I'm using WsFed to implement ADFS SSO into an app. In order to properly sign out, I must specify both the CookieAuthenticationDefaults.AuthenticationScheme and WsFederationDefaults.AuthenticationScheme schemes for the SignOut method. If I use only the cookie scheme, I am not signed out. If I use only the WsFed scheme, I'm signed out but able to be automatically re-authenticated if I click the browser back button.
At the moment, I'm specifying both of them for the SignOut method. However, I don't want to have these schemes in multiple places (Startup.cs and controller action).
I know that if I don't provide a scheme then it defaults to one, just like in my Login action. But is it possible to make it default to two schemes, or do I need to hardcode at least one of them in the action?
Logout action:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[AllowAnonymous]
[HttpGet]
public IActionResult Logout()
{
    // Signs out of the local cookie session and of the remote WS-Federation (ADFS) session.
    return SignOut(
        new AuthenticationProperties
        {
            RedirectUri = Url.Action("LoggedOutSuccessfully", "NameController"),
        },
        WsFederationDefaults.AuthenticationScheme,
        CookieAuthenticationDefaults.AuthenticationScheme);
}
Startup.cs default scheme set up:
services.AddAuthentication(sharedOptions =>
{
    // Local application session lives in the cookie.
    sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // Unauthenticated requests are redirected to ADFS.
    sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
    //need two schemes here (or somewhere) instead of one
    sharedOptions.DefaultSignOutScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(options =>
{
    //... WsFed options
})
.AddCookie(options =>
{
    //... cookie options
});
The short answer is no, you cannot really combine multiple schemes by default.
The reason for that is mostly due to what schemes can be: The cookie scheme is really one of the simplest schemes you could sign out of, because it just needs to clear the user's cookie and as such does not need its own HTTP response. Instead, it can be combined with another response, for example that of a remote scheme signing out of a remote authentication provider.
WS-Federation is a remote authentication scheme which basically means that it relies on a remote authentication provider to actually perform the user authentication. In most cases, signing on with a remote authentication provider means that that provider will also create a user session on its own, so that subsequent authentication requests can rely on the already existing user session to authenticate the user without asking them for their credentials. This is also the foundation of single sign-on across multiple applications: You sign in once with the central authentication provider, and all applications can transparently authenticate the user without asking them to reauthenticate.
For the sign-out process this unfortunately means that in order to sign a user out remotely, the user has to be sent to that exact authentication provider to sign out there (simply because you cannot clear the authentication provider’s cookie yourself). This is usually done with a redirect to the authentication provider’s sign out page. And since a redirect is a single HTTP response, you can combine it with a cookie sign-out but not with another remote authentication sign-out.
Depending on the protocol and the provider's capabilities, the protocol may allow you to specify a return URL the user is redirected back to after successfully signing out. This mechanism could be used to chain sign-outs with multiple authentication handlers that each require their own HTTP response. But you will have to handle that yourself.
In the end, it is also really your choice whether you want to sign out a user remotely. Depending on your setup, you might only want to sign out the user locally (via the cookie scheme) but keep them logged in with their remote authentication handler. So by choosing the schemes on sign-out, you have control over that as well.
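An added example, not part of the question or the answer above, showing one way to act on the answer: keep the scheme names in a single place so Startup and the controller share them, and expose both a full sign-out (cookie plus the WS-Federation redirect to ADFS, which returns the browser to a local page afterwards) and a local-only sign-out that leaves the ADFS session alone. The AuthSchemes class, AccountController, the LoggedOut action and the placeholder metadata address and realm are assumptions for illustration, not anything from the original post.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper: one definition of the schemes, referenced from both
// Startup and the controller so the list is not duplicated.
public static class AuthSchemes
{
    public const string Local = CookieAuthenticationDefaults.AuthenticationScheme;
    public const string Remote = WsFederationDefaults.AuthenticationScheme;

    // A full sign-out needs both: the cookie handler only clears the cookie and
    // produces no response of its own, the WS-Federation handler issues the
    // redirect to the ADFS sign-out endpoint.
    public static readonly string[] FullSignOut = { Remote, Local };
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = AuthSchemes.Local;
            options.DefaultSignInScheme = AuthSchemes.Local;
            options.DefaultChallengeScheme = AuthSchemes.Remote;
            // Only one default sign-out scheme exists; a full sign-out must
            // name both schemes explicitly (see AccountController.Logout).
            options.DefaultSignOutScheme = AuthSchemes.Remote;
        })
        .AddWsFederation(options =>
        {
            // Placeholder values (assumed); replace with the real ADFS metadata URL and realm.
            options.MetadataAddress =
                "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";
            options.Wtrealm = "https://app.example.com/";
        })
        .AddCookie();

        services.AddControllersWithViews();
    }
}

public class AccountController : Controller
{
    // Full sign-out: clears the application cookie and redirects the browser to
    // ADFS. RedirectUri becomes the return URL ADFS sends the user back to once
    // its own session is gone, so the back button can no longer re-authenticate
    // the user silently.
    [AllowAnonymous]
    [HttpGet]
    public IActionResult Logout()
    {
        return SignOut(
            new AuthenticationProperties
            {
                RedirectUri = Url.Action(nameof(LoggedOut), "Account"),
            },
            AuthSchemes.FullSignOut);
    }

    // Local-only sign-out: drops the application session but keeps the ADFS
    // session, so the next challenge signs the user back in without a prompt.
    // This is the deliberate choice the answer describes, not a mistake.
    [HttpGet]
    public async Task<IActionResult> LocalLogout()
    {
        await HttpContext.SignOutAsync(AuthSchemes.Local);
        return RedirectToAction(nameof(LoggedOut));
    }

    // Landing page after either sign-out; must be reachable anonymously,
    // otherwise the default challenge would immediately send the user back to ADFS.
    [AllowAnonymous]
    [HttpGet]
    public IActionResult LoggedOut() => View();
}
```

Which of the two Logout actions an application exposes is a product decision: the full sign-out is what users expect from a "log out" link in a single-sign-on setup, while the local-only variant is useful when the application wants to end its own session without affecting other applications that share the same ADFS session.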