ComponentSpace

Forums



ASP.NET and SLO


ASP.NET and SLO

Author
Message
BloodBaz
BloodBaz
New Member
New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)

Group: Forum Members
Posts: 3, Visits: 13
Hi Guys,

I'm struggling with getting a robust logout process in place for my SP application when a user logs in using SAML SSO.

Our Service Provider application has a "logout" button.  Before we introduced SAML SSO as an optional login mechanism for some of our clients, when the user clicks Logout, we simply performed these steps:

context.Session.Abandon();
FormsAuthentication.SignOut();
RedirectToLoginPage();



For SAML SLO, the process is as follows:
  • check that CanSLO() returns true, 
  • if it does then call InitiateSLO() which populates the response object 
  • allow the page to end and the user's browser in order to redirect to the IdP and log out.

So here's my problem:

I can't run my ASP.NET sign out code first, followed by calls to CanSLO()/InitiateSLO() as the session object will have been disposed and CanSLO() then returns false and InitiateSLO() does not work.
I can't run the CanSLO()/InitiateSLO() code first, as this ends up redirecting to the IdP and the IdP displays a "Your are now logged out" page with no return to our application and therefore, no mechanism to sign out of ASP.NET Forms.

Either way, one of the two sessions still exist and the user can effectively log back in without entering any credentials.

Can you advise on what I am doing wrong and how do I get this use case to work?

Thanks
Chris


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
Hi Chris
It doesn't sound like the IdP supports SAML SLO. If it did, it would send you a SAML logout response.
I suggest confirming this with the IdP.
Assuming that's the case, the best option is to logout the user locally and simply redirect to the IdP's logout page.

Regards
ComponentSpace Development
BloodBaz
BloodBaz
New Member
New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)New Member (5 reputation)

Group: Forum Members
Posts: 3, Visits: 13
ComponentSpace - 9/17/2018
Hi Chris
It doesn't sound like the IdP supports SAML SLO. If it did, it would send you a SAML logout response.
I suggest confirming this with the IdP.
Assuming that's the case, the best option is to logout the user locally and simply redirect to the IdP's logout page.

The IdP in this case is Azure Active Directory which I'm pretty sure does support Single Log Out (SLO).
I don't even need it to sign out of all SPs that have authenticated with the idP but just our one. 
The problem is, following the signout the idP is redirecting back to our SAML logout page but the browser session id is different (new session created I assume) and so it can't complete the local logout process.  
Any ideas how I get the original sessionid to be passed back e.g. 
Cookie Name: ASP.NET_SessionId
Cookie Value: cprzssbc2lhsfmueif3om5sp0
It's a vulnurability as the user thinks they've logged out (and the SAML session has logged out but not the local session of our SP.
Thanks,
Chris
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
Hi Chris,

I suspect the ASP.NET_SessionId isn't being returned as the SameSite property hasn't been set as None.

Make sure you have the following set in your web.config:


<sessionState cookieSameSite="None" />
<httpCookies requireSSL="true"/>



For more information, please refer to:

https://www.componentspace.com/forums/10816/Application-Cookie-SameSite-None

If there's still an issue, you can use the browser developer tools to determine why the cookie isn't being sent.

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies



Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
Hi Chris,

I suspect the ASP.NET_SessionId isn't being returned as the SameSite property hasn't been set as None.

Make sure you have the following set in your web.config:


<sessionState cookieSameSite="None" />
<httpCookies requireSSL="true"/>



For more information, please refer to:

https://www.componentspace.com/forums/10816/Application-Cookie-SameSite-None

If there's still an issue, you can use the browser developer tools to determine why the cookie isn't being sent.

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies



Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search