我必须将应用程序连接到我公司的ADFS服务器。我正在为SSO和SLO使用Passport-saml。 SSO有效,并且SLO仅在首次注销时有效。每当用户注销时,我都在尝试使SLO正常工作。
我一直在高低寻找这个问题的解决方案,但是它回避了我。这是详细信息:
进一步检查显示,ADFS没有清除其cookie,因此ADFS会话保持活动状态。
我使用Firefox的SAML查看器插件来观察正在发生的事情,这是我的发现:
成功注销时:
HTTP:
获取https://myadfs.org/adfs/ls/?wa=wsignout1.0 HTTP / 1.1主持人:myadfs.org用户代理:Mozilla / 5.0(Macintosh; Intel Mac OS X 10.14; rv:66.0)Gecko / 20100101 Firefox / 66.0接受:text / html,application / xhtml + xml,application / xml; q = 0.9,/; q = 0.8接受语言:en-US,en; q = 0.5接受编码:gzip,deflate,br引荐来源:https://example.com/dashboard/data连接:保持活动状态饼干:MSISAuth = AAEAAMVBaN7qo03wm / 4jDH9e / tZ6ih6HN ++ ++ 2S7c7c0aXHK1RYIZ5 + 4Y7pf3g4v OdRUzcJgOROfZkXx0tSEeCOfJFMluodJiSYsESiJnidVcR7Os / iHkNqIp88qGG7UZj + l8NYyvsO / 7soTyQGkbMqoI0Z + 0Z + xXz2CZgOxsqWcjJ3FmTR32bsMR8Lra77XI2KyKycFiNYdYJ2dSKC7yBdxBRKHB7LAs4DOJKAtOt // IWspe9zPbju + x6chgP0dKToyfqX6m4EwlQnbHG4hmCImtXrEDytx1rbuLiBC7N56Y9WmGBTht5vgYvVEoA2cRqBbNYK + HoonL6 + oBIJdba6 + XZ2lBQsO / yJowvaHxPM8wgwLBknSt39RswaSdGjrI18CcgABAAB / eeLBPuQ9dk6ItCeTem38XttX / PQPLi52Ts + ZQGYHxs4VsO1EMe7EgMGYThPGlMCDcmS9ouXOSh6yW / LiL1jTuhc2 / jhq3X0jWY + XPOSXtp81mineHeNv8SWsFjggzh5AymLtPPrPUYT6ihj9fcbJymqatsZMI5B5h0gxS2LaUUWjJyRxpMIyQXEpLSx1mxU5psQrj5 / nGpOiq98uy8HE4kJp + Ey9uugSZQXhn9NwY + EqqmWxf6LDrCaeMLFDIX6mlgqu2eTLrUA9gNIJ4kSOC / 5Rtw4JQVJpSeQuMom6kCHFEvZo / 57BIhGkgWR8vNNCguHzZeB + as0xxfxmmb9SgAMAAMVFqaMXn0uG8 + IGJIfxdIIoJ7EsLqV7so7WnFT / 4OxfLzsXlO2flq0vcEbasLuLoqhGFaOuy1dkq / ft9se6Pv6rQfH7Esk / aMey / cKObBUPkcZAUFtQxXD7MSLScsiVnq3hHjrpZzEnMTToVkA9Zjv3i72Wv20tdE658 + 7O1olibavPPIT7Z5syoQNa1rjOAaXcPlM5hbbjXm7BiXx37ZEnvxwpY1Mf4Yocvgd9kMoApciDB2c sbTf4GEic7MKeAI2G5KpwArY7g + zt4BJud + F / xnyuwVPpwPVEiNbHQnAogh5NoMDwRx + macTdkHku4AdNvruS / 4L / aUHcEhPlhu3j / 7r9kP1EnRso12NP1AWipsGlmpdAjoIXfK0 + NBqJnDq0KwSEcvJ38OI6Z1FVkRWySi8br8pjtcytFhdh5RTkpD8FVQZ / RnGC1XE4q4IJhxMBlE1Kd8PNh3p85qpoX6r2I36a3knwK2dkm7pb0XNVwhxhC5DGpaB2iNo86CGi + BX4rICBGkNgyrOW / aWKpIhLu0bo1IDVQJw7MORdROJJk / o81E15HuC2g4r3ch + IvZOXKfAenGYM2mYrgnSRHLD0p7KsDN0vuU3IdLXAL5 / D5ezr3WQFDFXPpRJyQ + qfx8kyUCe / vtvEVaNezHzOKosQsNGwSvp + lHrEGA9LLYM8RkU / Vwshgkeq2H8MoyuDRaxgOoudNGOmvwNfMp9BoOsz8OCDA5R2BB + JXzsEkSpNYebJK + VWm5wOcYnJ2j9y1OKjRU1ICRtsSPG5kLWmYUt8hHsswzrj4UAxpks + Dn2S09YzeOudC5ss5hmTM / UeVG3r3kJ9 + Ad7716V9g7016u + XGhfSWty8EPxVAg0qV9wwAIk + FliWFdF1OLY1RODcsS3swqYfMrBWWdULVNl5d36ycFGucaP893o4Q / im7tx2 + 588lfvPbZO + DkP40MHP9Hwe ++ ra6kDiQx5si4M16zYIMmxa4nq6XVcr2hFlqbsLQjhIqkiFOCkt9LNRdKNZlghQkspUH44qLBq4sTHK0iD13FFmBs5rEE1CWa89oCELhea / Z9hPEtjPpC3Q52cAXBgbOJCTr6OYFYfQKbATqHdTU09 / nJOafMK5ID1pf7pmBL + ZTH7Kl64lxhyO / 9F84t47TctQhhFqxgsIxmv + ZVHajanNl4E0gXqJ0ULsY2h; SamlSession = aHR0cHMlM2ElMmYlMmZmcGNkcmRldi5tb2ZmaXR0Lm9yZyZyZGYWxzZSZDdWtyYXNTRCYmJiYmXzFkZjY4M2RhLTM4NTktNDVjNS04ODNkYAY3Nm; MSISAuthenticated = NC8xNi8yMDE5IDExOjI2OjI4IEFN; MSISLoopDetectionCookie = MjAxOS0wNC0xNjoxMToyNjoyOFpcMQ ==升级不安全请求:1
找到HTTP / 1.1 302内容长度:0内容类型:text / html;字符集= utf-8位置:https://example.com:443/login?SAMLRequest=lZLfa4MwEMf%2fFcl71KjxR7BCqS9C18I69rCXEjXpZJq4XCz982crY6yMwh7vuO9973N3OfChH9lWn%2fRkn8XnJMA6VblCR%2bpzQqWUOKWE4igMUlz7nGKexHUYJdSnKUXOqzDQabVCgesjpwKYRKXAcmXnlE8y7EeYxC%2bEsCBmYeamCX1DTjm7dIrbm%2fLd2hGY58mxaU0rzu6gpeysdbU5eb0%2bdQo5G61AXHtORjHNoQOm%2bCCA2YYd1k9bNtuzZilik4JRNJ3sRIucnbZ7tTdraYW5HykkPyNdhl4Bu23jsctotNWN7lGR33DNIn0s4gDCXHFRccWdac04Auh7XN5K8ObSc9cI8KyZwObeYlPku7ltVf7TbjN9GA6HMvcWeZEvFz8IuB6uUq24FEfSyjgNW47DlGY4og3F6RxjP4nbmid1kCV17v2h%2fE7%2beqDiCw%3d%3d&Signature=pT%2fSUpslARJlvOCah5VzZk4stZLIREyHmUFOO4siHUbkL5eJG4QsfYj9Pq%2bwxnOaPaevYkmiXq0rft3drTzJHspns9UbucyYQvEaSAZVmRTTyfPC3Z0EgVGSvtr0JL3nuDPsq2IfbToseuQQtJFsA%2b94D8KtaLjtUJxiMcQMHyg2yR00Ac3NGt9AsRg1X73X%2frt0XZDN9bSt4R8t%2bt2Yl2UsZsL4GHTGk7RbN3AUrYHsLtKeuN07umXqX3otVtHo%2f9tx2w2h1glYycYbFCk%2bWjox8Mej%2fiLLkpAhw9EXlhiTGrEJ2%2bcYvnQxGokOsz2vXEOoc3%2fhle27LuTPFMN9yw%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256伺服器:Microsoft-HTTPAPI / 2.0P3P:ADFS没有P3P政策,请联系您网站的管理员以获取更多详细信息Set-Cookie:SamlSession =; expires =星期一,2019年4月15日11:26:39 GMT;路径= / adfsSamlLogout = aHR0cCUzYSUyZiUyZnJwcHNzb2Rldi5tb2ZmaXR0Lm9yZyUyZmFkZnMlMmZzZXJ2aWNlcyUyZnRydXN0Pz8 / aHR0cHMlM2ElMmYlMmZmcGNkcmRldi5tb2ZmaXR0Lm9yZyZGYWxzZSZDdWtyYXNTRCYmJiYmXzFkZjY4M2RhLTM4NTktNDVjNS04ODNkLTA3NmRiYTdiMjk3Yj9fNTBhMTVmZmYtODUxNS00MzI4LWIwYTUtYTc2YjM0NzUwNTg1P3VybiUzYW9hc2lzJTNhbmFtZXMlM2F0YyUzYVNBTUwlM2EyLjAlM2FzdGF0dXMlM2FTdWNjZXNz; path = / adfs; HttpOnly;安全MSISAuthenticated =; expires =星期一,2019年4月15日11:26:39 GMT;路径= / adfsMSISAuth =; expires =星期一,2019年4月15日11:26:39 GMT;路径= / adfsReturnUrl = aHR0cHM6Ly9ycHBzc29kZXYubW9mZml0dC5vcmc6NDQzL2FkZnMvbHMvP3dhPXdzaWdub3V0MS4w; path = / adfs; HttpOnly;安全MSISSignoutProtocol = U2FtbA ==; expires =星期二,2019年4月16日11:36:39 GMT; path = / adfs; HttpOnly;安全日期:2019年4月16日,星期二11:26:39 GMT
SAML:
<samlp:LogoutRequest ID="_50a15fff-8515-4328-b0a5-a76b34750585"
Version="2.0"
IssueInstant="2019-04-16T11:26:39.875Z"
Destination="https://example.com/login"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
NotOnOrAfter="2019-04-16T11:31:39.875Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myadfs.org/adfs/services/trust</Issuer> <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">USERNAME</NameID> <samlp:SessionIndex>_1df683da-3859-45c5-883d-076dba7b297b</samlp:SessionIndex> </samlp:LogoutRequest>
随后失败的注销:
HTTP:
获取https://myadfs.org/adfs/ls/?wa=wsignout1.0 HTTP / 1.1主持人:myadfs.org用户代理:Mozilla / 5.0(Macintosh; Intel Mac OS X 10.14; rv:66.0)Gecko / 20100101 Firefox / 66.0接受:text / html,application / xhtml + xml,application / xml; q = 0.9,/; q = 0.8接受语言:en-US,en; q = 0.5接受编码:gzip,deflate,br引荐来源:https://example.com/dashboard/data连接:保持活动状态Cookie:MSISLoopDetectionCookie = MjAxOS0wNC0xNjoxMToyODoyNlpcMQ ==; SamlLogout = aHR0cCUzYSUyZiUyZnJwcHNzb2Rldi5tb2ZmaXR0Lm9yZyUyZmFkZnMlMmZzZXJ2aWNlcyUyZnRydXN0Pz8 / aHR0cHMlM2ElMmYlMmZmcGNkcmRldi5tb2ZmaXR0Lm9yZyZGYWxzZSZDdWtyYXNTRCYmJiYmXzFkZjY4M2RhLTM4NTktNDVjNS04ODNkLTA3NmRiYTdiMjk3Yj9fNTBhMTVmZmYtODUxNS00MzI4LWIwYTUtYTc2YjM0NzUwNTg1P3VybiUzYW9hc2lzJTNhbmFtZXMlM2F0YyUzYVNBTUwlM2EyLjAlM2FzdGF0dXMlM2FTdWNjZXNz; ReturnUrl = aHR0cHM6Ly9ycHBzc29kZXYubW9mZml0dC5vcmc6NDQzL2FkZnMvbHMvP3dhPXdzaWdub3V0MS4w; MSISSignoutProtocol = U2FtbA ==; MSISAuth = AAEAAFOnxdlEvO8Le / Gti39Bx6BFj1cEJ39 / A6ogocbLbXlBnq07uT1v + MuAzZs0NqyB1Wmqx3O8oTwPancFPCEFrQbngzsvsWI / oAXmuDih8uBG9MVPfstAu / cFPXL95V2IIUjX6r3Tv08FqipxW / 1CHa7QM8XvXU5a516zFsZTaxke + ITD3B + nGPsuQY + oVG47NhtoMHmCrbShjOBd9Wn6Q5FzDqbHlxD / 5czDUXixYf8gg + MTNq9W + oT5J7TF6NaBb7o1QojY7c8UoJ4fQONwlMNE17TgGVomqN4N9qVPTShGSaTlM8C + er9SOWQiALfZHvH2sv8N0AIn9qpivuCzw9WlBQsO / yJowvaHxPM8wgwLBknSt39RswaSdGjrI18CcgABAAAAz9AfrV1onudL + YY + 0zL4vWeCboTECwksETafeI44 / o0n0DEBx8kVGELmmPqSKD216OFB + p4k0K // HTW + YnRiuFpk1dAnN + dmwirgwzohFU1A3lWq0pQcHFyui1xs1UHnzDZokvK + 7r859oZP0XZ4pGGTZsjWyc2B32FgwfvpiKYKDsWALpajW9FRDnt1VnGyDSzsN3V6vQHmKIEBZn5wb3 + b3DtB9hV / ZssxiE7Xf8V8l + 144wE71YH4ETNbcX0VXKNlkL9x5R + EThMlzyNl2tAcGWSk + 3xM3lhfTm3 + 8y5GEP3rtJjLQGZSPKUljPcZM / MU3EX3YRrCkYsAyhgpgAMAAKGsYkEEca74go1dVexUCjdky1zUJMng5a / ZmKCRWTYsPT2DCjR579a0Hr69s8nl36p8EgyqnyXPm / uiFp + LPp1CuCCuXe / QYFoySixCOEcJsnRbikBEAP / Bpj5UUifnqgyO7MHH1GQiXeOlw2llsPu7rdNiEqB4X6Hqhnn6xaasl + 5iqvNkZSTi8DSQc / 24MRT4VsAcJcO7eqxjQBluWr2cyvdr9pn4GigQ05WaXWfogo3BwPJzLUo + NNG vLHfxyn1wDmUYghc + OXS + vJwTadiiSDDzrcTVTuVxw2xj6OVi8DXbyRii5 + VTKolRK0qCa / 4C4BCzOOGUkooktX / GecV6eNuk8xOdLsiybY9Ah5Z2WVgraDntw /瓦特/ PP / ij4v0jDLvDQjU + BIfGOpeV1jcG9VDObir5GYGfOm59DtlRpoy / kpjiDLWI8EE75DEFlhomeae0v4xBQ6XqgVd5lEcA2DTm / 3Ophg31FA2M5J65yE4t7W7inIC4XjMWFOu3GCMse7ERYyFbq59vf + iSs6eyev7wXidvAekALmq6Gk2Ths2JR1TbV27E2 + kgGhmvlgiShx67E9s2wrBfPKvV7 + IMS9Xe1YPKpZAlfCwnkbQNonqAMQH5LsHq1K7DWrNTcon10TiOtlMbzin8FtNphcnChHYmBbDxpqrf5xwwYXbyznQnMfeDnjN7aPo909gwhfUGNltLTOZ81m6k9c3Z0C8ugvL61bbw3Ku42OZiOnoVcEYjf50bMWZQl / hUMlRp + uHVNhK41z6U2O9Ph7S4ZI4wg7z33Z + VCP + 08HpMRqrX155atJYVX73mnr3 + J4rKvyJvjglb9aA333MUOC7iGMDDNImibvofyhbqK3VO + zqyPYj0R4OvhnA9RlvV10MWDhn5qnVevA5Oo1MQNPGnTLtfRZXpB8oa2bZZMh62XO4a5gZ / ioNsigiDAFKbQnx0wvBTb0uqYSZpfxoA4K2o87swOYB81FTkQNBnNZG171szH89jijOuEAI7hAWdAnM2LjagGZwWpuF2yHbJqQqsGzjvnqbQ6yMTvaEbkooSelFEBeRW2Gg5rGAjj5Pvs + T0ljhVlby6FfFKJ71NDBvn / 7PGIglARSZqUZcAuthlhr8pta11WnhsfnyumvLfWvOZHZZjWslKMLBpGEBe1WgcYBUBYUrUeHmCqDRy5Zc4KJXwGrY; SamlSession = aHR0cHMlM2ElMmYlMmZmcGNkcmRldi5tb2ZmaXR0Lm9yZyZGYWxzZSZDDWtyYXNTRCYmJiYmX2NlNDAwODQxLTA2ZDItNDI3Ni05MTRLLWUZNZ = L; MSISAuthenticated = NC8xNi8yMDE5IDExOjI4OjI2IEFN升级不安全请求:1
