Signout not killing SF Session

Posted by Community Admin on 04-Aug-2018 02:54

Posted by Community Admin on 04-Dec-2014 00:00

So I've got a site integrated with ADFS, and it's working great for sign in.  I can't figure out what to do with the signout URL.    My link is set to mysite/.../SignOut and I've tried several different endpoints in the ADFS Relying Party configuration, nothing seems to be working.  Any thoughts on what I can do to implement a true signout?

Thanks,
George

Posted by Community Admin on 05-Dec-2014 00:00
Hi George,

Actually the ADFS integration using Windows authentication in Sitefinity is an interesting thing. It works seamlessly for login because the authentication happens "behind the scenes" in several requests between the browser and the server without user interaction. So what happens when you click the logout button (calling the SignOut) is that you have been signed out. For example, if you have user information displayed somewhere on the page, it will show "Anonymous". But if you have a resource on the page which requires authentication, you will again be logged in because of the automatic requests that happen behind the scenes.

So if that's not ok for you - what do you expect? What is the desired behavior of the "true signout"?

Regards,
DimBo
Telerik
 
Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items
 
Posted by Community Admin on 17-Dec-2014 00:00

Hi DimBo,

I want the users to no longer be able to access my restricted resources in the site.  That's the ultimate goal when they click logout, so that they can walk away and trust that no one is going to get into their items.

George

Posted by Community Admin on 22-Dec-2014 00:00
Hi George,

I understand your concerns. But as long as you use ADFS integration with Windows Authentication within your site (no matter if it is Sitefinity or some other) when it asks for authentication the ADFS will "tell" the application who the user is (automatically).

So in order to prevent the automatic login you could configure only the LDAP provider in Sitefinity (without Windows Authentication). This way the users will be asked for their domain credentials in order to authenticate. And when they click logout they won't be logged in automatically next time. The benefit (compared with the default Sitefinity provider) is that you don't have to take care of the users and their usernames and passwords - they are automatically available when you use LDAP.

The other option is to explain to your users what the consequences of leaving the computer unattended without locking it could be, and to teach them to log off from the domain or lock the computer when they walk away. This is valid not only for sites but for any other application that uses the current user identity.

And remember there is always a trade-off between convenience and security, and the decision is not so easy.

Best Wishes,
DimBo
Telerik
Posted by Community Admin on 23-Dec-2014 00:00

I think I've not expressed myself properly, so let me go through this step by step.

I have an instance of Sitefinity connected to my LDAP.

I also have it connected to the SitefinitySTS that I am using for Claims based logins on the front end.

I then have the SitefinitySTS using ADFS as its IdP.

So the chain goes Sitefinity -> SitefinitySTS -> ADFS

When a user first logs in, they are able to be bounced to the ADFS, authenticate and then be pushed back up the chain to Sitefinity.  When a user goes to log out, the local session is killed, until I click on another screen and then I am re-authenticated, because the signal to kill the ADFS session never made it all the way back to the ADFS server.  If I go into ADFS and logout, then click logout on my Sitefinity site, I am really logged out.

Now I have an Endpoint Listener for ADFS to do a SAML style logout.  I also have a piece of code in my SitefinitySTS that receives the SignOut link from the front end and passes it through, but something isn't happening right in that spot.  That's what I'm trying to repair.

I am hoping I've elaborated this a bit better?

Posted by Community Admin on 08-Jan-2015 00:00
Any additional thoughts?

Posted by Community Admin on 13-Jan-2015 00:00
Hi George,

In order to achieve your needs you can add custom logic in SitefinitySTS in order to call the ADFS signout.

To do so you can try the following approach:
- Create a custom widget (for example with a link button) where on click you:
- Call SecurityManager.Logout();
- Redirect to SitefinitySTS (http://<mysite.com>/Sitefinity/SignOut?sts_signout=true), the authentication sign out API, and add a query string parameter that will be handled in the next step
- In the ProcessRequest() method (screenshot) add the logic to handle the above request and, based on the additional query string, call the logout to your ADFS

I hope the information above was useful.

Regards,
Svetoslav Manchev
Telerik
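The four steps in the last reply, written out as one added example (this is not code from the thread, from Telerik, or from SitefinitySTS itself). SecurityManager.Logout() and the /Sitefinity/SignOut?sts_signout=true redirect are the ones named above; the AdfsSignOut class, the ADFS endpoint and return URL, and the use of a forms-authentication cookie on the STS are assumptions you would replace with your own values.

```csharp
using System;
using System.Web;
using System.Web.Security;
using Telerik.Sitefinity.Security;   // SecurityManager, as named in the reply

// --- Front-end side: click handler for the custom widget's link button -----
public partial class SignOutWidget : System.Web.UI.UserControl
{
    protected void SignOutButton_Click(object sender, EventArgs e)
    {
        // Step 1 from the reply: end the Sitefinity session locally.
        SecurityManager.Logout();

        // Step 2: send the browser to the STS sign-out endpoint with the extra
        // flag that the STS-side code below looks for.
        Response.Redirect("/Sitefinity/SignOut?sts_signout=true", false);
        HttpContext.Current.ApplicationInstance.CompleteRequest();
    }
}

// --- STS side: the branch to call first from the existing ProcessRequest() --
// HYPOTHETICAL class name; the existing handler would call
// AdfsSignOut.TryHandle(context) and return if it handled the request.
public static class AdfsSignOut
{
    // ASSUMPTION: the WS-Federation passive endpoint of your ADFS farm.
    private const string AdfsEndpoint = "https://adfs.example.com/adfs/ls/";

    // ASSUMPTION: the only location ADFS may return the browser to afterwards.
    // Keeping this a fixed value rather than a caller-supplied URL avoids
    // turning the sign-out endpoint into an open redirect.
    private const string PostSignOutUrl = "https://mysite.example.com/";

    // Returns true when the request carried sts_signout=true and was handled;
    // false means the caller should continue with its normal sign-out logic.
    public static bool TryHandle(HttpContext context)
    {
        if (!IsStsSignOutRequest(context.Request.QueryString["sts_signout"]))
        {
            return false;
        }

        // Drop the STS's own authentication state so a later request cannot be
        // satisfied from a cookie or session that outlived the logout.
        // ASSUMPTION: the STS issues a forms-authentication cookie; substitute
        // the STS's own cookie clearing if it uses something else.
        FormsAuthentication.SignOut();
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        // Step 4: tell ADFS to end its session too. wa=wsignout1.0 is the
        // standard WS-Federation sign-out action; wreply tells ADFS where to
        // send the browser once its session is gone.
        context.Response.Redirect(BuildAdfsSignOutUrl(PostSignOutUrl), false);
        context.ApplicationInstance.CompleteRequest();
        return true;
    }

    // Case-insensitive check so "True" from a hand-typed link also matches.
    public static bool IsStsSignOutRequest(string flag)
    {
        return string.Equals(flag, "true", StringComparison.OrdinalIgnoreCase);
    }

    // Builds e.g. https://adfs.example.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fmysite.example.com%2f
    public static string BuildAdfsSignOutUrl(string returnUrl)
    {
        return AdfsEndpoint + "?wa=wsignout1.0&wreply=" + HttpUtility.UrlEncode(returnUrl);
    }
}
```

Ordering matters here: the local state (Sitefinity session, STS cookie) is cleared before the browser is sent to ADFS, so that even if the ADFS round trip is interrupted the site-side session is already gone. The remaining caveat is the one DimBo raised earlier in the thread: if ADFS is configured for Windows authentication on a domain-joined machine, the next request to a protected resource will silently re-authenticate, and only locking the workstation or logging off the domain prevents that.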