
Single Sign Out with ADFS and STS

We currently have problems with Single Sign Out with ADFS 2.0 and an external IP-STS. Our setup is that:

    RP1 <-- trust --> ADFS 2.0 <-- trust --> Custom IP-STS
    RP2 <-- trust --> ADFS 2.0 <-- trust --> Custom IP-STS

The Single Sign On part works very well: if users have already logged on using the Custom IP-STS to access RP1, thereafter they can access RP2 in the same browser session without having to log on again.

However, the problem comes in the sign-out process. When users sign out from RP1, by using Fiddler we can see that:

  1. Sign out request (wsignout1.0) is sent to ADFS
  2. ADFS transfers the sign out request to the Custom IP-STS
  3. Custom IP-STS processes the sign out action properly, and then returns back to ADFS
  4. ADFS does return back to (signed out) RP1
  5. RP1 is no longer authenticated, so of course the user is prompted to log in again (CORRECT)
  6. HERE IS THE PROBLEM: RP2 is still able to work without any problem (with the previous claim set). And ADFS does not send any wsignoutcleanup1.0 action to RP2.

I assume that ADFS should do sign out for all RPs having the same session, but it doesn't. Am I wrong? Or am I missing some kind of configuration here?

Of course we have the option to explicitly send the wsignoutcleanup1.0 action to the RPs from the Custom IP-STS, but we would need to parse the "wctx" in order to get the original RP Url, which I don't want to do. I also tried to send the wsignoutcleanup1.0 action back to ADFS from the Custom IP-STS (step 3), but it didn't help either.

My guess is that you are not returning iframes with wsignoutcleanup but rather images. Thus, adfs does not return nested iframes; in other words it doesn't escalate signout properly.

A correct sequence is:

  1. application sends the signout request to adfs
  2. adfs escalates the request to the external sts
  3. sts returns a sequence of iframes pointing to authenticated applications (adfs in this case) with wsignoutcleanup
  4. adfs returns a nested iframe with wsignoutcleanup to all authenticated apps, including rp1 and rp2
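The cascade described in the answer, as an added example that is not part of the original question or answer: each token issuer (the custom IP-STS, and ADFS below it) keeps a per-browser-session record of every relying party it issued a token to, and answers a `wsignout1.0` or `wsignoutcleanup1.0` request with an HTML page of hidden `<iframe>` elements, one per RP, each loading that RP's `wsignoutcleanup1.0` endpoint. Because an iframe is a full page load, ADFS can answer its own frame with nested frames for RP1 and RP2, which an `<img>` request could not do. The `FederationServer` class, the hostnames and the session id are constructed for this example; the simulation skips the RP1 -> ADFS -> STS forwarding hop and starts at the STS response.

```python
"""Added example (not from the original question or answer): WS-Federation
sign-out fan-out modelled with per-session RP records and iframe pages."""
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlsplit

WA_SIGNOUT = "wsignout1.0"
WA_CLEANUP = "wsignoutcleanup1.0"


def cleanup_url(rp_endpoint):
    """Append wa=wsignoutcleanup1.0 to an RP's federation endpoint."""
    parts = urlsplit(rp_endpoint)
    query = parse_qs(parts.query)
    query["wa"] = [WA_CLEANUP]
    return parts._replace(query=urlencode(query, doseq=True)).geturl()


def render_cleanup_page(issuer, rps, wreply=None):
    """One hidden <iframe> per RP. An <img> would not work here: an image
    request cannot carry a nested HTML response, so a downstream issuer such
    as ADFS could not cascade the clean-up to its own RPs."""
    frames = "\n".join(
        f'<iframe src="{escape(cleanup_url(rp), quote=True)}" '
        'style="visibility:hidden;width:0;height:0"></iframe>'
        for rp in rps
    )
    back = (f'<a href="{escape(wreply, quote=True)}">Return to application</a>'
            if wreply else "")
    return (f"<html><head><title>{escape(issuer)} sign-out</title></head>"
            f"<body>{frames}{back}</body></html>")


def cleanup_targets(body):
    """Extract the iframe src values from a rendered page (for inspection)."""
    return [unescape(m) for m in re.findall(r'<iframe src="([^"]+)"', body)]


class FederationServer:
    """One token issuer (custom IP-STS or ADFS); hypothetical, constructed."""

    def __init__(self, name):
        self.name = name
        self._issued = {}  # session_id -> {rp_endpoint: None} (ordered set)

    def record_token_issued(self, session_id, rp_endpoint):
        """Call on every token issuance so sign-out can fan out later; this is
        the record the question's RP2 is missing from."""
        self._issued.setdefault(session_id, {})[rp_endpoint] = None

    def handle_signout(self, session_id, query_string):
        """Respond to ?wa=wsignout1.0 or ?wa=wsignoutcleanup1.0 with
        (status, body). The session record is popped so a replayed request
        cannot re-trigger fan-out with stale endpoints."""
        params = parse_qs(query_string)
        wa = params.get("wa", [None])[0]
        if wa not in (WA_SIGNOUT, WA_CLEANUP):
            return 400, "unsupported wa"
        rps = list(self._issued.pop(session_id, {}))
        # Honour wreply only if it points at an RP this session actually used;
        # otherwise the sign-out page becomes an open redirector. A real
        # implementation compares against the RP's registered origin.
        wreply = params.get("wreply", [None])[0]
        if wreply and not any(wreply.startswith(rp.split("?", 1)[0]) for rp in rps):
            wreply = None
        return 200, render_cleanup_page(self.name, rps, wreply)


def simulate_signout():
    """Walk the question's topology through one sign-out started at RP1.
    Returns the cleanup targets emitted by the STS and then by ADFS."""
    sts = FederationServer("Custom IP-STS")
    adfs = FederationServer("ADFS 2.0")
    session = "sess-1"  # constructed browser session shared along the chain
    adfs.record_token_issued(session, "https://rp1.example.test/")
    adfs.record_token_issued(session, "https://rp2.example.test/")
    sts.record_token_issued(session, "https://adfs.example.test/adfs/ls/")

    # Step 3 of the answer: the STS answers with a frame aimed at ADFS ...
    _, sts_page = sts.handle_signout(session, f"wa={WA_SIGNOUT}")
    # ... step 4: the browser loads that frame, and ADFS fans out to RP1, RP2.
    adfs_query = urlsplit(cleanup_targets(sts_page)[0]).query
    _, adfs_page = adfs.handle_signout(session, adfs_query)
    return cleanup_targets(sts_page), cleanup_targets(adfs_page)


if __name__ == "__main__":
    for page_targets in simulate_signout():
        print(page_targets)
```

Running the module prints the STS page's single ADFS target followed by ADFS's two targets, the second of which is the RP2 cleanup call that the question's Fiddler trace never shows.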

Sounds like the custom STS isn't sending the sign-out cleanup to ADFS.
