I'm working on getting SLO working for a website and have implemented the SSO aspect so far. I am able to get the SP (my site) to redirect to the IdP no problem and then consume the response and get a user logged in using our own cookie authentication/session implementation. The issue is that when I go to use single logout, it complains in several different ways about the session not matching the login or something similar. Below is the breakdown of what I have tried and the results of my testing. There seems to be a lack of documentation and users submitting issues around this stuff, so I'm hoping somebody can clarify what piece I'm missing.
Problem Setup: The website I am developing for has ASP.NET Session Storage turned off for several reasons, so our initial requirement is that we are able to have a database manage this for us, or for us to be able to hook into our own implementation of session storage. Below are the three different SAMLController.SSOSessionStore implementations I tried and the issues I had with each.
Attempt #1 (HttpSSOSessionStore)

SAMLController.SSOSessionStore = new HttpSSOSessionStore();

As I understand it, this is the base default implementation that ComponentSpace suggests. When using this, since we have ASP.NET Session turned off, we get the following error when trying SSO.
“There is no HTTP session state as ASP.NET session cookies are not enabled.”
Given our requirements, we believe this to make sense and decided to move on to a database solution.
Attempt #2 (DatabaseSSOSessionStore)

SAMLController.SSOSessionStore = new DatabaseSSOSessionStore("System.Data.SqlClient", connectionString, "SSOSessions")
{
    // Called by ComponentSpace whenever it needs the current session ID;
    // this delegate returns a freshly generated GUID on every call.
    SessionIDDelegate = delegate
    {
        return Guid.NewGuid().ToString();
    }
};
We built the database table as specified in the documentation and also provided a delegate for the session store that returned a new GUID, as shown above. When testing we were able to see new session IDs going into the table that ComponentSpace manages, but when initiating SLO, we get the following error.
ComponentSpace.SAML2.Exceptions.SAMLProtocolException: 'There is no SSO session to partner {entity name} to logout.'
Since ComponentSpace seems to be the one managing the DatabaseSSOSessionStore, I’m not sure what I am doing wrong to confuse ComponentSpace. It seems like I’m missing a setup step here to get ComponentSpace to be able to track sessions for a user using the database. I am stuck here on this solution and would like guidance going forward on best practices, and on whether I’m missing a step of how to get ComponentSpace to play well with the database solution. When I got blocked I moved on to a third implementation to see if I could get that working.
Attempt #3 (CustomSSOSessionStore)

My most recent attempt was to try making a custom session store. This proved very confusing since the interface I inherited from, AbstractSSOSessionStore, does not make it clear how it is supposed to be used. Or at least I’m not sure how to interpret it.

public override string SessionID
public override object Load(Type type)
public override void Save(object ssoSession)
With the given overrides available, I don’t know how this should be used to manage the session for ComponentSpace. Load takes a Type and returns an object, so when ComponentSpace asks to load the session, what info from the Type can we use to identify the request to pull from our own DB, as I assume this is asking? Then, for Save, what form does the object parameter take that we can save, correctly identifying a specific user on our system? I feel like I’m missing a piece on this one somewhere of how this is supposed to play well with a custom system. Any guidance here is greatly appreciated. Below is my empty CustomSSOSessionStore, which throws the same error as Attempt #2 (also added below).
public class CustomSSOSessionStore : AbstractSSOSessionStore
{
    // Placeholder: always returns the same constant session ID.
    public override string SessionID
    {
        get { return "123456"; }
    }

    // Placeholder: nothing is ever loaded.
    public override object Load(Type type)
    {
        return null;
    }

    // Placeholder: nothing is ever saved.
    public override void Save(object ssoSession)
    {
    }
}
Error during SLO:
ComponentSpace.SAML2.Exceptions.SAMLProtocolException: 'There is no SSO session to partner https://sts.windows.net/afd6b3e5-19f7-4c51-958d-0a5b8f97848a/ to logout.'
Conclusion: The first attempt above seems like a no-go for the website due to pre-existing requirements. Any help I can get with Attempts #2 and #3 above would be great. Thanks in advance for your time!
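The following is an added example, not code from the post above and not ComponentSpace's own implementation, showing the shape of a custom SSO session store that can actually be found again at logout. It assumes only the three members the post lists on AbstractSSOSessionStore (SessionID, Load(Type), Save(object)), that the class lives in the ComponentSpace.SAML2.Data namespace, that the site runs on ASP.NET Framework with HttpContext.Current available, and that the site issues its own cookie (hypothetical name "MySiteSession") that outlives a single request. The key property it demonstrates is that SessionID must identify the browser session, not the request: a value that changes on every call (a new GUID each time, whether from a SessionIDDelegate or from a custom store) means the object saved during SSO is stored under one key and looked up under a different one during SLO, which is exactly the "no SSO session to partner" condition. The same stable-ID rule applies to the SessionIDDelegate in Attempt #2.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using ComponentSpace.SAML2.Data; // assumed namespace of AbstractSSOSessionStore

// Added example (not the poster's or ComponentSpace's code).
// Keys every saved SSO object by (stable browser-session ID, object type name)
// so that Load() during SLO finds what Save() stored during SSO.
public class CustomSSOSessionStore : AbstractSSOSessionStore
{
    // In-memory backing store for the example. A real deployment would use the
    // site's own database table with the same (sessionId, typeName) key.
    private static readonly ConcurrentDictionary<string, object> Store =
        new ConcurrentDictionary<string, object>();

    private const string SessionCookieName = "MySiteSession"; // hypothetical cookie name
    private const string ItemsKey = "CustomSSOSessionStore.SessionID";

    // Returns the same value for every request of one browser session.
    // A fresh GUID per call would break the SSO -> SLO round trip.
    public override string SessionID
    {
        get
        {
            HttpContext context = HttpContext.Current;

            // Already resolved earlier in this request (covers a freshly issued cookie
            // that the browser has not sent back yet).
            if (context.Items[ItemsKey] is string cached)
                return cached;

            HttpCookie cookie = context.Request.Cookies[SessionCookieName];
            string sessionId = cookie != null && !string.IsNullOrEmpty(cookie.Value)
                ? cookie.Value
                : null;

            if (sessionId == null)
            {
                // First request of this browser session: issue an opaque, unguessable ID.
                sessionId = Guid.NewGuid().ToString("N");
                context.Response.Cookies.Add(new HttpCookie(SessionCookieName, sessionId)
                {
                    HttpOnly = true, // not readable from script
                    Secure = true    // only sent over HTTPS
                });
            }

            context.Items[ItemsKey] = sessionId;
            return sessionId;
        }
    }

    // ComponentSpace asks for a specific Type (the SSO session object it needs);
    // the type name is the second half of the key so several object types can
    // coexist for one browser session. Returning null means "no session".
    public override object Load(Type type)
    {
        object ssoSession;
        return Store.TryGetValue(Key(type), out ssoSession) ? ssoSession : null;
    }

    // The object handed to Save is the SSO session object itself; its runtime
    // type is assumed to be the Type later passed to Load.
    public override void Save(object ssoSession)
    {
        if (ssoSession == null)
            return;

        Store[Key(ssoSession.GetType())] = ssoSession;
    }

    private string Key(Type type)
    {
        return SessionID + "|" + type.FullName;
    }
}

// Registration, as in the post's other attempts:
// SAMLController.SSOSessionStore = new CustomSSOSessionStore();
```

When moving the backing store from the dictionary to a database, keep the composite key (session ID plus type name) and serialize the object as the documentation for DatabaseSSOSessionStore describes; the session ID itself should be an opaque random value tied to the site's own authentication cookie rather than anything derived from the user name, so that a logout request cannot be aimed at another user's SSO session by guessing its key.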