Google Signout causes error

Kiran
Hi Team,

I am getting the below error when I sign out from Google or from the identity provider.

Below is my SAML configuration:

<PartnerServiceProvider Name="google.com/a/mydomain.com"
          WantAuthnRequestSigned="false"
          SignSAMLResponse="true"
          SignAssertion="false"
          EncryptAssertion="false"
          NameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          AssertionConsumerServiceUrl="https://www.google.com/a/mydomain.com/acs"
          SingleLogoutServiceUrl="https://mail.google.com/a/mydomain.com/?logout"
          PartnerCertificateFile="mycert.cer"/>


ComponentSpace
Google doesn't support SAML logout.
The sign-out URL you configure in Google is where it will redirect to. This is a simple HTTP Get rather than a SAML logout request.

Regards
ComponentSpace Development
Kiran
ComponentSpace - 9/28/2016
Google doesn't support SAML logout.
The sign-out URL you configure in Google is where it will redirect to. This is a simple HTTP Get rather than a SAML logout request.

So what is the solution for this?
I need to log out from Google and the identity provider when I try to log out from Google.

Below are my settings at the Google admin console:



ComponentSpace
When a user logs out from Google, Google will redirect to the sign-out URL you've configured.
You can then logout the user from the identity provider as well.
This doesn't involve SAML but instead is simply a redirect to your application.

Regards
ComponentSpace Development
Kiran
ComponentSpace - 9/28/2016
When a user logs out from Google, Google will redirect to the sign-out URL you've configured.
You can then logout the user from the identity provider as well.
This doesn't involve SAML but instead is simply a redirect to your application.

My Google settings are


public virtual ActionResult SLOService()
{
    // Receive the single logout request or response.
    // If a request is received then single logout is being initiated by the service provider.
    // If a response is received then this is in response to single logout having been initiated by the identity provider.
    bool isRequest = false;
    bool hasCompleted = false;
    string logoutReason = null;
    string partnerSP = null;

    SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP);

    if (isRequest)
    {
        // Logout locally.
        //FormsAuthentication.SignOut();
        SignoutManager.SignoutIdentityProvider();

        // Respond to the SP-initiated SLO request indicating successful logout.
        SAMLIdentityProvider.SendSLO(Response, null);
    }
    else
    {
        if (hasCompleted)
        {
            // IdP-initiated SLO has completed.
            Response.Redirect("~/");
        }
    }

    return new EmptyResult();
}


The above is my code. Could you please let me know what change I have to do?
ComponentSpace
Remove the calls to SAMLIdentityProvider.ReceiveSLO and SAMLIdentityProvider.SendSLO as this isn't a SAML logout message exchange.
Google will redirect to your page (ie an HTTP Get) rather than sending a SAML logout request.
Your code will be something like the following:


SignoutManager.SignoutIdentityProvider();
return RedirectToAction("Index", "Home");



It's really whatever makes sense for your application.
You probably want to logout the user locally and then redirect somewhere within your application.

Regards
ComponentSpace Development
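
An added example (not ComponentSpace's or the poster's code): a single SLOService action that accepts both the plain HTTP GET Google sends to the sign-out URL and a real SAML logout message, by checking for the standard SAMLRequest/SAMLResponse parameters before calling ReceiveSLO. SignoutManager is the poster's own helper and is assumed to exist; the controller name and the fixed redirect target are illustrative.

```csharp
using System.Web.Mvc;
using ComponentSpace.SAML2;

public class SamlController : Controller   // controller name is illustrative
{
    // SAML bindings carry the protocol message in a SAMLRequest or SAMLResponse
    // parameter: query string for HTTP-Redirect, form field for HTTP-POST.
    private bool CarriesSamlMessage()
    {
        foreach (var name in new[] { "SAMLRequest", "SAMLResponse" })
        {
            if (!string.IsNullOrEmpty(Request.QueryString[name]) ||
                !string.IsNullOrEmpty(Request.Form[name]))
            {
                return true;
            }
        }
        return false;
    }

    public ActionResult SLOService()
    {
        if (!CarriesSamlMessage())
        {
            // Google's sign-out URL redirect: a plain GET with no SAML message,
            // so there is nothing for ReceiveSLO to parse.
            SignoutManager.SignoutIdentityProvider(); // poster's own helper (assumed)

            // Redirect to a fixed in-app location, not a caller-supplied URL.
            return RedirectToAction("Index", "Home");
        }

        // A SAML logout request or response from a partner that supports SLO.
        bool isRequest, hasCompleted;
        string logoutReason, partnerSP;
        SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP);

        if (isRequest)
        {
            SignoutManager.SignoutIdentityProvider();
            SAMLIdentityProvider.SendSLO(Response, null);
        }
        else if (hasCompleted)
        {
            return RedirectToAction("Index", "Home");
        }
        return new EmptyResult();
    }
}
```
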
Kiran
ComponentSpace - 9/28/2016
Remove the calls to SAMLIdentityProvider.ReceiveSLO and SAMLIdentityProvider.SendSLO as this isn't a SAML logout message exchange.
Google will redirect to your page (ie an HTTP Get) rather than sending a SAML logout request.
Your code will be something like the following:


SignoutManager.SignoutIdentityProvider();
return RedirectToAction("Index", "Home");



It's really whatever makes sense for your application.
You probably want to logout the user locally and then redirect somewhere within your application.

Hi Team,

Thanks for the reply.

I have modified the code like below:



public override ActionResult SLOService()
{
    SignoutManager.SignoutSolusIdentityProvider();
    if (SAMLIdentityProvider.IsSSO())
    {
        // Request logout at the service providers.
        SAMLIdentityProvider.InitiateSLO(Response, null);
        return new EmptyResult();
    }
    return RedirectToAction("Index", "Home");
}


But I have a new problem now.
I have another SSO configured for Office 365 which has another endpoint for SSOService (saml/office356/SSOService) and SLOService (saml/office365/SLOService).
For Google I have another endpoint SSOService (saml/google/SSOService) and SLOService (saml/google/SLOService).

When I log out from Google (SP-initiated logout) I am not getting logged out from Office 365.
But when I log out from Office 365 I am logged out from Google.

What could be the issue? Let me know if you want my code snippets or SAML configs.







ComponentSpace
Please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning this forum post.
I'd like to see both scenarios for comparison.
If you could send separate log files identifying which is which that would be very helpful.

Regards
ComponentSpace Development