Not able to SignOut using Saml2 from Sustainsys


Question


This should be redirecting my app to my ADFS sign-out page and then redirect me back to my app. However, it simply redirects me to my route "/logout". Watching the log on my ADFS server, nothing happens.

        [AllowAnonymous]
        [HttpGet]
        [Route("api/logout")]
        public IActionResult Logout()   // nothing is awaited here, so the method need not be async
        {
            // Asks the Saml2 handler to run its sign-out (federated logout) and land on /logout afterwards.
            return SignOut(new AuthenticationProperties()
            {
                RedirectUri = "/logout"
            },
            Saml2Defaults.Scheme);
        }


SignIn works fine. I even tried this same approach, but it does not work. Here, the ReturnUrl method gets the location from HttpContext.Response.Header. When I try this for the logout, the location is always null.

        [AllowAnonymous]
        [HttpGet]
        [Route("api/login")]
        public async Task<string> LoginAdfs()
        {
            string redirectUri = _appSettings.Saml.SpEntityId;

            // Challenge the default (Saml2) scheme; the handler writes the redirect to the IdP
            // into the response's Location header.
            await HttpContext.ChallengeAsync(new AuthenticationProperties
            {
                RedirectUri = string.Concat(redirectUri, "/autenticado")
            });
            // ReturnUrl() is the poster's helper that reads that Location header back out.
            return ReturnUrl();
        }

Any ideas?


UPDATE 21/11/2019


Turns out the Saml2Handler is simply not trying to send the request to the server. I'm getting these messages in my output window:

Sustainsys.Saml2.AspNetCore2.Saml2Handler: Debug: Initiating logout, checking requirements for federated logout
  Issuer of LogoutNameIdentifier claim (should be Idp entity id): 
  Issuer is a known Idp: False
  Session index claim (should have a value): 
  Idp has SingleLogoutServiceUrl: 
  There is a signingCertificate in SPOptions: True
  Idp configured to DisableOutboundLogoutRequests (should be false): 
Sustainsys.Saml2.AspNetCore2.Saml2Handler: Information: Federated logout not possible, redirecting to post-logout


Here is my Startup configuration; I don't see what is wrong here:

            // SP signing certificate (used to sign LogoutRequests, among other things).
            ServiceCertificate se = new ServiceCertificate()
            {
                Certificate = new X509Certificate2(SpCert, "", X509KeyStorageFlags.MachineKeySet),
                Use = CertificateUse.Signing
            };

            SPOptions sp = new SPOptions
            {
                AuthenticateRequestSigningBehavior = SigningBehavior.Never,
                EntityId = new EntityId(SpEntityId),
                // A relative path must be created with UriKind.Relative, otherwise new Uri() throws.
                ReturnUrl = new Uri("/login", UriKind.Relative),
                NameIdPolicy = new Sustainsys.Saml2.Saml2P.Saml2NameIdPolicy(null, Sustainsys.Saml2.Saml2P.NameIdFormat.Unspecified),
            };
            sp.ServiceCertificates.Add(se);

            IdentityProvider idp = new IdentityProvider(new EntityId(appSettings.Saml.EntityId), sp);
            idp.Binding = Saml2BindingType.HttpPost;
            idp.AllowUnsolicitedAuthnResponse = true;
            //idp.WantAuthnRequestsSigned = true;
            idp.SingleSignOnServiceUrl = new Uri("/login", UriKind.Relative);
            //idp.LoadMetadata = true;
            idp.SigningKeys.AddConfiguredKey(new X509Certificate2(IdpCert));
            idp.MetadataLocation = theMetadata;
            // Setting this to true tells the library never to send a LogoutRequest to this IdP.
            idp.DisableOutboundLogoutRequests = true;

Answer


For the logout to work, two special claims, "LogoutNameIdentifier" and "SessionIndex" (full names are http://Sustainsys.se/Saml2/LogoutNameIdentifier and http://Sustainsys.se/Saml2/SessionIndex), need to be present on the user. Those carry information about the current session that the Saml2 library needs to be able to do a logout.


Now, I don't see your entire Startup, so I cannot understand your application's flow. But those claims should be present in the identity returned by the library, possibly stored in an External cookie (if you are using ASP.NET Identity). When your application then sets the application cookie, those two claims must be carried over to the session identity.


Also, you have actually disabled outbound logout with DisableOutboundLogoutRequests. But that's not the main problem here, as your log indicates that the required claims are not present.
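The following is an added example, not code from the question, the answer, or the Sustainsys project, showing one way to do what the answer describes: let Saml2 sign into a separate "External" cookie, copy the two session claims (with their Issuer intact, since the handler's log checks that the issuer is a known IdP) into the application cookie, and sign out of both schemes. It also leaves DisableOutboundLogoutRequests at its default and loads the IdP metadata, because the log in the question shows the IdP had no SingleLogoutServiceUrl either, which would block the federated logout just the same. The scheme name "External", the route names, the callback path and the exact Sustainsys namespaces are assumptions.

```csharp
// Added example (not from the original post or from Sustainsys): carry the two Saml2 session
// claims from the external identity into the application cookie so that SignOut can build a
// federated LogoutRequest. "External", the routes and the namespaces are assumptions.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;

public static class SamlAuth
{
    // Full claim type names as quoted in the answer.
    public const string LogoutNameIdentifier = "http://Sustainsys.se/Saml2/LogoutNameIdentifier";
    public const string SessionIndex = "http://Sustainsys.se/Saml2/SessionIndex";

    // Assumed scheme names: the application session cookie, and a short-lived external
    // cookie that the Saml2 handler signs into (its SignInScheme).
    public const string AppScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    public const string ExternalScheme = "External";

    // Called from Startup.ConfigureServices; sp is an SPOptions built as in the question.
    public static void Configure(IServiceCollection services, SPOptions sp,
                                 string idpEntityId, string idpMetadataUrl)
    {
        services.AddAuthentication(AppScheme)
            .AddCookie(AppScheme)
            .AddCookie(ExternalScheme)
            .AddSaml2(opt =>
            {
                opt.SignInScheme = ExternalScheme;
                opt.SPOptions = sp;
                var idp = new IdentityProvider(new EntityId(idpEntityId), sp)
                {
                    MetadataLocation = idpMetadataUrl,
                    // Pull SingleLogoutServiceUrl and signing keys from metadata; the
                    // question's log shows the IdP had no SingleLogoutServiceUrl configured.
                    LoadMetadata = true,
                    // Default value, unlike the question's config which set it to true.
                    DisableOutboundLogoutRequests = false,
                };
                opt.IdentityProviders.Add(idp);
            });
    }

    // Build the application identity from the external one, keeping the two Saml2 session
    // claims together with their Issuer/OriginalIssuer (the handler checks that the issuer
    // of LogoutNameIdentifier is a known IdP entity id).
    public static ClaimsIdentity ToAppIdentity(ClaimsPrincipal external)
    {
        var id = new ClaimsIdentity(AppScheme, ClaimTypes.Name, ClaimTypes.Role);
        foreach (var c in external.Claims)
        {
            bool keep = c.Type == ClaimTypes.NameIdentifier || c.Type == ClaimTypes.Name
                     || c.Type == LogoutNameIdentifier || c.Type == SessionIndex;
            if (keep)
                id.AddClaim(new Claim(c.Type, c.Value, c.ValueType, c.Issuer, c.OriginalIssuer));
        }
        return id;
    }
}

public class AccountController : Controller
{
    [AllowAnonymous, HttpGet("api/login")]
    public IActionResult Login() =>
        Challenge(new AuthenticationProperties { RedirectUri = "/api/login/callback" },
                  Saml2Defaults.Scheme);

    [AllowAnonymous, HttpGet("api/login/callback")]
    public async Task<IActionResult> Callback()
    {
        // The Saml2 handler has signed the IdP-issued identity into the external cookie.
        var ext = await HttpContext.AuthenticateAsync(SamlAuth.ExternalScheme);
        if (!ext.Succeeded) return Unauthorized();

        var principal = new ClaimsPrincipal(SamlAuth.ToAppIdentity(ext.Principal));
        await HttpContext.SignInAsync(SamlAuth.AppScheme, principal);
        await HttpContext.SignOutAsync(SamlAuth.ExternalScheme); // external cookie no longer needed
        return LocalRedirect("/autenticado");
    }

    [Authorize, HttpGet("api/logout")]
    public IActionResult Logout() =>
        // Clears the app cookie, then lets Saml2Handler send the LogoutRequest to the IdP
        // (possible only because User now carries the two claims) and land on /logout.
        SignOut(new AuthenticationProperties { RedirectUri = "/logout" },
                SamlAuth.AppScheme, Saml2Defaults.Scheme);
}
```

The Saml2 handler inspects the claims of the current user when it handles the sign-out, so the logout endpoint must run under the application cookie (hence [Authorize]); if the two claims were dropped when the application cookie was issued, you get exactly the "Federated logout not possible, redirecting to post-logout" line from the question.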
