Azure Web App logout from AAD Authentication - azure

I am unable to log out of my simple Azure web app that has Azure Active Directory as the authentication provider.
The user logs into the site using the AAD login page shown here,
but I am struggling to find out how to log the user out.
I tried using the various undocumented logout URLs like
https://login.microsoftonline.com/<tenantid>/oauth2/logout
Although they report that the user is logged out, it isn't: returning to the previous URL goes straight through without a sign-in page.
I am guessing there are some cookies that need to be cleared, but where on earth is all this stuff documented?
Any help is most appreciated.

Did you try "[your-domain]/.auth/logout"?
I too had a very hard time figuring this out and I found it in the comments of this blog post.
Hope it helps!

Related

Web App on Azure - Authentication with ADFS

I have developed a web application written in just pure HTML.
<html>
My code goes here
</html>
And I have deployed it to MS Azure. I'm now looking for a way to authenticate this web application with Active Directory so only my organisation's employees can access it.
I have done tons of research online and it seems there are many ways to do this. However, I'm looking to do it via "adfs/ls/wia" (correct me if I'm wrong).
The reason why I would like to do it only in that way is because:
I'm going to embed this web application into a dashboard.
In order to view that dashboard, users (employees) need to go to a specific website:
https://<dashboard>.<myorganisation>.com
And then users will be redirected to a sign-in page with this address:
https://fs.<myorganisation>.com/adfs/ls/wia
After signing in (with users' active directory accounts), users will be redirected back to the dashboard's website. The URL is now looking like the following:
https://<dashboard>.<myorganisation>.com/#/site?:isFromSaml=y
And then users can freely browse the dashboards (without having to sign in again) until they close their browsers. So I guess some sort of tokens/sessions are being kept.
My question is:
I would like to authenticate my web application in the same way, and since it's only accessed after users have signed in, how do I bypass this authentication step? What do I need to put on top of my HTML code, or is there a way to configure this in MS Azure already?
Thank you so much!
The easiest way is to have two Relying Parties in ADFS: one for the dashboard, one for the web application.
Then you will get SSO across them.

Redirect page doesn't automatically close after successful OAuth authorization

I am following the tutorial below: https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-windows-store-dotnet-get-started-users . I set up OAuth (via Google) and then created the Windows 10 app.
When I click on the authenticate button, it takes me to the Google site and authenticates me. Then it redirects me to a happy page. This happy page has no buttons. Closing the happy page gives me a [User cancelled login exception]. There is no way to proceed after this. What am I missing here?
Per my understanding, you are creating a UWP project. I followed Add authentication to your Windows app and Configure App Service to use Google login, then I downloaded the quick start project to check this issue. I could log in successfully with my Google account as follows:
Here is my code sample; you could refer to AzureMobileApp-UWP.

Logout is not working in Microsoft Azure Web App

I am using the following method to implement logout functionality for an Azure Web App.
I am using the URL https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}, where {0} is the Azure AD URL and {1} is the web app URL.
Sample URL: https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=http://myazurewebapp.azurewebsites.net
This gives me the output stating:
"You signed out of your account.
It's a good idea to close all browser windows."
But when I put the site URL in the browser, the user goes through without going through authentication. I have also added code for expiring the cookies, but it's not helping. After sign-out I want the user to be redirected to the login page, and the user should have to go through authentication to log in again.
According to your description, I have created a new ASP.NET Web Application that doesn't require any user authentication, then I followed this tutorial to configure my web app to use AAD login.
To restrict access to your site to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory.
When a user has logged in, you could find a cookie named AppServiceAuthSession as follows:
For a simple way to log out, you could just call https://{your-webapp-name}.azurewebsites.net/.auth/logout; this built-in endpoint clears your browser cookies first, then redirects you to process the logout at the Azure AD end as follows:
When the logout operation is finished on the Azure AD side, the browser redirects you to the post_logout_redirect_uri (/.auth/logout/complete by default) as follows:
In summary, please leverage Fiddler to capture the requests when performing logout in your web app, and check whether the cookie AppServiceAuthSession has been removed after you logged out.
@Bruce: No, I am not using any URL authentication rules. Let me tell you what's happening step by step.
1) I have used the same URL you have provided as the logout URL.
2) The page is redirecting to https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=https://mywebapp.azurewebsites.net/.auth/login/aad/callback . It's not getting redirected to the default logout page.
Image of cookies on the page after redirecting to logout url
3) If I navigate to the default logout page (/.auth/logout/complete) and click on "Return to website", for a brief moment it redirects to the Azure AD login page //login.microsoftonline.com/dcc17943-54b6-4bc7-b284-71d39f03aeb0/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=1ab2f820-2ca0-4a78-bfea-c849b91d339d&scope=openid+profile+email&response_mode=form_post&state=redir%3D%252F%26b2cPolicy%3D&nonce=d74940629d5e434eb6454648d33f371d_20170215104002 . It seems like it gets authenticated there automatically, and then redirects to the home page. I have deleted cookies manually too. Still the same result.
@Bruce, I found something. If I manually delete all the cookies from chrome://settings/cookies and then redirect the page, then it works. Can I do it programmatically, using JavaScript or C#?
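The answer above suggests capturing the logout round trip in Fiddler and checking that AppServiceAuthSession is gone; the same check can be done offline against the captured hops. The script below is an added example written for this thread, not code from any of the posts or from Microsoft. It builds the /.auth/logout URL (the post_logout_redirect_uri query parameter on that endpoint is documented by App Service but is not mentioned on this page), then walks a list of response hops and reports whether the app expired its own session cookie and whether the browser was sent through the Azure AD logout page. Both response chains, the app name, the tenant name and the /Account/SignOut path are constructed sample data, not a real capture.

```python
"""Offline check of an App Service (Easy Auth) logout redirect chain.

Added example for this thread, not code from any of the posts. It does what
the answer above suggests doing by hand in Fiddler: walk the responses seen
after GET /.auth/logout and report whether the AppServiceAuthSession cookie
was expired and whether the browser was sent on to the Azure AD logout
endpoint. The HTTP responses below are constructed sample data, not a
capture from a real app.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

APP = "https://myazurewebapp.azurewebsites.net"   # app name used in the question
TENANT = "myazuread.onmicrosoft.com"               # tenant used in the question
SESSION_COOKIE = "AppServiceAuthSession"           # cookie named in the answer


def logout_url(app_base, post_logout_redirect_uri=None):
    """Build the Easy Auth logout URL for a site.

    post_logout_redirect_uri is the optional query parameter App Service
    documents for /.auth/logout (not mentioned on this page); it overrides
    the default /.auth/logout/complete landing page.
    """
    url = app_base.rstrip("/") + "/.auth/logout"
    if post_logout_redirect_uri:
        url += "?" + urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return url


def aad_logout_url(tenant, post_logout_redirect_uri):
    """The Azure AD end-session URL the question itself was calling."""
    return ("https://login.microsoftonline.com/%s/oauth2/logout?" % tenant
            + urlencode({"post_logout_redirect_uri": post_logout_redirect_uri}))


def cookie_cleared(set_cookie_header, name, now=None):
    """True if a Set-Cookie header expires (or blanks) the named cookie."""
    if not set_cookie_header:
        return False
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return False
    morsel = jar[name]
    if morsel["max-age"] != "" and int(morsel["max-age"]) <= 0:
        return True
    if morsel["expires"]:
        now = now or datetime.now(timezone.utc)
        return parsedate_to_datetime(morsel["expires"]) <= now
    return morsel.value == ""


def analyze_logout_chain(chain, now=None):
    """Walk a list of {url, status, headers} hops and summarise the logout.

    session_cookie_cleared: some hop sent Set-Cookie expiring the app cookie
    aad_logout_hit:         the browser visited the AAD /oauth2/logout page
    post_logout_redirect:   where AAD was told to send the user afterwards
    """
    result = {"session_cookie_cleared": False, "aad_logout_hit": False,
              "post_logout_redirect": None, "final_url": chain[-1]["url"]}
    for hop in chain:
        if cookie_cleared(hop["headers"].get("Set-Cookie"), SESSION_COOKIE, now):
            result["session_cookie_cleared"] = True
        parts = urlparse(hop["url"])
        if parts.netloc == "login.microsoftonline.com" and parts.path.endswith("/oauth2/logout"):
            result["aad_logout_hit"] = True
            qs = parse_qs(parts.query)
            result["post_logout_redirect"] = qs.get("post_logout_redirect_uri", [None])[0]
    return result


# Constructed sample: the chain a working /.auth/logout produces, as the
# answer describes it (cookie cleared by the app, then the AAD round trip).
EXPIRED = SESSION_COOKIE + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; HttpOnly"
GOOD_CHAIN = [
    {"url": logout_url(APP), "status": 302,
     "headers": {"Set-Cookie": EXPIRED,
                 "Location": aad_logout_url(TENANT, APP + "/.auth/logout/complete")}},
    {"url": aad_logout_url(TENANT, APP + "/.auth/logout/complete"), "status": 302,
     "headers": {"Location": APP + "/.auth/logout/complete"}},
    {"url": APP + "/.auth/logout/complete", "status": 200, "headers": {}},
]

# Constructed sample of the failing pattern in the question and comments: the
# site (hypothetical /Account/SignOut path) sends the browser straight to the
# AAD logout page, nothing ever expires the app's own session cookie, so the
# next visit is still signed in.
BAD_CHAIN = [
    {"url": APP + "/Account/SignOut", "status": 302,
     "headers": {"Location": aad_logout_url(TENANT, APP + "/.auth/login/aad/callback")}},
    {"url": aad_logout_url(TENANT, APP + "/.auth/login/aad/callback"), "status": 200,
     "headers": {}},
]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(label, analyze_logout_chain(chain))
```

To use it on a real site, export the hops from Fiddler (URL, status and the Set-Cookie/Location headers) into the same dict shape and run analyze_logout_chain on them. A chain that reports aad_logout_hit but not session_cookie_cleared is exactly the symptom in the question: Azure AD says "You signed out", but the app's own cookie still authenticates the next request.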
One reason that your post-logout redirection is not working might be this Azure AD behavior that caused issues in my case:
It doesn't work for root accounts of the tenant, that is, my personal account, which created the Azure subscription.
But it works for new accounts I created inside my subscription.

Azure active directory (AAD) authentication, redirect URL not working

I have implemented AAD authentication in one of my web apps, using OWIN. Everything is working as expected in the dev environment, but it is not working in PROD. At login it goes to the AAD page, it authenticates users, and it redirects back to my registered page, but the registered page is not opening at all. The title shows "working" only. I am completely lost as to how to resolve this. Please help me to resolve the same.
Thanks in advance!
I got the solution for this. The issue was: to store the tokens, the OWIN context created a local DB (AzureTokenCache.mdf and .ldf files) in the App_Data folder. This uses SQL Express. Now we all know that using PaaS we cannot use any software. Hence my authentication failed every time, saying there was an error connecting to the database. I moved everything to SQL Azure and it worked for me.

Issue logging in to Azure-deployed web app while using CNAME redirect

I am running into an issue with logging into an ASP.NET MVC web site using Forms Authentication while running on Azure, using a CNAME to redirect my domain to the URL of the Azure application. For clarity on how I am set up, the following blog post explains my setup. http://blog.smarx.com/posts/custom-domain-names-in-windows-azure
The problem:
When I enter my credentials and click submit on the login form, the login code successfully executes and redirects to the Home page; however, it appears that the browser does not think it is logged in. I can tell this because a logged-in user will only have the option to log out, but I am seeing the login link. So maybe it is my code, right? Well, maybe, and I hope it is, but what I have noticed is that the problem only occurs if I am trying to log in from my domain "www.MyDomain.com". If I use the Azure URL mydomain.cloudapp.net, then the login works fine. The other interesting part is: if I log in from mydomain.cloudapp.net and then navigate to www.MyDomain.com, I see that I am logged in and everything works properly.
Please help.
Thank you very much,
Tom
It's hard to pinpoint your exact problem here. You could have a look at Lokad.Translate: it's a simple open source ASP.NET MVC app designed for Azure. It works with Forms Authentication, and our implementation appears to be running fine with the CNAME redirects. You could try to reproduce our setup for your own needs.
