Azure AD B2C automatic logout after session timeout - blazor-webassembly

I have a SPA on Blazor that is already migrated to B2C and login/logout functionality works fine.
I also created and run a SignUp_SignIn custom policy according to this MSDN article and everything seems to work fine.
After the session is expired, if I open a new browser tab, I am prompted to login again.
However, if I open my application, successfully log in to it via B2C, wait the configured amount of time and the session expires, it does not automatically log me out and redirect me to the login page.
So, the question is: Should automatic logout after session expiry be implemented on the application side or should I add any additional configuration to my custom policy?

So, I came up with the following solution:
https://www.syncfusion.com/faq/blazor/event-handling#:~:text=How%20do%20you%20initiate%20automatic%20logout%20when%20a%20user%20is%20inactive%20in%20Blazor%3F
and then redirect the user to the application logout page.
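The inactivity-based logout described in that answer, written as an added Blazor WebAssembly component (example code, not the poster's): it wraps the app content, restarts a timer on mouse or keyboard activity, and sends the user to the app's logout route when the timer fires. The `authentication/logout` path is the Blazor WASM template default, `NavigationManager.NavigateToLogout` assumes .NET 7 or later, and the idle length is an assumed value to be aligned with the B2C session lifetime.

```razor
@* IdleLogout.razor: wrap <Router> in App.razor as <IdleLogout IdleMinutes="20"> ... </IdleLogout> *@
@using System.Timers
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@implements IDisposable
@inject NavigationManager Navigation

@* Events bubble up from every child, so any activity in the app reaches these handlers. *@
<div @onmousemove="ResetIdleTimer" @onkeydown="ResetIdleTimer" @onclick="ResetIdleTimer">
    @ChildContent
</div>

@code {
    [Parameter] public RenderFragment? ChildContent { get; set; }

    // Assumed default; set it no longer than the B2C session lifetime so the
    // local session never outlives the identity provider session.
    [Parameter] public int IdleMinutes { get; set; } = 15;

    private Timer? _idleTimer;

    protected override void OnInitialized()
    {
        _idleTimer = new Timer(TimeSpan.FromMinutes(IdleMinutes).TotalMilliseconds)
        {
            AutoReset = false   // fire once; activity restarts it explicitly
        };
        _idleTimer.Elapsed += OnIdle;
        _idleTimer.Start();
    }

    // Called for every tracked user event: Stop/Start restarts the countdown.
    private void ResetIdleTimer()
    {
        _idleTimer?.Stop();
        _idleTimer?.Start();
    }

    private void OnIdle(object? sender, ElapsedEventArgs e)
    {
        // Marshal onto the renderer before navigating. NavigateToLogout issues the
        // POST-based logout that the WASM authentication handler expects, which ends
        // the local token cache and redirects to the B2C end-session endpoint.
        InvokeAsync(() => Navigation.NavigateToLogout("authentication/logout"));
    }

    public void Dispose() => _idleTimer?.Dispose();
}
```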

Related

WSO2 v5.9.0 SAMLS SSO with Service Provider (AD) 'user must change password at next logon' causes auth error instead of redirecting to .NET App

Hi, I have not been able to find an answer on Stack Overflow or online; hoping someone has experience of a similar setup.
We have a .NET Core 3.1 user management application which obtains user information from a Windows 2016 Active Directory server (application access is done via the groups defined in AD). It is fairly rudimentary; the idea is:
Start application > Redirect to WSO2 (version 5.9.0) IAM Logon page
Attempt to logon with a valid AD user (which has been set to 'user must change password at next logon'..)
WSO2 appears to attempt to authenticate and then logon however fails
Kibana shows a logon failed message for this particular user
The WSO2 logon page shows an error message
However what we were expecting to happen was for a redirect to occur back to the .NET Core application and we customised the logon.jsp related pages as per the WSO2 Customisation guide.
WSO2 does not have any identity providers; it uses a service provider with SAML SSO configured.
The custom logon.jsp page has some code that checks the incoming RelyingParty value and performs the appropriate redirect as required.
The issue:
The redirect is not working as expected instead of redirecting back to the .NET Core application that made the initial call to the WSO2 IAM the above occurs i.e. the logon page shows an authentication error.
What we would like for the server to do is redirect back the .NET Core application IF the 'user must change password at next logon' radio button is enabled on their AD account - this needs to happen at the server side i.e. WSO2 (well that's my limited understanding if you know better please do advise).
Ideal scenario:
.NET App startup > WSO2 logon page
SAML SSO flow > LDAP query to AD return user
detect that 'user must change password at next logon' is true and then redirect back to the .NET app, where the app will take over, query AD and display the change password views (nothing special about these, standard change-password actions)
.NET App > call WSO2 again perform valid logon return with SAML SSO response back to .NET APP.
Thank you in advance :-)
As per your issue description, I believe that you have made the following configuration in the AD.
I believe you have initiated the Admin Forced Password Reset flow by setting the "User must change password at next login" option in the AD for the user. But unfortunately, it is not possible as once the "change password at next login" is selected in the AD, it marks the password as expired and the WSO2 IS treats it as Authentication Failed (LDAP error code 49). Therefore, it will require API level customization of WSO2 IS basic authenticator and the user store manager to achieve your requirement.
But in the WSO2 IS Admin Forced Password Reset flow, the user will be given an OTP through email to log in to the IS and the password reset flow will be initiated, similar to your requirement, without using the AD. Hence, it is recommended to use the Admin Forced Password Reset flow available in the WSO2 IS to reset the password of the user.

Integrating SSO with an Application with Native Authentication

I have been tasked with integrating single-sign-on for an existing application, so I've been working on a couple of demos. The first one was the standard demo for Spring Security and I got that working. Now I'm trying to do a proof-of-concept demo where I created a toy version of the application in question with only two screens: one for login, and one to display some information about the user that logged in. I want to integrate SSO with this application so that the user has two ways to be authenticated: either by entering credentials directly in the login screen or by a SSO SAML request...
So I copied over SAML libraries and configurations from the standard SSO demo into my proof-of-concept application, and I seem to have SSO working, albeit a bit too well, in that I'm no longer able to get to my login screen, i.e., I still want that to be the default behaviour for someone entering the base URL for the application. How do I have to configure my application to achieve this?
The way I solved the problem was by changing the Spring Security configuration so that instead of using the generic /** to require SSO authentication for most pages of the application, it now only requires such authentication for a single HTML page, sso.htm. This "page" is really translated by the application as a request to a controller that handles the application-specific processing for an SSO request. The initial page for the application, redirect.jsp, now contains some logic to pick which page a user should be redirected to, based on whether he or she got to that page directly (i.e., by typing in the default URL for the application) or via a SAML message from a trusted identity provider.
Note: For this to work, the initial page cannot be designated in the Spring Security configuration as either a secured or unsecured page. If it were secured, then this page could only be accessed after an SSO authentication, so a user would be thwarted from doing a non-SSO login. If unsecured, then the security context would not be accessible from that page, so the page logic would be unable to determine if the user in question has SAML credentials and an SSO authentication request for the application could never be fulfilled.
Once the user has been authenticated, either by credentials entered in the login screen or by an SSO request, from that point on, the application's continuing authentication of that user to view its pages is the same, i.e., no further SSO authentication is done. But when the user logs off from the application (or is logged off due to a session timeout), a check is made then to see if SSO authentication was done for this user. If so, then in addition to being logged out from the application, a local SSO logout is also done for the user, i.e., the SSO authentication session for the application is terminated, but the user remains logged in with his or her identity provider. So such a user could log back into the application in question, either directly via the application's login screen or by having the identity provider issue a new SAML message.
Hope this helps someone else...

How could I refresh (or detect an expired) active directory oauth2 token in ASP.NET?

I am using azure active directory integration with an MVC application. So users get redirected to the azure login portal to enter their credentials. My application has many ajax requests which will not work when the authentication token is expired because the MVC application tries to redirect the API call to the AD login page.
When I refresh the page, any API requests will start to work again. I was wondering how I can detect on the client side when a session expires or how I can handle refreshing a token with API calls.
You could try to renew the session by adding a hidden iframe in Layout.cshtml, which hits the new "forced" sign in route at regular time intervals (in the sign in operation you could acquire a new access token).
Please refer to the article controlling a Web App's session duration. In that article you could find a code sample about how to ensure that the app's session lasts as long as the IdP session (or at least approximate it) in ASP.NET MVC.

Using Windows Integrated Auth & Anonymous after jakarta redirect on IIS7

I have an application we bought that I need to integrate, and it uses jakarta connection to get to the application from IIS.
So, the basic operation is:
user goes to the url
Gets redirected to the application
SSO is enabled, so redirected back to IIS for fetching of domain credentials
Back to application
If username is blank show login page, else let user in.
This is a simplification of all the steps, but the basic idea is here.
My difficulty is that I need both Windows Integrated Auth and anonymous on, as some users won't have credentials, and need to be prompted for a username/password.
I have looked at: IIS Windows Authentication before Anonymous already, but the user doesn't get to click on a link to decide. The application goes back to IIS looking for login.aspx and from there I want to either get their domain credentials or pass back to the application empty strings to signify that there are no credentials.
It seems this isn't going to be possible though, as if anonymous is on it doesn't make the 401 request, so the credentials aren't passed.
If I can't get this to work with just using an ASP.NET page, could it be done using an ISAPI filter, or a module?
UPDATE:
I found a possible solution, but I need to figure out how to get it to work, as my login page is on the JBoss server.
http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx
Keep the authentication in IIS as Anonymous.
When loading the home page, check Active Directory for the currently logged-in username; if it exists, provide the extra functionality to the current user, or else show fewer options.
Refer --> Active Directory Checking

Passing existing cookie to Web service

Hi, I have the following scenario:
1) I'm authenticated against some ASP.NET web site and my session timeout expires in 24 hours.
2) After some time I would like to run a query against an ASP.NET web service located on the site using the existing authentication.
What should I add to the CookieContainer? How do I send the existing cookie to the web service?
Thank you in Advance.
Danny.
A web service call is just an http call so it will come under the existing authentication.
I am assuming here that you are issuing this from the browser?
If not - e.g. if you are doing it from a console application, then you will have to interact with the site as if you were a user. Some more details are here: http://www.ksingla.net/2006/08/sample_forms_authentication_test_in_csharp/
Basically you need to issue a post to login to the login page - track all of the cookies etc - and then start issuing your WS calls with those cookies.
Another option is here http://en.gli.sh/Blog/post/NET-Interoperability-Between-Smart-Client-and-Internet-Explorer-Using-Cookie-based-Authentication.aspx which is reading the correct cookie info from the windows machine you are on - relies on you being logged into the website and also trusted to be able to get to that file.
Alternatively you can look into implementing a WSE or WCF solution.
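The console-client approach from that answer, as an added C# example (not the answerer's code): one `CookieContainer` is shared by the login POST and the later web-service calls, so the Forms Authentication cookie issued at login is sent automatically, and an already-known cookie value can be placed in the container directly. The host, `Login.aspx`, the form field names and the service path are assumptions; `.ASPXAUTH` is the ASP.NET Forms Authentication default cookie name.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Usage: using var c = new FormsAuthWsClient(new Uri("https://example.test/"));
//        await c.LoginAsync("alice", pw); var xml = await c.CallServiceAsync("Service.asmx/GetData");
public sealed class FormsAuthWsClient : IDisposable
{
    private readonly Uri _site;
    private readonly CookieContainer _cookies = new();
    private readonly HttpClient _http;

    public FormsAuthWsClient(Uri site)
    {
        _site = site;
        // Every request goes through one handler with one cookie jar, so whatever
        // Login.aspx sets is replayed on later calls, exactly as a browser would do.
        var handler = new HttpClientHandler { CookieContainer = _cookies, UseCookies = true };
        _http = new HttpClient(handler) { BaseAddress = site };
    }

    // Option 1: no cookie yet, so log in the way a user would (assumed field names).
    public async Task LoginAsync(string user, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["UserName"] = user, ["Password"] = password
        });
        using var resp = await _http.PostAsync("Login.aspx", form);
        resp.EnsureSuccessStatusCode();   // the 302 to the start page is followed automatically
        // A failed login returns the login page again without the cookie: detect that here.
        if (_cookies.GetCookies(_site)[".ASPXAUTH"] is null)
            throw new InvalidOperationException("Login did not set .ASPXAUTH; check credentials/field names.");
    }

    // Option 2: an .ASPXAUTH value is already known (e.g. taken from the logged-in browser).
    // It is a bearer credential for that user until the 24-hour timeout, so store it like a password.
    public void UseExistingAuthCookie(string aspxAuthValue) =>
        _cookies.Add(_site, new Cookie(".ASPXAUTH", aspxAuthValue));

    // The web-service call is just another HTTP request carrying the same cookie.
    public async Task<string> CallServiceAsync(string relativePath)
    {
        using var resp = await _http.GetAsync(relativePath);
        // An expired or rejected cookie shows up as a redirect to Login.aspx, not as data.
        var finalPath = resp.RequestMessage?.RequestUri?.AbsolutePath ?? "";
        if (finalPath.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Session cookie not accepted; authenticate again.");
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }

    public void Dispose() => _http.Dispose();
}
```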