Return URL from Azure AD login not working

We are having an issue with the Azure AD authentication. It happens when logging out from Azure AD and when re-logging in after session inactivity (expired session).

Being logged in (Azure AD) to our application, if the user hits the Logout link it is redirected to the configured Azure login page. If login is successful the flow is redirected to the referrer url.

Looking at the Users module I found out that this referrer url is saved in a session variable before redirection to Azure login page. Afterwards, when Azure login is successful and redirected back to our application, this session is no longer available - new session is created - thus its variables are emptied. As so, the flow redirects to the default return url which is the Users application - http://(...)/Users

This is the Logout flow:

User hits the Logout link
1. User is redirected to internal logout page - got from action User_GetUnifiedLogoutUrl (from Users module) - with referrer url in querystring
Entry point Logout in Users module is opened (DoSLOLogout page)
1. User session is killed in server
2. A SAML logout request message is created
3. The above request is sent to Azure configured logout page (ConfigIdP table, SLOUrl field) with referrer url in querystring
Azure AD logout page is opened and azure session ends
1. Flow is sent back to the referrer url (business page)
Security exception is thrown because user is not logged in
1. User is redirected to internal login page - got from action User_GetUnifiedLoginUrl (from Users module) - with referrer url in querystring
Entry point SAMLLogin in Users module is opened (DoLogin page)
1. A SAML login request message is created
2. Saves the referrer URL in session (Session.LoginDestinationURL)
3. The above request is sent to Azure configured login page (ConfigIdP table, SSOUrl field)
Azure AD login page is opened, requested username and passcode
1. Flow is sent back to Users
Entry point SSO in Users module is opened (IdP page)
1. Response is processed and validated
2. OutSystems login is done
3. Redirects to the URL saved in session (Session.LoginDestinationURL), or, if empty, to the configured LoginDefaultReturnUrl from database table ConfigInternal (Users module)

The problem is that in step 7c the session variable is already empty, eventually the value assigned in step 5b emptied - actually a new session was created. This does not happen every time, only when the session is idle for over 30 seconds...

For the cases that work fine the session identifier for step 7 is the same as for step 5 (keeps the same Session); when it doesn't work, these steps have different SessionId.

There are evidences of this in SAML message logs. When it works, LoginResponse messages have the referrer url in Related URL record.

As a quick fix I obviously tried to update table ConfigInternal (OSUSR_[...]_CFGINTRN) but every record has a hash protection, and couldn't find any UI for it.

Does anyone have or ever had the same problem?

30 Oct 2020

Joao Melo

Solution

A new version of Users module fixes this issue. To be included in a future platform release.

30 Nov 2020

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.

See the full guidelines