HTTP / 1.1 200确定缓存控制:无缓存,无存储语法:无缓存内容长度:8957内容类型:text / html;字符集= utf-8过期:-1伺服器:Microsoft-HTTPAPI / 2.0日期:2019年4月16日星期二11:28:45 GMT
SAML:
未发送SAML
您将看到,成功注销后,ADFS会将cookie设置为清除它们,而失败注销则不会。另外,失败的注销不会发送SAML注销请求。
最后,当我清除浏览器中的cookie时,第一个登录/注销会话将再次按预期工作,而所有后续注销均将无法进行。我可以看到Cookie保留在后续注销中,因为ADFS没有收到SAML注销请求。我只是不了解在第一次注销时如何工作,而在随后的注销中却不知道。我已经检查过护照saml的代码,但似乎找不到问题。
任何帮助都会很棒。
这是我的password.js设置:
const fs = require('fs');
const passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;
require('dotenv').config();
passport.serializeUser((user, done) => {
done(null, user);
});
passport.deserializeUser((user, done) => {
done(null, user);
});
passport.use(new SamlStrategy({
entryPoint: 'https://myadfs.org/adfs/ls',
issuer: 'https://example.com',
callbackUrl: process.env.NODESERVERURL + ':' + process.env.PORT + '/authenticate/adfs/postResponse',
privateCert: fs.readFileSync(__dirname + '/private/keys/fpcdr.key', 'utf-8'),
logoutUrl: 'https://myadfs.org/adfs/ls/?wa=wsignout1.0',
signatureAlgorithm: 'sha256'
},
function(profile, done) {
const username = profile.nameID.toLowerCase();
const email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'].toLowerCase();
const sessionIndex = profile.sessionIndex;
return done(null, {
username,
email,
sessionIndex
});
})
);
module.exports = passport;
passport callbackUrl:
module.exports.adfsAuthenticate = function(req, res) {
const email = req.user.email;
const username = req.user.username;
if (process.env.UAT === 'true') {
res.status(302).redirect(LANDING_PAGE_REDIRECT_DEV);
} else {
res.status(302).redirect(LANDING_PAGE_REDIRECT_PROD);
}
};
adfs注销:
module.exports.logout = function(req, res) {
req.logout();
req.session.destroy(function (err) {
if (!err) {
res.status(200).clearCookie('connect.sid', {path: '/'}).json({status: "Success"});
} else { alert(err); }
});
};
我观察到有一个cookie会存储在名为“ MSISSignoutProtocol”的浏览器中,如果该cookie存在,则注销将无法在后续请求中正常工作。