Can SloResult be an incompleted response?


JosephNewton
In the example identity provider project's SAML controller's SingleLogoutService method, no action is taken if the sloResult is an incomplete response (see comment in red). 


public async Task<ActionResult> SingleLogoutService()
{
    // Receive the single logout request or response.
    // If a request is received then single logout is being initiated by a partner service provider.
    // If a response is received then this is in response to single logout having been initiated by the identity provider.
    var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

    if (sloResult.IsResponse)
    {
        if (sloResult.HasCompleted)
        {
            // IdP-initiated SLO has completed.
            return RedirectToPage("/Index");
        }
        // ***** is it possible to end up here? *****
    }
    else
    {
        // Logout locally.
        await _signInManager.SignOutAsync();

        // Respond to the SP-initiated SLO request indicating successful logout.
        await _samlIdentityProvider.SendSloAsync();
    }

    return new EmptyResult();
}


Could you clarify the possible scenarios which could lead to an SloResult being received in this state (isResponse = true, hasCompleted = false) and any recommendations you have for handling them?

Thanks.
ComponentSpace
The short answer is yes, it is possible for isResponse=true and hasCompleted=false.
This indicates a logout response has been received from a partner service provider but there are other service providers to log out.

For example, suppose the user is logged in at the IdP, SP1 and SP2.
The sequence will be as follows.
1. Call _samlIdentityProvider.InitiateSloAsync to send a logout request to SP1.
2. Call _samlIdentityProvider.ReceiveSloAsync to receive the logout response from SP1 (isResponse=true, hasCompleted=false).
3. A logout request is then sent to SP2 as part of the _samlIdentityProvider.ReceiveSloAsync processing in step 2.
4. Call _samlIdentityProvider.ReceiveSloAsync to receive the logout response from SP2 (isResponse=true, hasCompleted=true).

In the more common case of a single SP, the abbreviated sequence is as follows.
1. Call _samlIdentityProvider.InitiateSloAsync to send a logout request to SP.
2. Call _samlIdentityProvider.ReceiveSloAsync to receive the logout response from SP (isResponse=true, hasCompleted=true).




Regards
ComponentSpace Development
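
Added example (not part of the original thread and not ComponentSpace code): a toy C# model of the two-SP sequence described in the reply above, showing which SloResult flags each receive step yields. SloSession, SloResultModel, the response-matching check and the SP names are assumptions made for illustration; only the IsResponse / HasCompleted semantics come from the thread.

```csharp
#nullable enable
// Toy model of IdP-initiated single logout across several SPs.
// All type and member names here are hypothetical, not the library's API.
using System;
using System.Collections.Generic;

public record SloResultModel(bool IsResponse, bool HasCompleted, string? NextRequestSentTo);

public class SloSession
{
    private readonly Queue<string> _pending;   // SPs still to be sent a logout request
    private string? _awaiting;                 // SP whose logout response is outstanding

    public SloSession(IEnumerable<string> loggedInSps) => _pending = new Queue<string>(loggedInSps);

    // Models InitiateSloAsync: the logout request goes to the first SP.
    public string Initiate() => _awaiting = _pending.Dequeue();

    // Models ReceiveSloAsync when the incoming message is a logout response.
    public SloResultModel ReceiveResponse(string fromSp)
    {
        // Model assumption: a response must match the outstanding request.
        if (fromSp != _awaiting)
            throw new InvalidOperationException($"Unexpected logout response from {fromSp}");

        if (_pending.Count > 0)
        {
            // More SPs remain: the next logout request is sent as part of
            // receive processing, so the result is "response, not completed".
            _awaiting = _pending.Dequeue();
            return new SloResultModel(true, false, _awaiting);
        }
        _awaiting = null;
        return new SloResultModel(true, true, null);
    }
}

public static class Program
{
    public static void Main()
    {
        var session = new SloSession(new[] { "SP1", "SP2" });   // constructed sample
        Console.WriteLine($"InitiateSlo -> logout request to {session.Initiate()}");
        foreach (var sp in new[] { "SP1", "SP2" })
        {
            var r = session.ReceiveResponse(sp);
            Console.WriteLine($"ReceiveSlo({sp}): IsResponse={r.IsResponse}, HasCompleted={r.HasCompleted}, next={r.NextRequestSentTo ?? "-"}");
        }
    }
}
```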