ADFS IDP initiated SLO not working properly
nicabi
New Member (5 reputation)
Group: Forum Members
Posts: 4, Visits: 27
I have a SAML local web app that acts as a Service Provider for an ADFS Identity Provider. Every IDP-initiated SLO only signs the user out of the server, but leaves the user still signed on at the service provider. What are the configurations that I should put in the Relying Party Trust's Endpoints for this to work?
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Your SP is responsible for the local login/logout of the user.
You need to configure a SAML logout endpoint for your relying party in ADFS.
The URL is the endpoint in your application to receive SAML logout messages.
We recommend specifying the HTTP-Redirect binding but HTTP-Post may be used instead.
In your saml.config you'll need to configure the SingleLogoutServiceUrl which is the ADFS endpoint that receives SAML logout messages.
The endpoint is the same URL as that of the SingleSignOnServiceUrl.
When ADFS initiates SLO, at your SAML logout endpoint you should call SAMLServiceProvider.ReceiveSLO to receive and process the logout request.
Your application should then logout the user locally before calling SAMLServiceProvider.SendSLO to create and send a logout response to ADFS.
The following section of code is from the ExampleServiceProvider and demonstrates this.
In this example, forms authentication is used but the logout method is application specific. 


using ComponentSpace.SAML2;
using System.Web.Security;

// Receive and process the SAML logout message sent by ADFS. For an IdP-initiated SLO
// this is a logout request; for an SP-initiated SLO it is the logout response.
bool isRequest;
string logoutReason;
string partnerIdP;
string relayState;

SAMLServiceProvider.ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP, out relayState);

if (isRequest)
{
  // Logout locally.
  FormsAuthentication.SignOut();

  // Respond to the IdP-initiated SLO request indicating successful logout.
  SAMLServiceProvider.SendSLO(Response, null);
}



You'll find more information in our ADFS Relying Party Integration Guide.
https://www.componentspace.com/Forums/9358/ADFS-Integration-Guides


Regards
ComponentSpace Development
nicabi
New Member (5 reputation)
Group: Forum Members
Posts: 4, Visits: 27
Thank you for your response.
My application is mostly built based on the ExampleServiceProvider code and I've already followed all the steps from the Relying Party Integration Guide from the link you provided me, therefore I have the logout point in my SAML application already implemented.
My problem is that when I decide to "Sign out from all the sites that you have accessed." from the IDP, I am redirected to the ADFS sign-in page, where it says that I am no longer signed in. But I am never redirected to the logout point in my application, even though I added the link in the endpoint of my Relying Party and I use the Redirect binding.
As for the saml.config, currently I use for the SingleSignOnServiceUrl of my ADFS the next URL: 'https://www.mydomain.com/adfs/ls'. If I try to use it as SingleLogoutServiceUrl, the SP-initiated signout will give me an error and in the logs I can see this message: "Received a LogoutRequest item that is not a NameID".
The SingleLogoutServiceUrl that works is "https://www.mydomain.com/adfs/ls/?wa=wsignout1.0"

ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
ADFS requires the SAML logout request to include a NameID.
This originates from the NameID in the SAML assertion sent by ADFS.
Make sure that the claim rules for the relying party in ADFS include a mapping from the UPN or email address to the SAML NameID.
Once you have SP-initiated SLO working, hopefully IdP-initiated SLO will work also.
The ...wa=wsignout1.0 URL is a WS-Federation endpoint and shouldn't be used for SAML.

Regards
ComponentSpace Development
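The two ADFS-side pieces discussed in this thread, the SAML logout endpoint on the relying party trust (first reply) and a claim rule set that always produces a NameID (reply above), can be applied together with the ADFS PowerShell module. The script below is an added example, not from the thread or from ComponentSpace; the relying party name, the SP logout URL and the choice of mail-then-UPN fallback are assumptions for your own environment, and it assumes ADFS accepts a NOT EXISTS condition combined with a regular condition.

```powershell
# Added example (not from the thread or ComponentSpace): configure the ADFS side of
# SAML SLO for an existing relying party trust. Placeholders: $rpName, $spLogoutUrl.
Import-Module ADFS

$rpName      = "Example SP"                                   # assumed relying party display name
$spLogoutUrl = "https://sp.example.com/SAML/SLOService.aspx"  # assumed SP endpoint that calls ReceiveSLO

# 1. SAML logout endpoint with the HTTP-Redirect binding.
#    -SamlEndpoint replaces the whole endpoint list, so keep the existing
#    assertion consumer endpoints and only swap out any old logout endpoint.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$logoutEndpoint = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $spLogoutUrl
$endpoints = @($rp.SamlEndpoints | Where-Object { $_.Protocol -ne 'SAMLLogout' }) + $logoutEndpoint
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlEndpoint $endpoints

# 2. Issuance transform rules. Rule 1 reads mail and UPN from Active Directory,
#    rule 2 issues the NameID from the email address, rule 3 falls back to the UPN
#    when the account has no mail attribute, so the assertion never lacks a NameID
#    (the condition that made ADFS reject the LogoutRequest in this thread).
#    -IssuanceTransformRules replaces the existing rule set; merge with any rules
#    you already have before applying.
$rules = @'
@RuleName = "Send mail and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Email address to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "UPN to NameID when no email address"
NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"])
 && c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# 3. Verify: the Redirect logout endpoint and the NameID rules should now be listed.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' } | Format-List Binding, Protocol, Location
$rp.IssuanceTransformRules
```

After applying it, an SP-initiated logout from the ComponentSpace SP should no longer log "Received a LogoutRequest item that is not a NameID", because every assertion now carries a NameID from either mail or UPN, and the IdP-initiated "sign out from all sites" flow has a SAML (not WS-Federation) endpoint to redirect to.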
nicabi
New Member (5 reputation)
Group: Forum Members
Posts: 4, Visits: 27
I had only the email address mapped to the SAML NameID, but I never gave my user an actual email. I added the UPN to the claim rules as you said and it works now. Thank you very much. Now it works for both SP- and IDP-initiated SLO. But I have another question: is it possible to map to NameID from more attributes?
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
You can map whatever you like to the NameID but typically it's the UPN or email address.
The only catch, as you've discovered, is that if the mapping results in no NameID the logout won't work.

Regards
ComponentSpace Development
nicabi
New Member (5 reputation)
Group: Forum Members
Posts: 4, Visits: 27
I see. Thank you very much!
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome.

Regards
ComponentSpace Development