Signing out from Access Control Service with a custom STS



I am using Windows Azure Access Control Service with a custom STS. I can log in to my application through ACS, but I am having problems with the sign-out function. I have tried this code in the application.

        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
        try
        {
            FormsAuthentication.SignOut();
        }
        finally
        {
            fam.SignOut(true);
        }
        Page.Response.Redirect("default.aspx");

But it seems to sign the user out of ACS rather than out of the custom STS. What should I do to sign out of the STS? Where might the problem be: in the application (RP), in ACS, or in the STS?

I think ACS should ask the custom STS to sign the user out, but it does not seem to do that. What am I missing?

I created a helper method for performing FederatedSignout, with comments in the code about what I found along the way.

public static void FederatedSignOut(string reply = null)
{
    WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
    // Native FederatedSignOut doesn't seem to have a way for finding/registering the realm for signout, get it from the FAM
    string wrealm = string.Format("wtrealm={0}", fam.Realm);
    // Create basic url for signout (wreply is set by native FederatedSignOut)
    string signOutUrl = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(fam.Issuer, null, wrealm);
    // Check where to return, if not set ACS will use the Reply address configured for the RP
    string wreply = !string.IsNullOrEmpty(reply) ? reply : (!string.IsNullOrEmpty(fam.Reply) ? fam.Reply : null);
    WSFederationAuthenticationModule.FederatedSignOut(new Uri(signOutUrl), !string.IsNullOrEmpty(wreply) ? new Uri(wreply) : null);
    // Remarks! Native FederatedSignout has an option for setting signOutUrl to null, even if the documentation tells otherwise.
    // If set to null the method will search for signoutUrl in the session token, but I couldn't find any information about how to set this. Found some SharePoint code that uses this.
    // Michele Leroux Bustamante had a code example (from 2010) that also uses this form.
    // Other examples create the signout url manually and call redirect.
    // FAM has support for wsignoutcleanup1.0 right out of the box, there is no need for code to handle this.
    // That makes it even harder to understand why there is no complete FederatedSignOut method in FAM.
    // When using native FederatedSignOut() no events for signout will be called, if you need this use the FAM SignOut methods instead.
}

This code is used in the standard RP library we created for web SSO with ACS.

The December 2012 update to ACS includes support for federated single sign-out:

Using the WS-Federation protocol. Web applications that use ACS with the WS-Federation protocol can now take advantage of single sign-out functionality. When a user signs out of the web application, ACS can automatically sign the user out of the identity provider and out of other relying party applications that use the same identity provider.

This feature is available for WS-Federation identity providers, including Active Directory Federation Services 2.0 and Windows Live ID (Microsoft account). To enable single sign-out, ACS performs the following tasks for the WS-Federation protocol endpoint:

  • ACS recognizes wsignoutcleanup1.0 messages from identity providers and responds by sending wsignoutcleanup1.0 messages to relying party applications.

  • ACS recognizes wsignout1.0 messages from relying party applications and responds by sending wsignout1.0 messages to identity providers and wsignoutcleanup1.0 messages to relying party applications.

From the code sample "ASP.NET MVC 4 with federated sign-out", sign-out from ACS is implemented like this:

(Note that Windows Identity Foundation is now integrated into the .NET 4.5 Framework, which is the reason for the new namespaces below.)

using System;
using System.Configuration;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.Linq;
using System.Web.Mvc;

public ActionResult Logout()
{
    // Load Identity Configuration
    FederationConfiguration config = FederatedAuthentication.FederationConfiguration;
    // Get wtrealm from the WsFederationConfiguration section
    string wtrealm = config.WsFederationConfiguration.Realm;
    string wreply;
    // Construct the wreply value from wtrealm (this will be the return URL to your app)
    if (wtrealm.Last().Equals('/'))
    {
        wreply = wtrealm + "Logout";
    }
    else
    {
        wreply = wtrealm + "/Logout";
    }
    // Read the ACS WS-Federation endpoint from web.config
    // something like "https://<your-namespace>.accesscontrol.windows.net/v2/wsfederation"
    string wsFederationEndpoint = ConfigurationManager.AppSettings["ida:Issuer"];
    // Build the wsignout1.0 request that ACS will fan out to the identity provider and other RPs
    SignOutRequestMessage signoutRequestMessage = new SignOutRequestMessage(new Uri(wsFederationEndpoint));
    signoutRequestMessage.Parameters.Add("wreply", wreply);
    signoutRequestMessage.Parameters.Add("wtrealm", wtrealm);
    // Clear the local session cookie before redirecting to ACS
    FederatedAuthentication.SessionAuthenticationModule.SignOut();
    string signoutUrl = signoutRequestMessage.WriteQueryString();
    return this.Redirect(signoutUrl);
}
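As an added illustration of the single sign-out behaviour described above (the wsignout1.0 / wsignoutcleanup1.0 fan-out ACS performs, and the wsignout1.0 request the Logout action builds), here is a small Python model of both sides; it is not WIF or ACS code, the namespace, realms, identity providers and reply addresses are constructed, and the rule that a supplied wreply is only honoured when it stays under the RP's registered realm (otherwise the configured Reply address is used) is this model's own defensive choice:

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed ACS configuration (hypothetical values): relying parties, the
# identity provider each one uses, and the Reply address registered for it.
RELYING_PARTIES = {
    "https://app1.example.com/": {"idp": "https://sts.example.com/", "reply": "https://app1.example.com/Logout"},
    "https://app2.example.com/": {"idp": "https://sts.example.com/", "reply": "https://app2.example.com/"},
    "https://app3.example.com/": {"idp": "https://other-idp.example.org/", "reply": "https://app3.example.com/"},
}
ACS_ENDPOINT = "https://example-namespace.accesscontrol.windows.net/v2/wsfederation"


def build_signout_url(wtrealm, wreply):
    """RP side: the wsignout1.0 redirect to ACS, as the Logout action above produces."""
    return ACS_ENDPOINT + "?" + urlencode({"wa": "wsignout1.0", "wtrealm": wtrealm, "wreply": wreply})


def acs_handle_signout(url):
    """ACS side: route an incoming wsignout1.0 from a relying party.

    Returns the address the user is finally sent back to and the list of
    (message, recipient) pairs ACS emits: wsignout1.0 to the RP's identity
    provider, wsignoutcleanup1.0 to every other RP that shares that provider.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("wa") != "wsignout1.0":
        raise ValueError("not a wsignout1.0 message")
    realm = q.get("wtrealm")
    rp = RELYING_PARTIES.get(realm)
    if rp is None:
        raise ValueError("wtrealm is not a registered relying party")
    # Defensive choice of this model: a wreply outside the registered realm is
    # ignored and the configured Reply address is used instead, so sign-out
    # cannot be used to send the user to an arbitrary site.
    wreply = q.get("wreply", "")
    if not wreply.startswith(realm):
        wreply = rp["reply"]
    idp = rp["idp"]
    messages = [("wsignout1.0", idp)]
    for other_realm, other in RELYING_PARTIES.items():
        if other["idp"] == idp and other_realm != realm:
            messages.append(("wsignoutcleanup1.0", other_realm))
    return {"final_reply": wreply, "messages": messages}
```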

Latest update