Logging out of the manager part using ADFS


I have implemented ADFS login in both the CMS and the manager Startup.cs Configuration method (this is shortened for simplicity):

public void Configuration(IAppBuilder app)
{
    // Shortened: url, logoutUrl, postLoginRedirectUri and postLogoutRedirectUri are configured elsewhere.
    using (var applicationOptions = new ApplicationOptions
    {
        ConnectionStringName = _connectionStringHandler.Commerce.Name
    })
    {
        app.AddCmsAspNetIdentity(applicationOptions);
    }

    // Sign-ins produced by the OpenID Connect middleware are persisted by the cookie middleware.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        // client specific code here
        // ........
    });

    app.UseStageMarker(PipelineStage.Authenticate);

    // Login endpoint: challenge ADFS when anonymous, otherwise send the user to the post-login page.
    app.Map(url, map => map.Run(ctx =>
    {
        if (ctx.Authentication.User?.Identity == null || !ctx.Authentication.User.Identity.IsAuthenticated)
        {
            ctx.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return Task.Delay(0);
        }

        var redirectTo = new Uri(postLoginRedirectUri).AbsoluteUri;

        return Task.Run(() => ctx.Response.Redirect(redirectTo));
    }));

    // Logout endpoint: only the local cookie session is signed out here.
    app.Map(logoutUrl, map =>
    {
        map.Run(ctx =>
        {
            ctx.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);

            return Task.Run(() => ctx.Response.Redirect(new Uri(postLogoutRedirectUri).AbsoluteUri));
        });
    });

    AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
}



Logging into the CMS part ensures that the user is logged into the manager part as well.

Logging out from the manager part using the top left Sign out link results in an error with the following message:

"OpenIdConnectMessage.Error was not null, indicating an error. Error: 'server_error'. Error_Description (may be empty): 'MSIS9604%3a+An+error+occurred.+The+authorization+server+was+not+able+to+fulfill+the+request.'. Error_Uri (may be empty): ''."

I have put /Apps/Shell/Pages/Logout.aspx as the logout endpoint, but I see now that it is just the resulting page after logging out. The Sign out link has # as the value of its href attribute.

I couldn't figure out what URL should be provided to the IT team that is responsible for setting up the ADFS to function properly. 

#189200
Mar 13, 2018 13:33

Anyone? I am guessing that logging out of the manager part is done in JS. Is that correct? If so, what URL is the one that handles the actual logging out?

#189283
Mar 14, 2018 14:28

Not sure if I'm of any help here, but if you visit <cm-root-location>/Apps/Shell/Pages/logout.aspx you get logged out of your session.

When you click the logout link from inside CM there is some JavaScript that redirects you to that page. The code-behind file for logout.aspx does

FormsAuthentication.SignOut();

If you want to investigate further the .xml-file that configures the logout button can be found under "~/Apps/Shell/Config/View/TopMenu.xml". There you'll see the <button>-tag for id="SignOutBtn" that is configured to run the command "ECF_Top_SignOut".

ECF_Top_SignOut is specified in the same file and is configured with a <ClientScript>-tag that does "CSManagementClient.OpenInternal('~/logout.aspx')".

#189369
Mar 16, 2018 13:04

There are actually two approaches to achieve this, if not more.

The first one is to add this piece of code to the Startup.cs:

// Requires: using System.Security.Principal;
app.Map(logoutUrl, map =>
{
    map.Run(ctx =>
    {
        ctx.Authentication.SignOut();
        // Replace the current principal with an empty, unauthenticated identity for the rest of this request.
        ctx.Authentication.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
        return Task.FromResult(0);
    });
});

Note: the line after signing out actually did the trick for me.

The second one is that the IT department responsible for actually setting up ADFS has to run the PowerShell script to handle the logout URL used for both the CMS and the Commerce part. In this way ADFS would be responsible for stripping the user of all the claims. This is a better way of solving this in my opinion.

#190176
Apr 04, 2018 9:40

Here is some info on ADFS and how to do an OIDC logout; it should be just a matter of adding a hint parameter when redirecting to the IdP and then listening on the logout endpoints in each connected application.

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-fs/development/ad-fs-logout-openid-connect.md

But then again, the issue here was that Epi has buried some calls inside JS? It can also be a bit confusing that the OWIN layer intercepts and might return a status that the JS might not be ready for. That should be easy to emulate though.

#190324
Apr 09, 2018 14:39
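The third reply's cookie-only sign-out and the last reply's hint parameter fit together: the logout endpoint in the first post ends only the local cookie session, while ADFS needs an id_token_hint to end its own. The following is an added example, not code from this thread or from Episerver, of a federated logout with the Katana OpenID Connect middleware; it assumes Microsoft.Owin.Security.OpenIdConnect 4.x (in 3.x the enum member is named OpenIdConnectRequestType.LogoutRequest), and LogoutPath and PostLogoutRedirectUri are placeholder values.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder values (assumption); take them from your own configuration.
    private const string LogoutPath = "/logout";
    private const string PostLogoutRedirectUri = "https://example.com/";

    // Call this on the options object before passing it to app.UseOpenIdConnectAuthentication(oidc).
    // Note: it replaces any Notifications already set on the options.
    public static void ConfigureFederatedLogout(IAppBuilder app, OpenIdConnectAuthenticationOptions oidc)
    {
        // Where ADFS sends the browser after its own session has been ended.
        oidc.PostLogoutRedirectUri = PostLogoutRedirectUri;

        oidc.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // At sign-in, keep the raw id_token as a claim so it can be replayed later as id_token_hint.
            SecurityTokenValidated = n =>
            {
                n.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
                return Task.FromResult(0);
            },
            // When the middleware builds the end-session request, attach the hint ADFS expects.
            RedirectToIdentityProvider = n =>
            {
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                {
                    var idToken = n.OwinContext.Authentication.User?.FindFirst("id_token")?.Value;
                    if (!string.IsNullOrEmpty(idToken))
                        n.ProtocolMessage.IdTokenHint = idToken;
                }
                return Task.FromResult(0);
            }
        };

        app.Map(LogoutPath, map => map.Run(ctx =>
        {
            // Sign out of BOTH handlers: clearing only the cookie leaves the ADFS session alive,
            // so the next request to a protected URL would silently sign the user back in.
            ctx.Authentication.SignOut(
                CookieAuthenticationDefaults.AuthenticationType,
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return Task.FromResult(0);
        }));
    }
}
```

The second half of the picture, the logout URL the IT team registers on the ADFS side as the third reply describes, is still needed so that ADFS can notify each connected application when it ends the session.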