Identity Server 3 and Azure AD Single Sign Out
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
I'm using Identity Server 3 with WS-Federation plugin on top and Azure AD SAML2 Provider as an External Provider in Identity Server 3.
No Problems when I perform Single Sign On between IDSRV3, Client, Relying Party and AZURE AD.
The problem is when I perform Single Sign Out from Azure with authenticated RP (Ws Federation Client).
This is what I'm getting in Firefox:
Load denied by X-Frame-Options: https://localhost:5000/core/wsfed/signout does not permit cross-origin framing.
In Chrome:
Refused to display 'https://localhost:5000/core/wsfed/signout' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
As I see in the WsFederation plugin the "/wsfed/signout" route does not disable the XFO
[Route("signout")]
[HttpGet]
public async Task<IHttpActionResult> SignOutCallback()
{
Logger.Info("WS-Federation signout callback");
var urls = await _cookies.GetValuesAndDeleteCookieAsync(WsFederationPluginOptions.CookieName);
return new SignOutResult(urls);
}
But do on the "/wsfed" GET route:
[Route("")]
[SecurityHeaders(EnableCsp = false, EnableXfo = false)]
public async Task<IHttpActionResult> Get()
{
...
if (signout != null)
{
Logger.Info("WsFederation signout request");
return await ProcessSignOutAsync(signout);
}
Where is the mistake here? If I remove the X-Frame-Options headers in IIS directly it works fine but following the docs does not.
Any help is appreciated.
iis identityserver3 content-security-policy ws-federation x-frame-options
asked Jan 4 at 14:20
dimitarfdimitarf
61
add a comment |
I'm using Identity Server 3 with WS-Federation plugin on top and Azure AD SAML2 Provider as an External Provider in Identity Server 3.
No Problems when I perform Single Sign On between IDSRV3, Client, Relying Party and AZURE AD.
The problem is when I perform Single Sign Out from Azure with authenticated RP (Ws Federation Client).
This is what I'm getting in Firefox:
Load denied by X-Frame-Options: https://localhost:5000/core/wsfed/signout does not permit cross-origin framing.
In Chrome:
Refused to display 'https://localhost:5000/core/wsfed/signout' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
As I see in the WsFederation plugin the "/wsfed/signout" route does not disable the XFO
[Route("signout")]
[HttpGet]
public async Task<IHttpActionResult> SignOutCallback()
{
Logger.Info("WS-Federation signout callback");
var urls = await _cookies.GetValuesAndDeleteCookieAsync(WsFederationPluginOptions.CookieName);
return new SignOutResult(urls);
}
But do on the "/wsfed" GET route:
[Route("")]
[SecurityHeaders(EnableCsp = false, EnableXfo = false)]
public async Task<IHttpActionResult> Get()
{
...
if (signout != null)
{
Logger.Info("WsFederation signout request");
return await ProcessSignOutAsync(signout);
}
Where is the mistake here? If I remove the X-Frame-Options headers in IIS directly it works fine but following the docs does not.
Any help is appreciated.
iis identityserver3 content-security-policy ws-federation x-frame-options
asked Jan 4 at 14:20
dimitarfdimitarf
61
add a comment |
I'm using Identity Server 3 with WS-Federation plugin on top and Azure AD SAML2 Provider as an External Provider in Identity Server 3.
No Problems when I perform Single Sign On between IDSRV3, Client, Relying Party and AZURE AD.
The problem is when I perform Single Sign Out from Azure with authenticated RP (Ws Federation Client).
This is what I'm getting in Firefox:
Load denied by X-Frame-Options: https://localhost:5000/core/wsfed/signout does not permit cross-origin framing.
In Chrome:
Refused to display 'https://localhost:5000/core/wsfed/signout' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
As I see in the WsFederation plugin the "/wsfed/signout" route does not disable the XFO
[Route("signout")]
[HttpGet]
public async Task<IHttpActionResult> SignOutCallback()
{
Logger.Info("WS-Federation signout callback");
var urls = await _cookies.GetValuesAndDeleteCookieAsync(WsFederationPluginOptions.CookieName);
return new SignOutResult(urls);
}
But do on the "/wsfed" GET route:
[Route("")]
[SecurityHeaders(EnableCsp = false, EnableXfo = false)]
public async Task<IHttpActionResult> Get()
{
...
if (signout != null)
{
Logger.Info("WsFederation signout request");
return await ProcessSignOutAsync(signout);
}
Where is the mistake here? If I remove the X-Frame-Options headers in IIS directly it works fine but following the docs does not.
Any help is appreciated.
iis identityserver3 content-security-policy ws-federation x-frame-options
asked Jan 4 at 14:20
dimitarfdimitarf
61
I'm using Identity Server 3 with WS-Federation plugin on top and Azure AD SAML2 Provider as an External Provider in Identity Server 3.
No Problems when I perform Single Sign On between IDSRV3, Client, Relying Party and AZURE AD.
The problem is when I perform Single Sign Out from Azure with authenticated RP (Ws Federation Client).
This is what I'm getting in Firefox:
Load denied by X-Frame-Options: https://localhost:5000/core/wsfed/signout does not permit cross-origin framing.
In Chrome:
Refused to display 'https://localhost:5000/core/wsfed/signout' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
As I see in the WsFederation plugin the "/wsfed/signout" route does not disable the XFO
[Route("signout")]
[HttpGet]
public async Task<IHttpActionResult> SignOutCallback()
{
Logger.Info("WS-Federation signout callback");
var urls = await _cookies.GetValuesAndDeleteCookieAsync(WsFederationPluginOptions.CookieName);
return new SignOutResult(urls);
}
But do on the "/wsfed" GET route:
[Route("")]
[SecurityHeaders(EnableCsp = false, EnableXfo = false)]
public async Task<IHttpActionResult> Get()
{
...
if (signout != null)
{
Logger.Info("WsFederation signout request");
return await ProcessSignOutAsync(signout);
}
Where is the mistake here? If I remove the X-Frame-Options headers in IIS directly it works fine but following the docs does not.
Any help is appreciated.
iis identityserver3 content-security-policy ws-federation x-frame-options
iis identityserver3 content-security-policy ws-federation x-frame-options
asked Jan 4 at 14:20
dimitarfdimitarf
61
asked Jan 4 at 14:20
dimitarfdimitarf
61
asked Jan 4 at 14:20
dimitarfdimitarf
61
asked Jan 4 at 14:20
dimitarfdimitarf
61
asked Jan 4 at 14:20
dimitarfdimitarf
61
61
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54040748%2fidentity-server-3-and-azure-ad-single-sign-out%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54040748%2fidentity-server-3-and-azure-ad-single-sign-out%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
