Comments (11)

leastprivilege commented on May 29, 2024

It is not as easy as that. We also need to make sure the reply URL is legit. But I will open this as a todo.

from identityserver3.wsfederation.

janih78 commented on May 29, 2024

I posted a similar issue in the IdentityServer3 repo, which was obviously the wrong place for WS-Federation issues, so I'll continue the discussion here.

Any idea when this feature will be published?

chrisptree commented on May 29, 2024

Did you begin to code the solution for this issue? If not, I think implementing a property in RelyingParty that defines a pattern matching the wreply parameter would be a good idea. This is how JASIG CAS implements the OAuth2 serviceId string. Then, after the signout, you just redirect to the wreply URL if it matches the reply URL pattern.

leastprivilege commented on May 29, 2024

I haven't started on it - and I have no ETA.

bureus commented on May 29, 2024

Hi, I would really love this to be supported.

Right now we have a market-based client in IdentityServer3 (IDS3), with some markets supporting login. We are using IDS3 to give us OpenID Connect support together with a relying party (ADFS 2.0). Right now I'm looking into adding a map to the app builder used by IdentityServer, like this...

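    using System;
    using Microsoft.Owin;
    using Owin;

    private void ConfigureWsFedRedirectEndpoint(IAppBuilder appBuilder)
    {
        // Sign-out landing endpoint: sends the browser back to the client,
        // optionally to a per-market sub-path.
        appBuilder.Map(new PathString("/wsfedredirect"), (application) => application.Run((ctx) =>
        {
            var uri = new Uri("CLIENTBASEURI", UriKind.Absolute);
            var market = ctx.Request.Query.Get("market");
            if (!string.IsNullOrEmpty(market))
            {
                // The query value is untrusted: escape it so it stays a single
                // path segment under the client base URI and cannot change the host.
                uri = new Uri(uri, new Uri(string.Format("/{0}", Uri.EscapeDataString(market)), UriKind.Relative));
            }
            ctx.Response.StatusCode = 301;
            ctx.Response.Headers.Set("Location", uri.ToString());
            return ctx.Response.WriteAsync("redirecting to client");
        }));
    }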

And I'm using ADFS as an identity provider to IDS3, setting the signoutwreply to "wsfedredirect" and extracting the market using the notifications.

    using System.Threading.Tasks;
    using Microsoft.Owin.Security.WsFederation;

    private WsFederationAuthenticationNotifications GetAdfsAuthenticationNotifications()
    {
        var notifications = new WsFederationAuthenticationNotifications()
        {
            RedirectToIdentityProvider = notification =>
            {
                // Only sign-out messages carrying the expected wreply are touched.
                if (notification.ProtocolMessage.IsSignOutMessage)
                {
                    if (!string.IsNullOrEmpty(notification.ProtocolMessage.Wreply) &&
                        notification.ProtocolMessage.Wreply.Equals("WREPLY"))
                    {
                        // The appended value is left out in the post; string.Empty keeps the line compilable.
                        notification.ProtocolMessage.Wreply += /* EXTRACTING MARKET FROM COOKIE */ string.Empty;
                    }
                }
                return Task.FromResult(0);
            }
        };
        return notifications;
    }

Not sure how stable this solution is... But we will do a load test on it, and it's not final yet.

dcinzona commented on May 29, 2024

Any progress on this? We are looking to implement a similar feature.
Thanks

brockallen commented on May 29, 2024

Anyone want to propose a PR for this? If not, we will close this.

chrisptree commented on May 29, 2024

I am sorry but I did not have time to implement something. It is OK to close it.

gnjack commented on May 29, 2024

I could look at re-opening and finishing #44 - I believe all that needs changing is defining the list of valid reply URLs per relying party instead of a global list. This method does present some issues if the user logs out multiple times. We have been successfully using a fork with the above changes in production for 5 months.

If there is interest, I'll find some time to pick the PR up again.
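
The per-relying-party reply URL check discussed in this thread, as an added example (not code from IdentityServer3.WsFederation or from any commenter). `RelyingPartyEntry`, `SignOutReplyUrls` and `SignOutReplyValidator` are hypothetical names, the URLs are constructed samples, and matching on scheme, host, port and path while letting the query vary is this example's assumption.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for a relying party record; not the IdentityServer3 type.
public sealed class RelyingPartyEntry
{
    public string Realm { get; set; }
    public List<string> SignOutReplyUrls { get; } = new List<string>();
}

public static class SignOutReplyValidator
{
    // Returns the sign-out redirect target, or null when wreply is not
    // registered for this relying party (the caller then shows its default page).
    public static Uri Resolve(RelyingPartyEntry rp, string wreply)
    {
        Uri requested;
        if (rp == null || !Uri.TryCreate(wreply, UriKind.Absolute, out requested)) return null;
        // Only HTTPS targets, and no user-info part in front of the host.
        if (requested.Scheme != Uri.UriSchemeHttps || requested.UserInfo.Length > 0) return null;

        foreach (var registered in rp.SignOutReplyUrls)
        {
            Uri allowed;
            if (!Uri.TryCreate(registered, UriKind.Absolute, out allowed)) continue;
            // Compare parsed components, not string prefixes. Assumption of this
            // example: scheme, host, port and path must match; the query may vary.
            if (allowed.Scheme == requested.Scheme
                && string.Equals(allowed.Host, requested.Host, StringComparison.OrdinalIgnoreCase)
                && allowed.Port == requested.Port
                && string.Equals(allowed.AbsolutePath, requested.AbsolutePath, StringComparison.Ordinal))
                return requested;
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample data.
        var rp = new RelyingPartyEntry { Realm = "urn:example:shop" };
        rp.SignOutReplyUrls.Add("https://shop.example.com/signedout");
        foreach (var wreply in new[] {
            "https://shop.example.com/signedout?market=se",   // registered path plus a query
            "https://shop.example.com.other.test/signedout",  // different host sharing a prefix
            "//other.test/signedout",                         // protocol-relative value
            "https://shop.example.com/elsewhere" })           // path that is not registered
            Console.WriteLine("{0} -> {1}", wreply, Resolve(rp, wreply) != null);
    }
}
```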

janih78 commented on May 29, 2024

Unfortunately I don't have time for this right now, but I would very much appreciate it if someone has. This is something that we still need.

clairernovotny commented on May 29, 2024

This seems to be covered by #60
