a user first logs in, they are able to be bounced to the ADFS, authenticate and then be pushed back up the chain to Sitefinity. When a user goes to log out, the local session is killed, until I click on another screen and then I am re-authenticated, because the signal to kill the ADFS session never made it all the way back to the ADFS server. If I go into ADFS and logout, then click logout on my Sitefinity site, I am really logged out.
Now I have an Endpoint Listener for ADFS to do a SAML-style logout. I also have a piece of code in my SitefinitySTS that receives the SignOut link from the front end and passes it through, but something isn't happening right in that spot. That's what I'm trying to repair.
I am hoping I've elaborated this a bit better?
Any additional thoughts?
Hi George,
In order to achieve your needs, you can add custom logic in SitefinitySTS to call the ADFS signout.
To do so you can try the following approach:
- Create a custom widget (for example with a link button) where, on click, you:
- Call SecurityManager.Logout();
- Redirect to SitefinitySTS (http://<mysite.com>/Sitefinity/SignOut?sts_signout=true) - the Authentication sign-out API - and add a query string parameter that will be handled in the next step
- In the ProcessRequest() method (screenshot) add the logic to handle the above request and, based on the additional query string, call the logout on your ADFS
I hope the information above was useful.
Regards,
Svetoslav Manchev
Telerik
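The procedure above, sketched as an added example (this is not Telerik's or Sitefinity's own code, and not code from the thread). It assumes the STS sign-out endpoint is an IHttpHandler whose ProcessRequest() you can edit, that SitefinitySTS speaks WS-Federation to ADFS (so the sign-out is the standard passive `wa=wsignout1.0` message to the `/adfs/ls/` endpoint), and uses the hypothetical hosts adfs.example.com and mysite.example.com. Only SecurityManager.Logout() and the `sts_signout=true` query string come from the answer; everything else is assumed.

```csharp
// Added example; assumptions: IHttpHandler-based STS sign-out endpoint,
// WS-Federation passive sign-out to ADFS, hypothetical host names.
using System;
using System.Web;
using Telerik.Sitefinity.Security;

namespace Example.SignOut
{
    // Site side: a widget with a link button. On click, kill the local
    // Sitefinity session, then hand off to the STS with the marker parameter.
    public partial class LogoutWidget : System.Web.UI.UserControl
    {
        protected void LogoutButton_Click(object sender, EventArgs e)
        {
            SecurityManager.Logout();
            // sts_signout=true tells the STS it must also end the ADFS session.
            Response.Redirect("/Sitefinity/SignOut?sts_signout=true", endResponse: true);
        }
    }

    // STS side: the sign-out handler. The ADFS session lives in the user's
    // browser (ADFS cookie), so it can only be ended by redirecting the
    // browser to ADFS; a server-to-server call would not clear it.
    public class StsSignOutHandler : IHttpHandler
    {
        // Hypothetical values: your ADFS passive endpoint and the page users
        // should land on after ADFS has signed them out.
        private const string AdfsPassiveEndpoint = "https://adfs.example.com/adfs/ls/";
        private const string ReturnUrlAfterLogout = "https://mysite.example.com/";

        public bool IsReusable { get { return false; } }

        public void ProcessRequest(HttpContext context)
        {
            // ... existing STS sign-out logic (clear the STS's own cookie/session) ...

            var stsSignOut = context.Request.QueryString["sts_signout"];
            if (string.Equals(stsSignOut, "true", StringComparison.OrdinalIgnoreCase))
            {
                // WS-Federation passive sign-out: wa=wsignout1.0 ends the ADFS
                // session; wreply is where ADFS sends the browser afterwards and
                // must be a URL ADFS allows for this relying party.
                var url = AdfsPassiveEndpoint
                    + "?wa=wsignout1.0"
                    + "&wreply=" + Uri.EscapeDataString(ReturnUrlAfterLogout);
                context.Response.Redirect(url, endResponse: true);
                return;
            }

            // No marker: plain local sign-out, leave the ADFS session alone.
            context.Response.Redirect(ReturnUrlAfterLogout, endResponse: true);
        }
    }
}
```

Two checks worth making after wiring this up: confirm in the browser's network log that the final hop actually reaches ADFS with `wa=wsignout1.0` (if ADFS rejects the `wreply`, the session is still ended but the user gets an ADFS error page instead of your site), and remember that, as DimBo noted earlier in the thread, if ADFS itself is configured for Windows Integrated Authentication the next protected request will silently sign the domain user back in, so ending the ADFS session only helps if ADFS prompts for credentials.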