SLO Integration in system without using ASP.NET Cookies
ChristopherMWood
New Member (2 reputation)

Group: Forum Members
Posts: 1, Visits: 7
I'm working on getting SLO working for a website and have implemented the SSO aspect so far. I am able to get the SP (my site) to redirect to the IdP no problem and then consume the response and get a user logged in using our own cookie authentication/session implementation. The issue is that when I go to use single logout, it complains in several different ways about the session not matching the login or something similar. Below is the breakdown of what I have tried and the results of my testing. There seems to be a lack of documentation and users submitting issues around this stuff, so I'm hoping somebody can clarify what piece I'm missing.

Problem Setup: The website I am developing for has ASP.NET Session Storage turned off for several reasons, so our initial requirement is that we are able to have a database manage this for us or for us to be able to hook into our own implementation of session storage. Below details the three different SAMLController.SSOSessionStore implementations I tried and the issues I had with each.

Attempt #1 (SAMLController.SSOSessionStore = new HttpSSOSessionStore();)
As I understand it, this is the base default implementation that ComponentSpace suggests. When using this, since we have ASP.NET Session turned off we get the following error when trying SSO.
“There is no HTTP session state as ASP.NET session cookies are not enabled.”

Given our requirements, we believe this to make sense and decided to move on to a database solution.

Attempt #2 (DatabaseSSOSessionStore)
SAMLController.SSOSessionStore = new DatabaseSSOSessionStore("System.Data.SqlClient", connectionString, "SSOSessions")
{
    SessionIDDelegate = delegate
    {
        return Guid.NewGuid().ToString();
    }
};

We built the database table as specified in the documentation and also provided a delegate for the session store that returned a new Guid as shown above. When testing we were able to see new session IDs going into the table that ComponentSpace manages, but when initializing SLO, we get the following error.
ComponentSpace.SAML2.Exceptions.SAMLProtocolException: 'There is no SSO session to partner {entity name} to logout.'

Since ComponentSpace seems to be the one managing the DatabaseSSOSessionStore, I’m not sure what I am doing wrong to confuse ComponentSpace. Seems like I’m missing a setup step here to get ComponentSpace to be able to track sessions for a user using the database. I am stuck here on this solution and would like guidance going forward on best practices and if I’m missing a step of how to get ComponentSpace to play well with the database solution. When I got blocked I moved on to a 3rd implementation to see if I could get that working.

Attempt #3 (CustomSSOSessionStore())
My most recent attempt was to try making a custom Session store. This proved very confusing since the interface I inherited from, AbstractSSOSessionStore, does not make it clear how it is supposed to be used. Or at least I’m not sure how to interpret it.
public override string SessionID { get; }
public override object Load(Type type)
public override void Save(object ssoSession)

With the given overrides available, I don’t know how this should be used to manage the session for ComponentSpace. The Load takes a Type and returns an Object, so when ComponentSpace asks to load the session, what info from the Type can we use to identify the request to pull from our own DB, as I assume this is asking? Then, for the Save, what form does the object parameter take that we can save, correctly identifying a specific user on our system? I feel like I’m missing a piece on this one somewhere of how this is supposed to play well with a custom system. Any guidance here is greatly appreciated. Below is my empty CustomSSOSessionStore that throws the same error as Attempt 2, also added below.
public class CustomSSOSessionStore : AbstractSSOSessionStore
{
    // Fixed placeholder ID; every browser shares it
    public override string SessionID
    {
        get { return "123456"; }
    }

    // Never returns a stored session, so SLO finds nothing to log out
    public override object Load(Type type)
    {
        return null;
    }

    // Discards whatever ComponentSpace asks to persist
    public override void Save(object ssoSession)
    {
    }
}

Error during SLO:
ComponentSpace.SAML2.Exceptions.SAMLProtocolException: 'There is no SSO session to partner https://sts.windows.net/afd6b3e5-19f7-4c51-958d-0a5b8f97848a/ to logout.'


Conclusion: The first attempt above seems like a no go for the website due to pre-existing requirements. Any help I can get with Attempt #2 and #3 above would be great. Thanks in advance for your time!  

ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
The HttpSSOSessionStore is the default store and is based off the ASP.NET session.
Section 5.6.2 of the Developer Guide PDF describes the DatabaseSSOSessionStore although it doesn't provide a lot of detail around the SessionID property.
The SessionID must uniquely identify the browser session.
The following code demonstrates specifying the DatabaseSSOSessionStore but with a custom mechanism for returning a SessionID.
In this case it's using the ASP.NET anonymous identifier.

SAMLController.SSOSessionStore = new DatabaseSSOSessionStore()
{
  SessionIDDelegate = new SessionIDDelegate(SessionIDDelegates.GetSessionIDFromAnonymousID)
};



SessionIDDelegate is defined as:

/// <summary>
/// The session ID delegate returns a unique SSO session identifier.
/// <para>
/// The SSO session identifier must be unique for the user's browser session.
/// It's used to identify which SSO session information is specific to the user's browser session.
/// </para>
/// </summary>
/// <returns>The unique SSO session identifier.</returns>
public delegate string SessionIDDelegate();



One common way to support a SessionID is through a custom cookie whose value is unique per session.

public static string GetSessionIDFromCustomCookie()
{
    string sessionID = null;

    HttpCookie httpCookie = HttpContext.Current.Request.Cookies["saml-session"];

    if (httpCookie != null)
    {
        // Returning browser: reuse the value already issued to it
        sessionID = httpCookie.Value;
    }
    else
    {
        // First request from this browser: issue a new random value and set the cookie
        sessionID = Guid.NewGuid().ToString();
        HttpContext.Current.Response.Cookies.Add(new HttpCookie("saml-session", sessionID));
    }

    return sessionID;
}



Let me know if you have any other questions.

Regards
ComponentSpace Development
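As an added example (not ComponentSpace's code and not from either post in this thread), here is the cookie-based SessionID approach from the reply with the cookie flags a SAML SP needs, plus a store derived from AbstractSSOSessionStore that keys Load/Save on that SessionID. Assumptions: the ComponentSpace.SAML2.Data namespace, that a session object is looked up per (SessionID, type) since Load receives a Type, and a .NET Framework version whose HttpCookie exposes SameSite.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using ComponentSpace.SAML2.Data;   // AbstractSSOSessionStore; namespace assumed

// SessionID from a cookie with the flags a SAML SP needs: HttpOnly, Secure, and
// SameSite=None, because the IdP posts the SAML response cross-site and a
// Lax/Strict cookie would be withheld, leaving no pending SSO state to match.
public static class SamlSessionCookie
{
    private const string CookieName = "saml-session";

    public static string GetSessionID()
    {
        HttpContext ctx = HttpContext.Current;
        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        Guid parsed;
        // Only accept a well-formed value; anything else is replaced, so the
        // client-controlled cookie can never become an arbitrary lookup key.
        if (cookie != null && Guid.TryParseExact(cookie.Value, "N", out parsed))
            return cookie.Value;
        string id = Guid.NewGuid().ToString("N");
        ctx.Response.Cookies.Set(new HttpCookie(CookieName, id)
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.None   // assumes .NET Framework 4.7.2+ SameSite support
        });
        return id;
    }
}

// Hypothetical store: an in-memory dictionary stands in for the site's own
// session table; a real one would persist and expire rows keyed the same way.
public class CookieKeyedSSOSessionStore : AbstractSSOSessionStore
{
    private static readonly ConcurrentDictionary<string, object> Sessions =
        new ConcurrentDictionary<string, object>();

    public override string SessionID { get { return SamlSessionCookie.GetSessionID(); } }
    // Assumption: key on SessionID plus the object's type, since Load receives a Type.
    private string KeyFor(Type type) { return SessionID + "|" + type.FullName; }
    public override object Load(Type type)
    {
        object session;
        return Sessions.TryGetValue(KeyFor(type), out session) ? session : null;
    }

    public override void Save(object ssoSession) { Sessions[KeyFor(ssoSession.GetType())] = ssoSession; }
}
```

Wire it up with SAMLController.SSOSessionStore = new CookieKeyedSSOSessionStore();, or keep the DatabaseSSOSessionStore from the reply and pass SamlSessionCookie.GetSessionID as its SessionIDDelegate. Either way the cookie is only a lookup key, so the same user-session table can also hold the site's own authentication state.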