Typically when the user logs out from the service provider you also want them to be logged out from the identity provider. However, this doesn't have to be the case. If your business case is that the user stays logged in at the identity provider, that's fine. Just be aware that they're still logged in and consider whether this presents any security risks. In a corporate environment with other security measures in place it may be perfectly valid.
I recommend calling ssoState.CanSloAsync() to determine whether SAML logout is supported. CanSloAsync will return false if no SingleLogoutServiceUrl is configured for the partner IdP.
var ssoState = await _samlServiceProvider.GetStatusAsync();
if (await ssoState.CanSloAsync())
{
// Can initiate SLO.
}
The majority of the SAML protocols are browser-based. What this means is that messages sent between the SP and IdP sites are sent via the browser. When you call _samlServiceProvider.InitiateSloAsync(), a 302 redirect HTTP response is returned to the browser. The browser then redirects to the IdP with the SAML logout request encoded as a query string parameter. At this moment, control is at the IdP site. The IdP logs the user out and sends a SAML logout response to your SP via the browser. This is received at your SAML logout service endpoint, where you call _samlServiceProvider.ReceiveSloAsync() to receive and process the logout response. Now that the SAML logout flow has completed, your application may redirect the user to the appropriate page. This is demonstrated by the ExampleServiceProvider project we ship. SAML doesn't support the concept of a fire-and-forget message.
Thank you for your kind words!
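The SP-initiated logout flow described in the reply above, written out as an added example controller. This is not ComponentSpace's shipped ExampleServiceProvider and not code from this thread; it is modelled on the calls named above (GetStatusAsync, CanSloAsync, InitiateSloAsync, ReceiveSloAsync). Assumed for the example: the controller and action names, that ISamlServiceProvider is injected through DI, that the SP's SingleLogoutServiceUrl is routed to /SAML/SingleLogoutService, and the use of ISloResult.IsResponse and SendSloAsync to also handle the case the reply does not cover, a LogoutRequest arriving from the IdP.

```csharp
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Added example controller (not the vendor's ExampleServiceProvider). Route and
// action names are this example's choices; the SAML calls follow the reply above.
public class SamlController : Controller
{
    private readonly ISamlServiceProvider _samlServiceProvider;

    public SamlController(ISamlServiceProvider samlServiceProvider)
    {
        _samlServiceProvider = samlServiceProvider;
    }

    // Step 1: the user clicks "Log out" at the SP.
    [HttpPost]
    public async Task<IActionResult> Logout()
    {
        // End the local session first: if the IdP does not support SLO, or the
        // browser never comes back with a response, the user is still logged
        // out of this application.
        await HttpContext.SignOutAsync();

        var ssoState = await _samlServiceProvider.GetStatusAsync();

        if (!await ssoState.CanSloAsync())
        {
            // No SingleLogoutServiceUrl is configured for the partner IdP (or
            // there is no SAML session), so the IdP session stays alive. The
            // "LoggedOut" page is an assumed destination for this example.
            return RedirectToAction("LoggedOut", "Home");
        }

        // Step 2: writes a 302 to the IdP's SLO endpoint with the LogoutRequest
        // in the query string (HTTP-Redirect binding). Control now passes to
        // the IdP via the browser, so this action returns nothing further.
        await _samlServiceProvider.InitiateSloAsync();
        return new EmptyResult();
    }

    // Step 3: the IdP redirects the browser back here, either with a
    // LogoutResponse (completing our request) or with a LogoutRequest
    // (IdP-initiated logout, which the reply above does not cover).
    [Route("SAML/SingleLogoutService")]
    public async Task<IActionResult> SingleLogoutService()
    {
        var sloResult = await _samlServiceProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // LogoutResponse to the request we sent: SLO has completed.
            return RedirectToAction("LoggedOut", "Home");
        }

        // LogoutRequest from the IdP: clear the local session, then send the
        // LogoutResponse back to the IdP through the browser.
        await HttpContext.SignOutAsync();
        await _samlServiceProvider.SendSloAsync();
        return new EmptyResult();
    }
}
```

The ordering in Logout matters: calling SignOutAsync before InitiateSloAsync means a missing or failed round trip to the IdP can never leave the SP session open, which is the risk the reply asks you to weigh when the user stays logged in at the IdP.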
Hi ComponentSpace,
I am also trying to initiate a logout request at the IdP. I have the above code inside a try/catch; everything seems fine at the SP, but the IdP does not get the request. What could be the issue?
Here is my workflow:
1. Login is initiated at the IdP.
2. The SP processes the response; login works fine.
3. The user logs out at the SP, CanSloAsync is true, and InitiateSloAsync works without exception.
Here comes the issue: the IdP never gets the request. The IdP is a web form, and the SLO logout URL works when put in the browser.
I am also debugging both the IdP and SP locally, and my IdP SLO never gets stepped into. Looking at the SAML trace, there is no sent request.
Here is my configuration:
public override Task<PartnerIdentityProviderConfiguration> GetPartnerIdentityProviderConfigurationAsync(
    string configurationId, string partnerName)
{
    var logoutLink = getslolink();
    var partnerIdentityProviderConfiguration = new PartnerIdentityProviderConfiguration
    {
        Name = partnerName.TrimEnd('/'),
        Description = "Example Identity Provider",
        PartnerCertificates = new List<Certificate>
        {
            new Certificate { FileName = "idp.cer" }
        },
        SingleLogoutServiceUrl = logoutLink,
        SingleLogoutServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
        WantAssertionOrResponseSigned = true,
        // Local-debugging settings: these skip the Destination, Recipient and
        // Audience checks on received SAML messages and should not ship as-is.
        DisableDestinationCheck = true,
        DisableRecipientCheck = true,
        DisableAudienceRestrictionCheck = true
    };
    return Task.FromResult(partnerIdentityProviderConfiguration);
}
There is no error; everything else works. What am I missing?