Understanding SLO


Arno
Morning,
I'm a complete newbie to SAML, so sorry for any strange or stupid questions...

I configured the SSO, which is working fine and most important: I understand what I did ;)
But I do not understand how to set the right parameters for the SLO?
For the SSO configuration I set the SingleSignOnServiceUrl (IdP) as the URL to which the SAML-InitiateSSO call is sent. The AssertionConsumerServiceUrl (SP) is used to handle the response of the IdP.
For the SLO-configuration I set the SingleLogoutServiceUrl as the URL to which the InitiateSLO is sent, but how do I tell the system (or how does the IdP know) to which page the response must be sent, so I can call ReceiveSLO?

Hope you can help me.

Arno


ComponentSpace
Hi Arno,

The IdP must be configured with your single logout service URL. This is the endpoint in your SP app that will receive SAML logout messages and where you call SAMLServiceProvider.ReceiveSLO. The ExampleServiceProvider's SAML/SLOService.aspx page demonstrates calling this API.

The AssertionConsumerServiceUrl is part of the SP configuration as this URL is sent in the SAML authn request sent to the IdP when you call SAMLServiceProvider.InitiateSSO. There isn't an equivalent SP SingleLogoutServiceUrl in the SP configuration as the SAML logout request doesn't support sending this URL.

Therefore, all you need to configure at the SP is the partner IdP's SingleLogoutServiceUrl. The IdP will configure your SP single logout service URL.

Regards
ComponentSpace Development
Arno
ComponentSpace - 11/23/2021
Hi Arno,

The IdP must be configured with your single logout service URL. This is the endpoint in your SP app that will receive SAML logout messages and where you call SAMLServiceProvider.ReceiveSLO. The ExampleServiceProvider's SAML/SLOService.aspx page demonstrates calling this API.

The AssertionConsumerServiceUrl is part of the SP configuration as this URL is sent in the SAML authn request sent to the IdP when you call SAMLServiceProvider.InitiateSSO. There isn't an equivalent SP SingleLogoutServiceUrl in the SP configuration as the SAML logout request doesn't support sending this URL.

Therefore, all you need to configure at the SP is the partner IdP's SingleLogoutServiceUrl. The IdP will configure your SP single logout service URL.

Thanks for the fast reply. 
So, the SingleLogoutServiceUrl is the URL of the receiving page of my website to handle SLO-response. I had misunderstood this.
Thanks. This helps me a lot.

Arno
 
ComponentSpace
The <PartnerIdentityProvider> SingleLogoutServiceUrl is where SAML logout messages are sent to the partner IdP.

The single logout service endpoint in your SP app is where SAML logout messages are received from the partner IdP. This URL would be configured at the IdP but there's no configuration in your SP for this endpoint. In other words, there isn't a <ServiceProvider> SingleLogoutServiceUrl.

Regards
ComponentSpace Development
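
Added example, not part of the thread and not ComponentSpace code: a Python sketch of the protocol point discussed above, using constructed SAML messages. It shows that an authn request can carry its own reply URL while a logout request cannot, so the IdP resolves the SP's logout endpoint from what it has registered for that issuer. The hosts sp.example and idp.example and both function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample messages (placeholder hosts, unsigned).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"
    IssueInstant="2021-11-23T08:00:00Z" Destination="https://idp.example/sso"
    AssertionConsumerServiceURL="https://sp.example/SAML/AssertionConsumerService.aspx">
  <saml:Issuer>https://sp.example</saml:Issuer>
</samlp:AuthnRequest>"""

LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b2" Version="2.0"
    IssueInstant="2021-11-23T09:00:00Z" Destination="https://idp.example/slo">
  <saml:Issuer>https://sp.example</saml:Issuer>
  <saml:NameID>arno@sp.example</saml:NameID>
</samlp:LogoutRequest>"""

# Constructed SP metadata as registered at the IdP (the IdP-side configuration).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example/SAML/SLOService.aspx"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        index="0" Location="https://sp.example/SAML/AssertionConsumerService.aspx"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def reply_url_in_message(xml_text):
    """Return the reply URL carried by the message itself, or None if it has none."""
    return ET.fromstring(xml_text).get("AssertionConsumerServiceURL")

def idp_logout_reply_url(logout_request, registered_metadata):
    """IdP side: look up the SP's logout endpoint from registered metadata, by Issuer."""
    issuer = (ET.fromstring(logout_request).findtext("saml:Issuer", namespaces=NS) or "").strip()
    for doc in registered_metadata:
        entity = ET.fromstring(doc)
        if entity.get("entityID") != issuer:
            continue
        slo = entity.find("md:SPSSODescriptor/md:SingleLogoutService", NS)
        if slo is not None:
            # ResponseLocation, when present, is where responses go instead of Location.
            return slo.get("ResponseLocation") or slo.get("Location")
    raise LookupError(f"no single logout endpoint registered for {issuer!r}")
```

Because the logout reply address comes only from the IdP's registered configuration, a logout request cannot redirect the response to an arbitrary URL; an SP that is not registered with a logout endpoint simply gets no reply address.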