How can I keep my identity server session in sync with an external identity provider? - asp.net-core

I am using IdentityServer4 to provide SSO and SLO to several web apps. The user may sign in to the identity server through an external OIDC provider such as Azure AD. The external provider, identity server, and web apps are all configured to use persistent sessions that last for weeks or months at a time.
This setup works fine and the user can sign in as expected. The issue is I have a requirement for all sessions to stay in sync, so when the external provider session expires, the expiration propagates to my identity server and then to my web apps.
This requirement is to ensure that none of the sessions further down the chain outlive their provider's session which would break SLO functionality. For example if my identity server session outlives the Azure AD session it depends on, the user can sign into Azure AD again, but will not be able to SLO from my identity server and web apps through Azure AD since the Azure AD session has changed, and my identity server depends on the now-expired Azure AD session.
I am able to enforce this requirement between my identity server and web apps using a check_session iframe and passive authentication requests with prompt=none. But I cannot figure out how to enforce a similar type of requirement between an external provider and my identity server in a way that will both end my identity server session and notify my web apps.
How can I keep my identity server session in sync with an external identity provider? If this is not possible, what is a correct approach to ensuring SSO and SLO sessions do not get out of sync between the external provider, identity server, and web apps?

The solution for this is federated sign-out.
Federated sign-out is the situation where a user has used an external identity provider to log into IdentityServer, and then the user logs out of that external identity provider via a workflow unknown to IdentityServer. When the user signs out, it will be useful for IdentityServer to be notified so that it can sign the user out of IdentityServer and all of the applications that use IdentityServer.
To implement it, you need to set RemoteSignOutPath when adding Azure AD as the external IdP.
services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        options.ClientId = "<Your Application (client) ID>";
        options.Authority = "https://login.windows.net/<Directory (tenant) ID>";
        // Where Azure AD returns the user after login.
        options.CallbackPath = "/signin-aad";
        // Where Azure AD returns the user after a sign-out initiated by IdentityServer.
        options.SignedOutCallbackPath = "/signout-callback-aad";
        // Front-channel logout URL: Azure AD requests this path (in a hidden iframe)
        // when the user signs out at Azure AD, so IdentityServer learns about it.
        options.RemoteSignOutPath = "/signout-aad";
    });
Here is a nice blog explaining it with IdentityServer4 (the reference blogs at the bottom are very useful too).
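Two details decide whether the RemoteSignOutPath above actually ends the IdentityServer session and whether a forged notification can end it. The remote sign-out has to clear IdentityServer's main cookie (the temporary external cookie is already gone by then), and the local session needs a copy of the external sid claim, because the OpenID Connect handler only compares the sid in the incoming notification against the signed-in principal when both sides carry one. The following is an added example written for this page, not code from the answer, the linked blog or the IdentityServer4 project; the scheme name, paths, v2.0 authority and method names are assumptions, and the session-copying helper mirrors what the IdentityServer4 quickstart does in its external login callback. Note that this mechanism fires when the user actively signs out at Azure AD; a session that merely expires sends no notification, so it covers SLO rather than idle-timeout synchronisation.

```csharp
// Added example, not code from the answer, the blog or IdentityServer4 itself.
// Scheme name, paths, authority and helper names are assumptions for illustration.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;                                      // JwtClaimTypes
using IdentityServer4;                                    // IdentityServerConstants
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class AzureAdFederatedSignOut
{
    public const string Scheme = "aad";   // assumed scheme name

    public static AuthenticationBuilder AddAzureAdWithFederatedSignOut(
        this AuthenticationBuilder builder, string clientId, string tenantId)
    {
        return builder.AddOpenIdConnect(Scheme, "Azure AD", options =>
        {
            options.ClientId = clientId;
            // Assumed v2.0 authority; the answer above uses login.windows.net instead.
            options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
            options.ResponseType = "code";
            options.CallbackPath = "/signin-aad";
            options.SignedOutCallbackPath = "/signout-callback-aad";

            // External login results land in IdentityServer's temporary external cookie;
            // the login callback turns them into the real IdentityServer session.
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

            // A remote sign-out must clear the *main* IdentityServer cookie. With this set,
            // the SignOutAsync triggered by the notification is seen by IdentityServer4,
            // which then renders the front-channel sign-out iframes for the clients in
            // the session, i.e. the logout propagates down the chain.
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;

            // Keep the id_token so IdentityServer can send id_token_hint when it signs
            // the user out of Azure AD, and so the helper below can store it.
            options.SaveTokens = true;

            // Azure AD loads this URL in a hidden iframe when the user signs out there,
            // passing sid and iss as query parameters.
            options.RemoteSignOutPath = "/signout-aad";

            options.Events.OnRemoteSignOut = ctx =>
            {
                // The handler compares the request's sid with the sid claim on the
                // signed-in principal only when both are present. Refusing requests
                // without any sid stops an anonymous GET /signout-aad from logging the
                // user out (logout CSRF / denial of service).
                if (string.IsNullOrEmpty(ctx.ProtocolMessage?.Sid))
                {
                    ctx.Response.StatusCode = 400;
                    ctx.HandleResponse();
                }
                return Task.CompletedTask;
            };
        });
    }

    // Call this from the external-login callback when building the local
    // IdentityServer session from the Azure AD result. Copying sid gives the
    // remote sign-out check something to match against; storing id_token gives
    // the outbound end_session request its id_token_hint.
    public static void CopyExternalSessionState(AuthenticateResult externalResult,
        List<Claim> localClaims, AuthenticationProperties localSignInProps)
    {
        var sid = externalResult.Principal.FindFirst(JwtClaimTypes.SessionId);   // "sid"
        if (sid != null)
        {
            localClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value));
        }

        var idToken = externalResult.Properties.GetTokenValue("id_token");
        if (idToken != null)
        {
            localSignInProps.StoreTokens(new[]
            {
                new AuthenticationToken { Name = "id_token", Value = idToken }
            });
        }
    }
}
```

Register the handler with `services.AddAuthentication().AddAzureAdWithFederatedSignOut(clientId, tenantId)` and pass the claims list and sign-in properties you build in the external login callback through `CopyExternalSessionState` before calling SignInAsync on the IdentityServer scheme. A quick check that the protection is in place: with a user signed in, an unauthenticated GET to /signout-aad without a sid (or with a wrong one) must leave the IdentityServer session intact, and only the notification carrying the matching sid should end it.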

Related

Custom OIDC login page - host on identity server or client application server?

Most IDAM servers (Identity Server 4, Gluu, cloud services) provide a way to host a login UI on the actual identity server. This login page can be customized so that it can be branded like your website. This works well for security flows, so when you reach an authorization endpoint you are redirected to your identityserver/login page.
But can you host the login page on the client application instead?
And if so:
Is this advisable?
Is this more/less secure than hosting the login UI on the Identity Server?
Would this break security flow standards like the OIDC / OAuth 2.0 authorization code flow?
Would this simply call an API to authenticate against, e.g. one that is hosted on the identity server? Some appear to support this, but this seems a bit old / insecure compared to existing security flows.
Thanks.
Not really: the point of (federated) Single Sign-On (SSO) is that one can use a single credential to log in across different domains without divulging that credential to every domain/application.
Users use those credentials in one place, against one server only, with a trusted party, a.k.a. the Identity Provider. The Identity Provider then creates a derived token that is consumed by the third-party application because the latter trusts the former to do so.
In case all applications belong to the same domain as the Identity Provider, the argument above no longer holds, but not using SSO would still mean that you'd have to log in to each application separately, one by one.

Multitenant webform application

I have a webforms app running on .net 4.7.2, currently being hosted on Azure as a SaaS. It is a single software for multiple clients, each one with its own database.
Currently the user authentication is manually handled by us, but we are trying to implement a multi-tenant strategy using the Azure AD and OWIN tools.
The app service has an Identity Provider configured, from a test AAD. We can log in with the provided credentials, but I can only configure a single Microsoft identity provider.
I'm not sure where to go from here... After hours reading the multiple docs from Microsoft, I'm still stuck.
By default, web app/API registrations in Azure AD are single-tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory, so that people from other Azure AD tenants can log in.
multi-tenant SaaS web application sample
If you want to use other identity providers, you can federate with IdPs that use the SAML protocol. SAML/WS-Fed IdP federation allows external users to redeem invitations from you by signing into your apps with their existing social or enterprise accounts. Federation with SAML/WS-Fed identity providers
There is also Azure AD B2C: Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
Reference Docs:
Sign in any Azure Active Directory user using the multi-tenant application pattern
Azure Active Directory B2C

IdentityServer4 w/ Vue SPA - Silent Renew to External OIDC Provider

I have an Asp.Net Core IdentityServer4 instance securing an API that is fronted by a Vue.js SPA (using oidc-client). The IS4 server is set up to manage "local" accounts itself for my company's users, but we also have an external OIDC provider set up for a trusted partner that allows their users to access our site using their single sign-on server (OIDC identity server). The partner's portal has a link to our app, so if they are already authenticated by their own OIDC server, then no additional login prompt is displayed.
Overall, this process works. I can login "locally" (an account that is only on our identity server), or use the external OIDC provider that authenticates the user and goes through the auto-provisioning on our local IS4 server. The Vue app has its tokens and silent refresh is enabled, which keeps the user's credentials updated against our IS4 server.
However, if a user from our partner comes to our app, spends some time there, and then returns to their own portal via a link on our site, it's likely that their access will have timed out and they see their own SSO login again. This is because the silent refresh on our site is only refreshing our local IdentityServer4 credentials.
Is it possible to somehow maintain BOTH "sessions" while the partner user is on our site? Silently refreshing both our IS4 token and their OIDC SSO credentials?

Azure B2C as external identity provider for Thinktecture Identity Server

I have a setup consisting of my relying party app -> Thinktecture identity server -> Azure AD B2C. This is working as expected for login and signup using a signin or signup policy. The issue I am running into is that the password reset link on the Azure B2C page is sending the user back to my Thinktecture identity server, instead of to Azure B2C where it should go. Has anyone encountered this and found a solution? I am also unable to submit a profile edit policy request to Azure B2C through Thinktecture identity server. My Thinktecture identity server instance just sees that the user is logged in and returns them directly back to my relying party.
So my questions are this...
How do I get the password reset functionality working correctly from Azure B2C?
How can I handle profile edit requests from my relying party and pass them in appropriately in Thinktecture identity server?
It was suggested that I use acr_values, but I don't see how that is going to help. Any suggestions/ideas would be helpful as I seem to have run up against a brick wall here.

How do I pass to service provider which identity provider was chosen by user for authentication?

We intend to support multiple identity providers (Google, Facebook, Yahoo, LDAP, ADFS) for user authentication using WSO2 Identity Server. We have a requirement that the Service Provider (SP) know which identity provider was chosen by the user for authentication. The SP and WSO2 IS use SAML.
Is it possible to have some parameter (configured per identity provider) to be returned by WSO2 to SP (either as claims or query parameter) on successful authentication or every time WSO2 IS redirects user to SP Assertion Consumer URLs?
You can set it in the Service Provider -> Local & Outbound Authentication Configuration. Select option "Always send back the authenticated list of identity providers".