我正在使用带有自定义STS的Windows Azure访问控制服务。我可以通过ACS登录我的应用程序,但是我在登出功能方面遇到了麻烦。我在我的应用程序中尝试过这段代码。
WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
try
{
FormsAuthentication.SignOut();
}
finally
{
fam.SignOut(true);
}
Page.Response.Redirect("default.aspx");
但它似乎从ACS注销用户而不是从自定义STS注销。从STS注销我该怎么办?在appliacation(RP),ACS或STS中可能出现问题?
我认为ACS应该要求自定义STS注销用户,但似乎它不会这样做。我缺少什么?
答案 0 :(得分:5)
我已经为FederatedSignout创建了一个帮助方法,在代码中注释了我在路上发现的内容(hth)
public static void FederatedSignOut(string reply = null)
{
WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
// Native FederatedSignOut doesn't seem to have a way for finding/registering realm for singout, get it from the FAM
string wrealm = string.Format("wtrealm={0}", fam.Realm);
// Create basic url for signout (wreply is set by native FederatedSignOut)
string signOutUrl = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(fam.Issuer, null, wrealm);
// Check where to return, if not set ACS will use Reply address configured for the RP
string wreply = !string.IsNullOrEmpty(reply) ? reply : (!string.IsNullOrEmpty(fam.Reply) ? fam.Reply : null);
WSFederationAuthenticationModule.FederatedSignOut(new Uri(signOutUrl), !string.IsNullOrEmpty(wreply) ? new Uri(wreply) : null);
// Remarks! Native FederatedSignout has an option for setting signOutUrl to null, even if the documentation tells otherwise.
// If set to null the method will search for signoutUrl in Session token, but I couldn't find any information about how to set this. Found some Sharepoint code that use this
// Michele Leroux Bustamante had a code example (from 2010) that also uses this form.
// Other examples creates the signout url manually and calls redirect.
// FAM has support for wsignoutcleanup1.0 right out of the box, there is no need for code to handle this.
// That makes it even harder to understand why there are no complete FederatedSignOut method in FAM
// When using native FederatedSignOut() no events for signout will be called, if you need this use the FAM SignOut methods instead.
}
此代码用于我们为带有ACS的Web SSO创建的标准RP库。
答案 1 :(得分:2)
2012年12月的ACS更新包括对联合单点注销的支持:
使用WS-Federation协议。使用ACS的Web应用程序 使用身份提供程序启用身份提供程序的单点登录(SSO) WS-Federation协议现在可以利用单点注销 能力。当用户退出Web应用程序时,ACS可以 自动将用户从身份提供商中签出并退出 使用相同身份提供者的其他依赖方应用程序。
此功能适用于WS-Federation身份提供商,包括 Active Directory联合身份验证服务2.0和Windows Live ID (微软帐户)。要启用单点注销,ACS会执行 以下WS-Federation协议端点任务:
ACS识别来自身份提供商的wsignoutcleanup1.0消息 并通过向依赖方发送wsignoutcleanup1.0消息进行响应 应用
ACS识别来自依赖方的wsignout1.0和wreply消息 应用程序并通过发送wsignout1.0消息进行身份响应 提供者和wsignoutcleanup1.0消息给依赖方 应用
从Code Sample: ASP.NET MVC 4 with Federated Sign-out,实施类似这样的行动,从ACS退出:
(请注意,Windows Identity Foundation现已合并到.NET 4.5 Framework中,这就是下面新命名空间的原因)
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
public ActionResult Logout()
{
// Load Identity Configuration
FederationConfiguration config = FederatedAuthentication.FederationConfiguration;
// Get wtrealm from WsFederationConfiguation Section
string wtrealm = config.WsFederationConfiguration.Realm;
string wreply;
// Construct wreply value from wtrealm (This will be the return URL to your app)
if (wtrealm.Last().Equals('/'))
{
wreply = wtrealm + "Logout";
}
else
{
wreply = wtrealm + "/Logout";
}
// Read the ACS Ws-Federation endpoint from web.Config
// something like "https://<your-namespace>.accesscontrol.windows.net/v2/wsfederation"
string wsFederationEndpoint = ConfigurationManager.AppSettings["ida:Issuer"];
SignOutRequestMessage signoutRequestMessage = new SignOutRequestMessage(new Uri(wsFederationEndpoint));
signoutRequestMessage.Parameters.Add("wreply", wreply);
signoutRequestMessage.Parameters.Add("wtrealm", wtrealm);
FederatedAuthentication.SessionAuthenticationModule.SignOut();
string signoutUrl = signoutRequestMessage.WriteQueryString();
return this.Redirect(signoutUrl);
}