SAML 2 Single Signon question


Hello,

Referring to a previous post regarding the SSO method I had to implement (currently using WiseJ 1.x):

1) using an ASPX page to accept the SAML post and extract the SAML tokens I need to authenticate a user from a customer.

2) encrypt some data from the SAML post into a string and set a cookie.

3) in the WiseJ login form – read the cookie

4) authenticate the user against the database and if valid – start up the Wisej session

5) Delete the cookie with Application.Cookies.Remove("AuthCookieName");

 

So – this all works except there are 2 issues:

  1. Looking in Chrome developer tools – the cookie is not deleted. Even though the data is encrypted within it I don’t like the idea that it is hanging around visible in developer tools and possibly on the user’s machine for inspection.
  2. When I log out of the Wisej app – it refreshes my ASPX page – which attempts to log in again. I tried the !Postback check on the page load, but this is not a postback so it passes that check. How can I ignore the refresh of the page and not attempt the login again?

 


For the cookies issue, I just had a similar request. I think the problem is that the cookie is set HttpOnly, so Wisej cannot remove it using the WebSocket response. But you can use the HttpContext in the first request, since it's HTTP.

 

This, executed in Program.Main, deletes an HttpOnly cookie (the browser drops a cookie when it receives one with the same name and an Expires in the past):

System.Web.HttpContext.Current.Response.Cookies.Add(
    new System.Web.HttpCookie("Test") { HttpOnly = true, Expires = DateTime.Now.AddDays(-1) });

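The answer above expires the cookie from the server side because the Wisej client cannot see an HttpOnly cookie. The following is an added example, not code from the original post or from Wisej, showing the question's SSO cookie being set and later expired through one builder so that name, Path and Domain match on both operations (a browser only replaces or drops a cookie when all three match). The cookie name comes from the question; the path, the two-minute lifetime and the helper names are assumptions, and SameSite support needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Web;

// Added example (not from the original post or the Wisej project): the SSO cookie
// from the question, set by the ASPX page and expired by the Wisej application.
// Cookie name is from the question; path, lifetime and helper names are assumptions.
public static class SsoCookie
{
    public const string Name = "AuthCookieName";   // name used in the question
    const string CookiePath = "/";                 // assumed; must be identical on set and delete

    // One builder for both operations. Domain is deliberately left unset (host-only)
    // so it is the same on set and delete; a mismatch in Path or Domain is the usual
    // reason a "deleted" cookie keeps showing up in the developer tools.
    static HttpCookie Build(string value, DateTime expires)
    {
        return new HttpCookie(Name, value)
        {
            HttpOnly = true,                 // invisible to document.cookie
            Secure = true,                   // sent over HTTPS only
            Path = CookiePath,
            Expires = expires,
            SameSite = SameSiteMode.Lax      // requires .NET Framework 4.7.2 or later
        };
    }

    // Called from the ASPX page that received the SAML POST, right before it
    // redirects the browser to the Wisej application.
    public static void Set(HttpResponse response, string encryptedPayload)
    {
        // Short lifetime: the Wisej login form reads it on the very next request.
        response.Cookies.Add(Build(encryptedPayload, DateTime.UtcNow.AddMinutes(2)));
    }

    // Called from the first, plain HTTP request of the Wisej app (Program.Main, as in
    // the answer above) once the value has been read. The answer explains that
    // Application.Cookies.Remove() goes over the WebSocket and cannot reach an
    // HttpOnly cookie, so this has to happen on an HTTP response.
    public static void Expire(HttpResponse response)
    {
        // An Expires in the past is the only way to make the browser drop a cookie.
        response.Cookies.Add(Build(string.Empty,
            new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)));
    }

    // True when the cookie being written would delete the one held by the browser:
    // same name and path, expiry already passed. Useful in a unit test or when
    // reading the Set-Cookie header in the network tab.
    public static bool IsDeletion(HttpCookie cookie, DateTime now)
    {
        return cookie.Name == Name && cookie.Path == CookiePath && cookie.Expires < now;
    }
}
```

In the ASPX page you would call SsoCookie.Set(Response, encrypted) after validating the SAML response; in Program.Main, SsoCookie.Expire(System.Web.HttpContext.Current.Response) once the login form has consumed the value. The Set-Cookie header of that first response should then show the cookie name with an Expires in 1970; if the browser still keeps the cookie, compare its Path and Domain in the developer tools with the ones the application wrote.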

The cookie should be deleted, unless the URL doesn't match. Can you reproduce it in a small test case?

In JavaScript in Chrome (F12), put a break in Wisej.Core.setCookies() and see if it tries to set the cookie to delete with a date of "; Expires=Thu, 01 Jan 1970 00:00:00 UTC", which is the only way to delete cookies.

Alternatively, try Application.Browser.CookieStorage.RemoveValue("cookie name"); in this case the break on the client can go in Wisej.Core.removeStorageValue().

  • edmond girardi
    What about the issue with the ASPX form attempting to log in again when the Wisej session ends? Any way to avoid that?
  • Luca (ITG)
    What do you want the page to do when the session ends? If you have autoReload:true in Default.json it will refresh the browser. Otherwise Wisej doesn't do anything. You can always override the client behavior using:

        Wisej.onExit = function() {
            // this is the default implementation
            // when AutoReload is set to true.
            location.reload();
        }
  • edmond girardi
    Got it. I'll have to figure out when they hit the SSO page and not the normal login. I think I want to do a server redirect to the standard Wisej URL and leave them at the login page so they know they are logged out.
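The second issue in the thread is that a refresh of the ASPX page runs the SSO login again, and the !IsPostBack check does not help because the IdP's cross-site POST carries no ViewState either, so IsPostBack is false for both the genuine login and the refresh. The following is an added example, not code from the original post or from Wisej, of a guard a practitioner would put in that page: only a POST carrying a SAMLResponse is processed, and an assertion whose ID has already started a session is refused, so a browser re-POST after logout (or a replayed capture of the same response) does not log the user in again. The class and method names, the in-memory store of consumed IDs and the redirect target are assumptions; signature and validity-window checks are left to the SAML library the page already uses.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.IO;
using System.Text;
using System.Xml;

// Added example (not from the original post or the Wisej project): decide whether
// the SSO page should start a login for this request. Names and the in-memory
// store are assumptions; this does not replace signature validation.
public static class SamlPostGuard
{
    const string AssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Assertion IDs that have already started a session. In production this must be
    // a shared store (database or distributed cache) whose entries live at least
    // until the assertion's NotOnOrAfter has passed; a static set only works for
    // a single process and is reset on recycle.
    static readonly HashSet<string> Consumed = new HashSet<string>(StringComparer.Ordinal);

    // Returns the assertion ID when the request is a fresh IdP POST that should start
    // the SSO login, or null when the page was merely reloaded or the assertion was
    // used before (browser re-POST on refresh, or a replay).
    public static string AcceptSamlPost(string httpMethod, NameValueCollection form)
    {
        if (!string.Equals(httpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return null;                       // a GET reload carries no SAML data

        string encoded = form["SAMLResponse"];
        if (string.IsNullOrEmpty(encoded))
            return null;                       // a POST without a SAML response

        string id = ExtractAssertionId(encoded);
        if (id == null)
            return null;                       // malformed or unexpected content

        lock (Consumed)
        {
            if (!Consumed.Add(id))             // seen before: refuse the second use
                return null;
        }
        return id;
    }

    // Decodes the base64 SAMLResponse and reads the ID of the first saml:Assertion.
    // DTDs and external resolution are disabled so untrusted XML cannot pull in
    // entities. Signatures and the validity window are checked elsewhere.
    static string ExtractAssertionId(string base64)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(base64); }
        catch (FormatException) { return null; }

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument();
        try
        {
            using (var reader = XmlReader.Create(new StringReader(Encoding.UTF8.GetString(raw)), settings))
                doc.Load(reader);
        }
        catch (XmlException) { return null; }

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", AssertionNs);
        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement;
        if (assertion == null) return null;

        string id = assertion.GetAttribute("ID");
        return string.IsNullOrEmpty(id) ? null : id;
    }
}
```

In Page_Load the call would be string id = SamlPostGuard.AcceptSamlPost(Request.HttpMethod, Request.Form); when it returns null, do what the last comment in the thread proposes, a server redirect to the normal Wisej URL (Response.Redirect("/Default.html") is an assumed target), so a reload after logout lands on the login page instead of re-running the SSO handshake. A non-null ID means this is the first time that assertion has been presented, and the rest of the original flow (validate with the SAML library, encrypt the data, set the cookie, redirect) can proceed.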