ComponentSpace

Forums



SAML Logout during ASP Session Timeout


SAML Logout during ASP Session Timeout

Author
Message
Sanberth Claracay
Sanberth Claracay
New Member
New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)

Group: Forum Members
Posts: 1, Visits: 9
Hello Guys,

In our project, It is required to logout SAML during Server Timeout (ASP Session Timeout). The first thing I tried is doing SAMLServiceProvider.InitiateSLO but upon this time of the call, SSO Information is no longer available. And then I tried doing the SAMLServiceProvider.InitiateSLO during Session_End before the ASP Session is gone, but the problem with this part is there is no available context already (null). I tried creating a dummy context but it also doesnt work and IDP doesnt respond from the request. We are using InProc and we really need to logout SAML on Server Timeout, Is there any way to do this?

Thanks,
Sonny

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.9K
By default, we store SAML SSO session information in the ASP.NET session. This information is required to support SAML logout amongst other things.
If the ASP.NET session has been torn down then the call to SAMLServiceProvider.InitiateSLO will fail as the SSO session information also has been torn down.
Even if you successfully call SAMLServiceProvider.InitiateSLO during the Session_End event, the subsequent SAMLServiceProvider.ReceiveSLO call will fail.
However, even though the ReceiveSLO call fails, the SLO has completed in that the user should be logged out at the IdP.
If this is acceptable, you could simply catch any exception thrown by ReceiveSLO and continue your processing as if it had succeeded.
The alternative would be to store the SSO session information somewhere else other than the ASP.NET session.
However, you then have the problem of maintaining this and ensuring this separate storage is torn down when the ASP.NET session is torn down.
This could add quite a bit more complexity.


Regards
ComponentSpace Development
Bagavathi
Bagavathi
New Member
New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)

Group: Forum Members
Posts: 1, Visits: 2
ComponentSpace - 2/25/2016
By default, we store SAML SSO session information in the ASP.NET session. This information is required to support SAML logout amongst other things.
If the ASP.NET session has been torn down then the call to SAMLServiceProvider.InitiateSLO will fail as the SSO session information also has been torn down.
Even if you successfully call SAMLServiceProvider.InitiateSLO during the Session_End event, the subsequent SAMLServiceProvider.ReceiveSLO call will fail.
However, even though the ReceiveSLO call fails, the SLO has completed in that the user should be logged out at the IdP.
If this is acceptable, you could simply catch any exception thrown by ReceiveSLO and continue your processing as if it had succeeded.
The alternative would be to store the SSO session information somewhere else other than the ASP.NET session.
However, you then have the problem of maintaining this and ensuring this separate storage is torn down when the ASP.NET session is torn down.
This could add quite a bit more complexity.

Hi, I tried the above solution. I'm getting 'Response is not available in this context.' when SAMLServiceProvider.InitiateSLO is invoked on Session_End event. I guess there needs to be valid HttpContext available for SLO to be successful. Please advise if there is any alternate solution for performing SLO on Session Timeout.

Thanks,
Baga
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)ComponentSpace Development (3.2K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.9K
Hi Baga
Your understanding is correct. An HttpContext is required.
I suspect initiating SLO on the local session ending will be problematic and it's not something we advise doing.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search