How to fix SLO with passport-saml when it only works on the first logout but not on later logouts

Time: 2019-04-16 12:09:39

Tags: express adfs passport-saml

I have to connect an application to my company's ADFS server. I am using passport-saml for SSO and SLO. SSO works, and SLO works only on the first logout. I am trying to get SLO to work every time a user logs out.

I have searched high and low for a solution to this problem, but it eludes me. Details:

  1. I first clear the cookies in my browser and then refresh.
  2. I log in to my application, which redirects to the ADFS login page.
  3. I enter the user credentials, and ADFS redirects back to my application's home page.
  4. I log out of my application, and a request is sent to the ADFS server, which terminates my session both locally and on ADFS and then redirects me back to my application's home page.
  5. I log in again, and it works fine.
  6. I log out, but this time I am sent to the ADFS server's logout page.

Further inspection shows that ADFS does not clear its cookies, so the ADFS session stays active.

I have used the SAML viewer add-on for Firefox to observe what is happening, and here is what I found:

Successful logout:

HTTP:

GET https://myadfs.org/adfs/ls/?wa=wsignout1.0 HTTP/1.1
Host: myadfs.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/dashboard/data
Connection: keep-alive
Cookie: MSISAuth=<long opaque token, elided>; SamlSession=aHR0cHMlM2ElMmYlMmZmcGNkcmRldi5tb2ZmaXR0Lm9yZyZyZGYWxzZSZDDWtyYXNTRCYmJiYmXzFkZjY4M2RhLTM4NTktNDVjNS04ODNkYY3Ym; MSISAuthenticated=NC8xNi8yMDE5IDExOjI2OjI4IEFN; MSISLoopDetectionCookie=MjAxOS0wNC0xNjoxMToyNjoyOFpcMQ==
Upgrade-Insecure-Requests: 1

HTTP/1.1 302 Found
Content-Length: 0
Content-Type: text/html; charset=utf-8
Location: https://example.com:443/login?SAMLRequest=<deflated, base64, URL-encoded LogoutRequest, elided; decoded below>&Signature=<elided>&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
Server: Microsoft-HTTPAPI/2.0
P3P: ADFS doesn't have P3P policy, please contact your site's admin for more details
Set-Cookie: SamlSession=; expires=Mon, 15 Apr 2019 11:26:39 GMT; path=/adfs
Set-Cookie: SamlLogout=<long opaque value, elided>; path=/adfs; HttpOnly; Secure
Set-Cookie: MSISAuthenticated=; expires=Mon, 15 Apr 2019 11:26:39 GMT; path=/adfs
Set-Cookie: MSISAuth=; expires=Mon, 15 Apr 2019 11:26:39 GMT; path=/adfs
Set-Cookie: ReturnUrl=aHR0cHM6Ly9ycHBzc29kZXYubW9mZml0dC5vcmc6NDQzL2FkZnMvbHMvP3dhPXdzaWdub3V0MS4w; path=/adfs; HttpOnly; Secure
Set-Cookie: MSISSignoutProtocol=U2FtbA==; expires=Tue, 16 Apr 2019 11:36:39 GMT; path=/adfs; HttpOnly; Secure
Date: Tue, 16 Apr 2019 11:26:39 GMT

SAML:

<samlp:LogoutRequest ID="_50a15fff-8515-4328-b0a5-a76b34750585"
                     Version="2.0"
                     IssueInstant="2019-04-16T11:26:39.875Z"
                     Destination="https://example.com/login"
                     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                     NotOnOrAfter="2019-04-16T11:31:39.875Z"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myadfs.org/adfs/services/trust</Issuer>
    <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">USERNAME</NameID>
    <samlp:SessionIndex>_1df683da-3859-45c5-883d-076dba7b297b</samlp:SessionIndex>
</samlp:LogoutRequest>

On the subsequent, failed logouts:

HTTP:

