ComponentSpace Forums

SP-initiated SLO only logging out user at the SP that initiated the SLO

raju
New Member
Group: Awaiting Activation
Posts: 15, Visits: 60
We use our IdP to interop with various SPs.
I had active SP-initiated SSO sessions from Salesforce and Office 365.
Then I logged out at Salesforce, and the SP-initiated SLO arrived at the IdP:

public async Task<ActionResult> SingleLogoutService()
{
    // Receive the single logout request or response.
    // If a request is received then single logout is being initiated by a partner service provider.
    // If a response is received then this is in response to single logout having been initiated by the identity provider.
    var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

    if (sloResult.IsResponse)
    {
        if (sloResult.HasCompleted)
        {
            // IdP-initiated SLO has completed.
            return RedirectToPage("/Index");
        }
    }
    else
    {
        // Logout locally.
        // await _signInManager.SignOutAsync();   // <== commented out since we have our own middleware to take care of user auth and logout.

        // Respond to the SP-initiated SLO request indicating successful logout.
        await _samlIdentityProvider.SendSloAsync();
    }

    return new EmptyResult();
}



But await _samlIdentityProvider.SendSloAsync(); did not cause the user to be logged out at Office 365.

Is my understanding correct that this method takes care of sending multiple SLOs to all the SPs the user had active SSO flows with?



Can you please help me to see what the usual suspects are here.

Appreciate your time and help.
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Your understanding is correct.
SendSloAsync will send a SAML logout request to the next SP or, if all SPs have logged out, a SAML logout response to the initiating SP.
This assumes that the SP configuration includes a SingleLogoutServiceUrl.
The problem with SAML logout is that not all providers support it fully.
From our experience, Office 365 supports SP-initiated SLO correctly but not IdP-initiated SLO (i.e. where it receives a SAML logout request).
What we see is that control passes to Office 365 (i.e. when the SAML logout request is sent) but the user isn't logged out and the browser remains at the Office 365 page.
This breaks the SLO flow.
In these circumstances the user might be better to simply close the browser.

Regards
ComponentSpace Development
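To make the chain described in the reply concrete, here is an added Python model of the front-channel SLO fan-out; it is not ComponentSpace code and calls none of its APIs. It assumes that SPs without a SingleLogoutServiceUrl are skipped and that the IdP ends its own session before the first LogoutRequest goes out, so a partner that swallows the request (the Office 365 behaviour above) stalls the chain but cannot keep the IdP session alive; the partner names and URLs are constructed.

```python
# Model of the SAML SLO chain: one LogoutRequest per remaining SP, relayed through
# the browser, then a LogoutResponse to the SP that started it (assumed semantics).
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PartnerSp:
    entity_id: str
    slo_url: Optional[str]                # SingleLogoutServiceUrl; None = not configured
    honours_logout_request: bool = True   # False models an SP that swallows the request


@dataclass
class IdpSession:
    participants: List[PartnerSp]         # SPs the user did SSO with in this session
    idp_logged_out: bool = False
    initiator: Optional[str] = None
    pending: List[PartnerSp] = field(default_factory=list)
    logged_out_sps: List[str] = field(default_factory=list)
    sent: List[Tuple[str, str]] = field(default_factory=list)   # (message, entity_id)


def receive_slo_request(session: IdpSession, from_sp: str) -> str:
    """SP-initiated SLO arrives: end the IdP session first, then start the chain."""
    session.idp_logged_out = True          # never wait for the chain to finish
    session.initiator = from_sp
    session.logged_out_sps.append(from_sp)
    session.pending = [p for p in session.participants
                       if p.entity_id != from_sp and p.slo_url]
    return send_slo(session)


def send_slo(session: IdpSession) -> str:
    """Counterpart of SendSloAsync: next LogoutRequest, else the final LogoutResponse."""
    if session.pending:
        sp = session.pending.pop(0)
        session.sent.append(("LogoutRequest", sp.entity_id))
        if sp.honours_logout_request:
            return receive_slo_response(session, sp.entity_id)
        return "stalled"                   # browser parked at the SP, no response comes back
    session.sent.append(("LogoutResponse", session.initiator))
    return "completed"


def receive_slo_response(session: IdpSession, from_sp: str) -> str:
    """A partner SP's LogoutResponse came back through the browser: continue."""
    session.logged_out_sps.append(from_sp)
    return send_slo(session)
```

In the stalled case the IdP session is already gone, so a later SSO attempt at any SP forces re-authentication even though the non-cooperating SP kept its own session.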