ComponentSpace Forums

How to keep signin status?

lenoray (New Member)
Hello, I am new to SAML2. Sorry for my poor English.

I have three projects: idp, sp1, sp2.

When I start from sp1, it redirects to the idp and I log in, then it turns back; but when I redirect to sp2 or the idp, it doesn't auto sign-in and still requires an account and password at the idp.

Whichever of sp1 or sp2 is signed in, when I go to the other sites, I need to sign in again.

How do I solve this problem?

Thanks.
ComponentSpace Development (Administrators)
Is this all within the same browser session?
If you start at sp1 and successfully SSO, if you go back to the idp are you still logged in at the idp?
Typically the idp will maintain the authentication session through a cookie.
You might have to take a look in the browser dev tools to see that the cookie is being set and sent to the idp.

Regards
ComponentSpace Development
lenoray (New Member)
ComponentSpace - 2/22/2018
Is this all within the same browser session?
If you start at sp1 and successfully SSO, if you go back to the idp are you still logged in at the idp?
Typically the idp will maintain the authentication session through a cookie.
You might have to take a look in the browser dev tools to see that the cookie is being set and sent to the idp.


Hi, I tried many times, in the same browser session. I built a page with 3 links and 1 iframe.

If I click idp, I need to log in; once logged in, I click sp1 or sp2 and it can SSO, but then when I click idp or another sp, it needs login again.

If I click sp1 or sp2, it goes to the idp to log in and turns back, but then when I click idp or another sp, it needs login again.

It seems I can only be logged in at one site, and get logged out of the other sites automatically?

ComponentSpace Development (Administrators)
I think the issue here is that something is not quite right with the idp login.
If you click sp1, SSO to the idp (i.e. login at the idp and return to sp1 where you're logged in automatically), and then browse back to the idp you should still be logged in at the idp.
From what you said, you're already logged out of the idp.
Any subsequent SSO attempt will require another login at the idp.
Is the SSO handling at the idp somehow logging out the user locally at the idp?

Regards
ComponentSpace Development
lenoray (New Member)
ComponentSpace - 2/22/2018
I think the issue here is that something is not quite right with the idp login.
If you click sp1, SSO to the idp (ie login at idp and return to sp1 where you're logged in automatically), and then browse back to the idp you should still be logged in at the idp.
From what you said, you're already logged out of the idp.
Any subsequent SSO attempt will require another login at the idp.
Is the SSO handling at the idp somehow logging out the user locally at the idp?

I use most of the example, just using HttpContext.SignInAsync instead of SignInManager.
Here is my login page:

using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

public class LoginModel : PageModel
{
    private readonly ILogger<LoginModel> _logger;

    public LoginModel(ILogger<LoginModel> logger)
    {
        _logger = logger;
    }

    [BindProperty]
    public InputModel Input { get; set; }

    public string ReturnUrl { get; set; }

    [TempData]
    public string ErrorMessage { get; set; }

    public class InputModel
    {
        [Required]
        [DataType(DataType.Text)]
        public string Email { get; set; }

        [Required]
        [DataType(DataType.Password)]
        public string Password { get; set; }
    }

    //public async Task OnGetAsync(string returnUrl = null)
    //{
    //    if (!string.IsNullOrEmpty(ErrorMessage))
    //    {
    //        ModelState.AddModelError(string.Empty, ErrorMessage);
    //    }
    //    // Clear the existing external cookie
    //    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    //    ReturnUrl = returnUrl;
    //}

    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
    {
        ReturnUrl = returnUrl;
        if (ModelState.IsValid)
        {
            // Use Input.Email and Input.Password to authenticate the user
            // with your custom authentication logic. For demonstration
            // purposes, AuthenticateUser below accepts one hard-coded
            // account name and password.
            var user = await AuthenticateUser(Input.Email, Input.Password);
            if (user == null)
            {
                ModelState.AddModelError(string.Empty, "Invalid login attempt.");
                return Page();
            }

            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Name, user.Email),
                new Claim("FullName", user.FullName)
            };
            var claimsIdentity = new ClaimsIdentity(
                claims, CookieAuthenticationDefaults.AuthenticationScheme);
            var authProperties = new AuthenticationProperties
            {
                //AllowRefresh = <bool>,
                // Refreshing the authentication session should be allowed.

                ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(10),
                // The time at which the authentication ticket expires. A
                // value set here overrides the ExpireTimeSpan option of
                // CookieAuthenticationOptions set with AddCookie.

                IsPersistent = false,
                // Whether the authentication session is persisted across
                // multiple requests. Required when setting the
                // ExpireTimeSpan option of CookieAuthenticationOptions
                // set with AddCookie. Also required when setting
                // ExpiresUtc.

                //IssuedUtc = <DateTimeOffset>,
                // The time at which the authentication ticket was issued.

                //RedirectUri = <string>
                // The full path or absolute URI to be used as an http
                // redirect response value.
            };

            // Issue the authentication cookie for the "Cookies" scheme.
            await HttpContext.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme,
                new ClaimsPrincipal(claimsIdentity), authProperties);
            _logger.LogInformation($"User {user.Email} logged in at {DateTime.UtcNow}.");

            // GetLocalUrl is a helper extension from the ASP.NET Core cookie
            // authentication sample, not part of IUrlHelper; it falls back to
            // a local page when returnUrl is null or not local.
            return LocalRedirect(Url.GetLocalUrl(returnUrl));
        }

        // Something failed. Redisplay the form.
        return Page();
    }

    private async Task<ApplicationUser> AuthenticateUser(string accountname, string password)
    {
        // For demonstration purposes, accept a single hard-coded account
        // name and password. Assume that checking the database takes 500ms.
        await Task.Delay(500);
        if (accountname == "leno" && password == "1")
        {
            return new ApplicationUser()
            {
                Email = "leno",
                FullName = "lenoray"
            };
        }
        else
        {
            return null;
        }
    }
}

// ApplicationUser is referenced but not shown in the post; this minimal
// definition carries the two properties the code above uses.
public class ApplicationUser
{
    public string Email { get; set; }
    public string FullName { get; set; }
}

Here is my SamlController:

using System.Collections.Generic;
using System.Threading.Tasks;
using ComponentSpace.Saml2;             // ISamlIdentityProvider (ComponentSpace SAML for ASP.NET Core)
using ComponentSpace.Saml2.Assertions;  // SamlAttribute
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class SamlController : Controller
{
    private readonly ISamlIdentityProvider _samlIdentityProvider;
    //private readonly SignInManager<SSOAccount> _signInManager;

    public SamlController(ISamlIdentityProvider samlIdentityProvider)
    {
        _samlIdentityProvider = samlIdentityProvider;
        //_signInManager = signInManager;
    }

    public async Task<ActionResult> SingleSignOnService()
    {
        // Receive the authn request from the service provider (SP-initiated SSO).
        await _samlIdentityProvider.ReceiveSsoAsync();

        // If the user isn't logged in at the identity provider,
        // have the user login before completing SSO.
        return RedirectToAction("SingleSignOnServiceCompletion");
    }

    [Authorize]
    public async Task<ActionResult> SingleSignOnServiceCompletion()
    {
        // Get the name of the logged in user.
        var userName = User.Identity.Name;

        // For demonstration purposes, include some claims.
        var attributes = new List<SamlAttribute>()
        {
            //new SamlAttribute(ClaimTypes.GivenName, ((ClaimsIdentity)User.Identity).FindFirst(ClaimTypes.GivenName).Value),
            //new SamlAttribute(ClaimTypes.Surname, ((ClaimsIdentity)User.Identity).FindFirst(ClaimTypes.Surname).Value)
        };

        // The user is logged in at the identity provider.
        // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP.
        await _samlIdentityProvider.SendSsoAsync(userName, attributes);
        return new EmptyResult();
    }

    public async Task<ActionResult> SingleLogoutService()
    {
        // Receive the single logout request or response.
        // If a request is received then single logout is being initiated by a partner service provider.
        // If a response is received then this is in response to single logout having been initiated by the identity provider.
        var sloResult = await _samlIdentityProvider.ReceiveSloAsync();
        if (sloResult.IsResponse)
        {
            if (sloResult.HasCompleted)
            {
                // IdP-initiated SLO has completed.
                return RedirectToPage("/Index");
            }
        }
        else
        {
            // Logout locally.
            //await _signInManager.SignOutAsync();
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

            // Respond to the SP-initiated SLO request indicating successful logout.
            await _samlIdentityProvider.SendSloAsync();
        }
        return new EmptyResult();
    }
}


ComponentSpace Development (Administrators)
I don't think the issue is related to your SAML controller.
I suggest using the browser development tools to check whether an authentication cookie is being set when you login at the IdP.
What happens if you browse to the IdP, login and then browse to the IdP again? Does it prompt you to login again?



Regards
ComponentSpace Development
lenoray (New Member)
ComponentSpace - 2/22/2018
I don't think the issue is related to your SAML controller.
I suggest using the browser development tools to check whether an authentication cookie is being set when you login at the IdP.
What happens if you browse to the IdP, login and then browse to the IdP again? Does it prompt you to login again?


If I browse to the idp, log in, and retype the idp address, it remains logged in.

1. Type my idp address http://localhost:54762/Contact; it requires login.

2. After login, the cookie exists.

3. Retype the address: OK, the cookie exists.

4. Go to the sp address http://localhost:52156/Contact: SSO successful, the cookie exists.

5. Go to the idp http://localhost:54762/Contact: the cookie exists, but it needs login.



ComponentSpace Development (Administrators)
Have you tried using unique authentication cookie names for each of your applications?


services.ConfigureApplicationCookie(options =>
{
  options.Cookie.Name = "put your unique cookie name here";
});




Regards
ComponentSpace Development
lenoray (New Member)
ComponentSpace - 2/22/2018
Have you tried using unique authentication cookie names for each of your applications?


services.ConfigureApplicationCookie(options =>
{
  options.Cookie.Name = "put your unique cookie name here";
});



SP:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc()
        .AddRazorPagesOptions(options =>
        {
            options.Conventions.AuthorizeFolder("/");
        });
    #region snippet1
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(options =>
        {
            options.LoginPath = "/SSO/SingleSignOn";
            options.LogoutPath = "/SSO/Logout";
        }
    );
    #endregion
    services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.Name = "ExampleServiceProvider.Identity";
    });
    services.Configure<SamlConfigurations>(config => ConfigureSaml(config));
    services.AddSaml();
}

IDP:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc()
        .AddRazorPagesOptions(options =>
        {
            options.Conventions.AuthorizePage("/Contact");
        });
    #region snippet1
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie();
    #endregion
    services.ConfigureApplicationCookie(options =>
    {
        options.Cookie.Name = "ExampleIdentityProvider.Identity";
    });

    services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
    services.Configure<SamlConfigurations>(config => ConfigureSaml(config));
    services.AddSaml();
}


:crying:
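
Added editor's example, not code from the thread or from ComponentSpace: the cookie name set inside `AddCookie`, which is the scheme the two projects above actually register and sign in with. `services.ConfigureApplicationCookie` only configures the ASP.NET Core Identity application scheme, so with the configuration above both apps still issue the default `.AspNetCore.Cookies` name, and because both run on localhost and browsers scope cookies by host rather than by port, each sign-in overwrites the other's cookie. The cookie names in the usage comment are constructed placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (not from the thread). Registers cookie authentication with a
// per-application cookie name on the scheme the posted code signs in with
// (CookieAuthenticationDefaults.AuthenticationScheme, i.e. "Cookies").
// services.ConfigureApplicationCookie() only targets the ASP.NET Core Identity
// scheme "Identity.Application", which these projects do not use.
public static class CookieAuthSetup
{
    public static IServiceCollection AddNamedCookieAuthentication(
        this IServiceCollection services,
        string cookieName,
        string loginPath = null,
        string logoutPath = null)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // Both apps run on localhost and browsers key cookies by host,
                // not port, so only a distinct name keeps the IdP's and SP's
                // sessions from overwriting each other.
                options.Cookie.Name = cookieName;
                options.Cookie.HttpOnly = true;                          // not readable from script
                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
                options.SlidingExpiration = true;

                // Keep the library defaults (/Account/Login, /Account/Logout)
                // unless the caller supplies paths, as the SP does.
                if (loginPath != null) options.LoginPath = loginPath;
                if (logoutPath != null) options.LogoutPath = logoutPath;
            });
        return services;
    }
}

// Usage in each project's ConfigureServices (names are constructed placeholders):
//
//   IdP: services.AddNamedCookieAuthentication("ExampleIdentityProvider.Auth");
//   SP:  services.AddNamedCookieAuthentication("ExampleServiceProvider.Auth",
//            loginPath: "/SSO/SingleSignOn", logoutPath: "/SSO/Logout");
//
// Check in the browser dev tools: after signing in at both sites, two cookies
// with these names should exist for localhost. A single ".AspNetCore.Cookies"
// entry whose value changes on each sign-in is the symptom described above.
```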

lenoray (New Member)
ComponentSpace - 2/22/2018
Have you tried using unique authentication cookie names for each of your applications?


services.ConfigureApplicationCookie(options =>
{
  options.Cookie.Name = "put your unique cookie name here";
});



YES, only two sites now, each has a unique cookie name.
