SAML logout request is not sending cookies to IdP

Problem description

We are trying to implement SAML logout from a Service Provider/Relying Party to an IdP (in this case, AD FS 3.0). Our logout is not invalidating the session in AD FS. We have narrowed down that the ADFS auth cookies are not being sent in the HTTPS request for some reason, though we have no idea why. This is using HTTPS redirects for the SAML flow.

We have tried to get the request headers the same as the subsequent logon requests which successfully send the cookies, but to no avail.

I have a Fiddler trace that captured multiple logout attempts (and the automatic logins in between). This is in an isolated lab network with dummy data.

Fiddler trace

Any ideas what we could try to get those cookies sent to the AD FS server on the logout request?

Recommended answer

The answer, as found by a colleague, was that the redirect request was an XHR request since it started in JavaScript and was not a ‘normal’ browser redirect. Cookies are only allowed to be included on cross-domain XHR requests if the destination server allows the requester access. So, the fix involved terminating the chain of redirects on the XHR request and doing a normal browser redirect. This allowed the browser to send cookies along with the redirect request to the new site.
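One way to apply the fix described in the answer, as an added example that is not code from the original post: the script asks the SP for the logout URL, checks it, and then hands it to a normal top-level navigation instead of letting the XHR follow the redirect. The `/saml/logout` endpoint, its JSON shape `{"redirectUrl": ...}`, and the origin `https://adfs.example.test` are assumptions made for illustration.

```javascript
// Added example. Assumptions (not from the original post): the SP exposes
// POST /saml/logout, which answers script callers with 200 and JSON
// {"redirectUrl": "<IdP URL carrying the SAMLRequest>"} instead of a 302.
const IDP_ORIGIN = "https://adfs.example.test"; // placeholder IdP origin

// Validate the URL returned by the SP before navigating to it, so the
// logout flow cannot be turned into a redirect to an arbitrary site.
function resolveLogoutNavigation(body, idpOrigin) {
  if (!body || typeof body.redirectUrl !== "string") {
    throw new Error("SP response carries no redirectUrl");
  }
  let url;
  try {
    url = new URL(body.redirectUrl); // throws on relative or malformed input
  } catch {
    throw new Error("redirectUrl is not an absolute URL");
  }
  if (url.origin !== idpOrigin) {
    throw new Error("redirectUrl does not point at the expected IdP");
  }
  if (!url.searchParams.has("SAMLRequest")) {
    throw new Error("redirectUrl has no SAMLRequest parameter");
  }
  return url.href;
}

// The XHR/fetch ends at the SP. The IdP is reached by a top-level
// navigation, which is the 'normal' browser redirect the answer refers to.
async function startSamlLogout(fetchImpl, navigate, idpOrigin = IDP_ORIGIN) {
  const res = await fetchImpl("/saml/logout", {
    method: "POST",
    credentials: "same-origin",
    headers: { Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`SP logout failed: HTTP ${res.status}`);
  navigate(resolveLogoutNavigation(await res.json(), idpOrigin));
}

// Browser wiring:
// startSamlLogout(fetch.bind(window), (u) => window.location.assign(u));
```
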
