Claim Issuer not persisted when using Server Side Sessions #1546
Comments
Thanks for opening this. As the author of the Sustainsys.Saml2 package I can for sure confirm that the library expects the issuers to be persisted. I will have to discuss with my Duende colleagues if it is best to solve this on the IdentityServer side or if the Saml2 library should change. The LogoutNameIdentifier is already a structured string so the issuer could be moved from the Issuer property and into the payload.
I think there would be a very easy fix -- when we persist, include the issuer if it's not the default ("LOCAL AUTHORITY") and then when deserializing we see if that's non-null and set it into the claim when it's created. @AndersAbel perhaps you can investigate if this would be viable? I'd like to not store the default if possible, as that's additional bloat.
@dheardal We discussed this and as Brock implies above, this is a fix to be done on the Duende side. This time it was the Sustainsys.Saml2 library that failed, but it could be anything that relies on the issuer being persisted. We want the change to server side sessions to be transparent. That means we should store exactly those properties that the cookie handler normally does - no less, no more. @brockallen I'm transferring this issue to the IdentityServer repo and assigning it to me.
Other than turning off server side sessions, is there a workaround for this that would still allow SAML2 Single Logout?
Which version of Duende IdentityServer are you using?
7
Which version of .NET are you using?
8
Describe the bug
When using Server Side Sessions, the issuer of the claim is not persisted, which means on rehydration the issuer is set to LOCAL_AUTHORITY, which is the default for a claim. This causes issues with the Sustainsys.SAML2 Single Logout as it uses the issuer from the claim in order to redirect to the identity provider. See https://github.com/Sustainsys/Saml2/blob/3780695449868fdeb708f0665eadd042a1a27153/Sustainsys.Saml2/WebSSO/LogOutCommand.cs#L168
To Reproduce
Set up identity server to use Sustainsys.SAML2 as an external identity provider with single logout enabled, and enable server side sessions.
Then attempt to log out.
Expected behavior
The claim should be rehydrated with the original issuer in order to allow single logout.
--
The question is, was the omission of persisting the issuer a design choice and this should be handled in a different manner?
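The following is an added example, not code from the issue or from Duende IdentityServer, illustrating the failure described in the report and the fix sketched in the comments: a claim rehydrated without its issuer silently falls back to .NET's default issuer ("LOCAL AUTHORITY"), whereas storing the issuer only when it differs from the default, and restoring it on deserialization, preserves the value a logout handler keying on claim issuer needs. The PersistedClaim shape and ClaimPersistence helper are hypothetical and are not IdentityServer's real session storage schema; the issuer URL and user name are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

// Hypothetical minimal persisted form of a claim (not IdentityServer's own schema).
public sealed class PersistedClaim
{
    public string Type { get; set; } = "";
    public string Value { get; set; } = "";
    public string? ValueType { get; set; }
    // Null when the issuer is the .NET default (ClaimsIdentity.DefaultIssuer, "LOCAL AUTHORITY"),
    // so the default is not stored, as suggested in the thread.
    public string? Issuer { get; set; }
}

public static class ClaimPersistence
{
    // Store the issuer only when it carries information beyond the default.
    public static PersistedClaim ToPersisted(Claim claim) => new PersistedClaim
    {
        Type = claim.Type,
        Value = claim.Value,
        ValueType = claim.ValueType == ClaimValueTypes.String ? null : claim.ValueType,
        Issuer = claim.Issuer == ClaimsIdentity.DefaultIssuer ? null : claim.Issuer,
    };

    // The buggy rehydration: Issuer is never passed to the Claim constructor, so every
    // claim comes back with "LOCAL AUTHORITY" regardless of which IdP issued it.
    public static Claim FromPersistedLossy(PersistedClaim p) =>
        new Claim(p.Type, p.Value, p.ValueType ?? ClaimValueTypes.String);

    // The corrected rehydration: restore the issuer when one was stored.
    public static Claim FromPersisted(PersistedClaim p) =>
        new Claim(p.Type, p.Value, p.ValueType ?? ClaimValueTypes.String,
                  p.Issuer ?? ClaimsIdentity.DefaultIssuer);

    public static string Serialize(IEnumerable<Claim> claims) =>
        JsonSerializer.Serialize(claims.Select(ToPersisted).ToList());

    public static List<Claim> Deserialize(string json) =>
        JsonSerializer.Deserialize<List<PersistedClaim>>(json)!
            .Select(FromPersisted)
            .ToList();
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a name identifier as an external SAML2 IdP would issue it.
        var original = new Claim(ClaimTypes.NameIdentifier, "user@example.org",
                                 ClaimValueTypes.String, "https://idp.example.org/saml2");

        var json = ClaimPersistence.Serialize(new[] { original });
        Console.WriteLine(json);

        // Round trip through the lossy path: the issuer is gone.
        var lossy = ClaimPersistence.FromPersistedLossy(ClaimPersistence.ToPersisted(original));
        Console.WriteLine($"lossy issuer:    {lossy.Issuer}");

        // Round trip through the corrected path: the issuer survives.
        var restored = ClaimPersistence.Deserialize(json)[0];
        Console.WriteLine($"restored issuer: {restored.Issuer}");

        // A claim that never had an explicit issuer adds nothing to the stored payload.
        var local = new Claim(ClaimTypes.Name, "alice");
        Console.WriteLine(ClaimPersistence.ToPersisted(local).Issuer is null
            ? "default issuer omitted from storage"
            : "unexpected: default issuer stored");
    }
}
```

The lossy path is the one that breaks Sustainsys.Saml2 single logout in the report: the library looks up the identity provider by the issuer on the name identifier claim, and "LOCAL AUTHORITY" matches no configured IdP. Storing the issuer only when it is non-default keeps the session record small while making the server-side session round trip transparent to anything that depends on the issuer.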