Signout not killing SF Session

7 posts, 0 answered
  1. George
    17 posts
    Registered:
    16 Jan 2014
    04 Dec 2014

    So I've got a site integrated with ADFS, and it's working great for sign in.  I can't figure out what to do with the signout URL.    My link is set to http://mysite/Sitefinity/SignOut?sts_signout=true and I've tried several different endpoints in the ADFS Relying Party configuration, nothing seems to be working.  Any thoughts on what I can do to implement a true signout?

    Thanks,
    George

  2. Dimitar
    19 posts
    Registered:
    17 Nov 2016
    05 Dec 2014
    Hi George,

    Actually the ADFS integration using Windows authentication in Sitefinity is an interesting thing. It works seamlessly for login because the authentication happens "behind the scenes" in several requests between the browser and the server without user interaction. So what happens when you click the logout button (calling the SignOut) - you have been signed out. For example if you have user information displayed somewhere on the page - it will show - Anonymous. But if you have a resource on the page which requires authentication you will again be logged in because of the automatic requests that happen behind the scenes.

    So if that's not ok for you - what do you expect? What is the desired behavior of the "true signout"?

    Regards,
    DimBo
    Telerik
     
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items
     
  3. George
    17 posts
    Registered:
    16 Jan 2014
    17 Dec 2014 in reply to Dimitar

    Hi DimBo,

     I want the users to no longer be able to access my restricted resources in the site.  That's the ultimate goal when they click logout, so that they can walk away and trust that no one is going to get into their items.

     George

  4. Dimitar
    19 posts
    Registered:
    17 Nov 2016
    22 Dec 2014
    Hi George,

    I understand your concerns. But as long as you use ADFS integration with Windows Authentication within your site (no matter if it is Sitefinity or some other) when it asks for authentication the ADFS will "tell" the application who the user is (automatically).

    So in order to prevent the automatic login you could configure only the LDAP provider in Sitefinity (without Windows Authentication). This way the users will be asked for their domain credentials in order to authenticate. And when they click logout they won't be logged in automatically next time. The benefit (compared with the default Sitefinity provider) is that you don't have to take care of the users and their usernames and passwords - they are automatically available when you use LDAP.

    The other option is to explain to your users what could be the consequences of leaving the computer unattended without locking it and to teach them to log off from the domain or lock the computer when they walk away. This is valid not only for sites but for any other application that uses the current user identity.

    And remember there is always a trade off between convenience and security and the decision is not so easy.

    Best Wishes,
    DimBo
    Telerik
     
     
  5. George
    17 posts
    Registered:
    16 Jan 2014
    23 Dec 2014 in reply to Dimitar

    I think I've not expressed myself properly, so let me go through this step by step.

     

    I have an instance of Sitefinity connected to my LDAP.

    I also have it connected to the SitefinitySTS that I am using for Claims based logins on the front end.

    I then have the SitefinitySTS using ADFS as its IdP.

     So the chain goes Sitefinity -> SitefinitySTS -> ADFS

    When a user first logs in, they are able to be bounced to the ADFS, authenticate and then be pushed back up the chain to Sitefinity.  When a user goes to log out, the local session is killed, until I click on another screen and then I am re-authenticated, because the signal to kill the ADFS session never made it all the way back to the ADFS server.  If I go into ADFS and logout, then click logout on my Sitefinity site, I am really logged out.

     Now I have an Endpoint Listener for ADFS to do a saml style logout.  I also have a piece of code in my SitefinitySTS that receives the SignOut link from the front end and passes it through, but something isn't happening right in that spot.  That's what I'm trying to repair.

     I am hoping I've elaborated this a bit better?

  6. George
    17 posts
    Registered:
    16 Jan 2014
    08 Jan 2015 in reply to George
    Any additional thoughts?
  7. Svetoslav Manchev
    735 posts
    Registered:
    07 Dec 2016
    13 Jan 2015
    Hi George,

    In order to achieve your needs you can add a custom logic in SitefinitySTS in order to call the ADFS signout.

    To do so you can try the following approach:
    - Create a custom widget (for example with link button) where on click to 
    - Call the SecurityManager.Logout();
    - Redirect to SitefinitySTS (http://<mysite.com>/Sitefinity/SignOut?sts_signout=true) - Authentication sign out API and add query string parameter that will be handled on the next step
    - In the ProcessRequest() method (screenshot) add the logic to handle the above request and based on the additional query string to call the logout to your ADFS

    I hope the information above was useful.

    Regards,
    Svetoslav Manchev
    Telerik
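
One way to implement the steps in the last reply, as an added example (not Sitefinity or Telerik code, and not posted in the thread). It assumes the SitefinitySTS-to-ADFS leg uses WS-Federation passive sign-out (`wa=wsignout1.0`) and that ADFS is configured to honor `wreply`; `AdfsSignOut`, the `adfs_signout` and `return_url` parameters and both example hosts are hypothetical.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example; not Sitefinity or Telerik code. Hypothetical names:
// AdfsSignOut, the "adfs_signout" and "return_url" parameters, and both hosts.
public static class AdfsSignOut
{
    // Assumption: WS-Federation passive endpoint of the ADFS farm.
    private const string AdfsEndpoint = "https://adfs.example.com/adfs/ls/";
    private const string DefaultReturnUrl = "https://mysite.example.com/";
    private static readonly string[] AllowedReturnHosts = { "mysite.example.com" };

    // Returns the ADFS sign-out URL, or null when the request is an ordinary
    // STS sign-out that should not be forwarded to ADFS.
    public static string BuildRedirect(NameValueCollection query)
    {
        if (!IsTrue(query["sts_signout"]) || !IsTrue(query["adfs_signout"]))
            return null;

        // Only send the browser back to a host we own; otherwise the
        // sign-out link doubles as an open redirect.
        string requested = query["return_url"];
        string returnUrl = IsAllowed(requested) ? requested : DefaultReturnUrl;

        return AdfsEndpoint + "?wa=wsignout1.0&wreply=" + Uri.EscapeDataString(returnUrl);
    }

    private static bool IsTrue(string value)
    {
        return string.Equals(value, "true", StringComparison.OrdinalIgnoreCase);
    }

    private static bool IsAllowed(string candidate)
    {
        Uri uri;
        return Uri.TryCreate(candidate, UriKind.Absolute, out uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && Array.IndexOf(AllowedReturnHosts, uri.Host) >= 0;
    }

    // Call at the top of the STS handler's ProcessRequest(), after the local
    // session has been ended with SecurityManager.Logout().
    public static bool TryRedirect(HttpContext context)
    {
        string url = BuildRedirect(context.Request.QueryString);
        if (url == null) return false;
        context.Response.Redirect(url, false);   // avoids ThreadAbortException
        context.ApplicationInstance.CompleteRequest();
        return true;
    }
}
```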
     