GET https://myadfs.org/adfs/ls/?wa=wsignout1.0 HTTP/1.1
Host: myadfs.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/dashboard/data
Connection: keep-alive
Cookie: MSISLoopDetectionCookie=MjAxOS0wNC0xNjoxMToyODoyNlpcMQ==; SamlLogout=<long opaque value, elided>; ReturnUrl=aHR0cHM6Ly9ycHBzc29kZXYubW9mZml0dC5vcmc6NDQzL2FkZnMvbHMvP3dhPXdzaWdub3V0MS4w; MSISSignoutProtocol=U2FtbA==; MSISAuth=<long opaque token, elided>; SamlSession=aHR0cHMlM2ElMmYlMmZmcGNkcmRldi5tb2ZmaXR0Lm9yZyZGYWxzZSZDdWtyYXNTRCYmJiYmX2NlNDAwODQxLTA2ZDItNDI3Ni05MTRLWWZN; MSISAuthenticated=NC8xNi8yMDE5IDExOjI4OjI2IEFN
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 8957
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 16 Apr 2019 11:28:45 GMT

SAML:

No SAML was sent.

You can see that after the successful logout, ADFS sets its cookies so that they are cleared, whereas the failed logout does not. In addition, the failed logout does not send a SAML logout request.

Finally, when I clear the cookies in the browser, the first login/logout session works again as expected, while all subsequent logouts do not. I can see that the cookies persist on the subsequent logouts because ADFS does not receive a SAML logout request. I just don't understand how it works on the first logout but not on the following ones. I have looked at the passport-saml code but can't seem to find the problem.

Any help would be great.

Here is my passport.js setup:

const fs = require('fs');
const passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;
require('dotenv').config();

// The whole user object (including sessionIndex) is stored in the session as-is.
passport.serializeUser((user, done) => {
    done(null, user);
});

passport.deserializeUser((user, done) => {
    done(null, user);
});

passport.use(new SamlStrategy({
    entryPoint: 'https://myadfs.org/adfs/ls',                   // ADFS SAML SSO endpoint
    issuer: 'https://example.com',                               // this SP's entity ID
    callbackUrl: process.env.NODESERVERURL + ':' + process.env.PORT + '/authenticate/adfs/postResponse',
    privateCert: fs.readFileSync(__dirname + '/private/keys/fpcdr.key', 'utf-8'), // SP signing key
    logoutUrl: 'https://myadfs.org/adfs/ls/?wa=wsignout1.0',    // note: this is the WS-Federation sign-out URL
    signatureAlgorithm: 'sha256'
},
    function(profile, done) {
        const username = profile.nameID.toLowerCase();
        const email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'].toLowerCase();
        // sessionIndex is what a SAML LogoutRequest must carry to end this session at the IdP.
        const sessionIndex = profile.sessionIndex;
        return done(null, {
            username,
            email,
            sessionIndex
        });
    })
);

module.exports = passport;

passport callbackUrl:

// LANDING_PAGE_REDIRECT_DEV / LANDING_PAGE_REDIRECT_PROD are defined elsewhere in the module.
module.exports.adfsAuthenticate = function(req, res) {

    const email = req.user.email;
    const username = req.user.username;

    if (process.env.UAT === 'true') {
        res.status(302).redirect(LANDING_PAGE_REDIRECT_DEV);
    } else {
        res.status(302).redirect(LANDING_PAGE_REDIRECT_PROD);
    }
};

adfs logout:

module.exports.logout = function(req, res) {
    // Clears only the local Express session; no SAML LogoutRequest is sent to ADFS from here.
    req.logout();
    req.session.destroy(function (err) {
        if (!err) {
            res.status(200).clearCookie('connect.sid', {path: '/'}).json({status: "Success"});
        } else {
            // alert() does not exist in Node; log the failure and report it to the client.
            console.error(err);
            res.status(500).json({status: "Error"});
        }
    });
};

2 answers:

Answer 0 (score: 1)

I observed that there is a cookie stored in the browser named "MSISSignoutProtocol", and if that cookie exists, logout does not work as expected on subsequent requests.

To make it work properly, you may need to implement proper SAML logout, which most IdPs support.

Answer 1 (score: 0)

I have the same problem, and right now the only thing I can be sure of is that it is because of the MSISSignoutProtocol cookie. Here are some links:

Active Directory Federation Services Logout

https://social.technet.microsoft.com/Forums/en-US/1bf203f4-c71c-4d50-8d54-8f4e1982ccae/saml-logout-problem?forum=ADFS

I hope this helps.
