IDP-Initiated SLO for Client and server applications
ajarg
New Member (6 reputation)
Group: Awaiting Activation
Posts: 4, Visits: 11
We have client/server applications in .NET Core. Our server acts as an IdP server (SAMLController), and our client application can initiate SSO for the respective SP using a REST API from our server. The SP site (Google, Office 365) will be opened on the client PCs. We would like to initiate IdP-initiated SLO when the user logs out from our client applications. In this scenario, how can we send InitiateSloAsync from our server? Please share samples for this workflow.

ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
When you say client app, I'm assuming you mean a JavaScript application running in the browser.
The best option is to send an HTTP GET from the browser to your IdP application.
At this endpoint, call InitiateSloAsync to send the SAML logout request.
At your SLO endpoint, call ReceiveSloAsync to receive the SAML logout response.
You can then redirect back to the client app.
Our examples demonstrate calling the SAML API for logout.
I'm afraid at this stage we don't have an example client app.

Regards
ComponentSpace Development
ajarg
New Member (6 reputation)
Group: Awaiting Activation
Posts: 4, Visits: 11
ComponentSpace - 10/23/2018
When you say client app, I'm assuming you mean a JavaScript application running in the browser.
The best option is to send an HTTP GET from the browser to your IdP application.
At this endpoint, call InitiateSloAsync to send the SAML logout request.
At your SLO endpoint, call ReceiveSloAsync to receive the SAML logout response.
You can then redirect back to the client app.
Our examples demonstrate calling the SAML API for logout.
I'm afraid at this stage we don't have an example client app.

Hi
Thanks for the response.
Client app means it runs on other PCs and opens SP sites using SP-initiated SSO (not on the IdP server PC). Now we need to initiate logout from our IdP server when the user logs out from our client app.
In this case, do you have any API to send a Logout request to any SP using the user's mail id? Or please suggest any other approach for our requirement.

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="902380923840239832098423498349848"
                     Version="2.0"
                     IssueInstant="2016-05-14T00:45:20Z"
                     Destination="http://Google.com/SAML2SLOService">
  <saml:Issuer>http://<ourserverurl>/</saml:Issuer>
  <saml:NameID SPNameQualifier="http://app1.levvel.io/"
               Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[email protected]</saml:NameID>
</samlp:LogoutRequest>
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
The InitiateSloAsync sends a SAML logout request.
The API handles setting the Destination, Issuer, NameID etc. fields correctly.
The ExampleServiceProvider project demonstrates supporting SAML logout.
When the user clicks the logout button, it calls InitiateSloAsync.
The SamlController.SingleLogoutService calls ReceiveSloAsync and SendSloAsync to complete the SLO sequence.

Regards
ComponentSpace Development
ajarg
New Member (6 reputation)
Group: Awaiting Activation
Posts: 4, Visits: 11
ComponentSpace - 10/24/2018
The InitiateSloAsync sends a SAML logout request.
The API handles setting the Destination, Issuer, NameID etc. fields correctly.
The ExampleServiceProvider project demonstrates supporting SAML logout.
When the user clicks the logout button, it calls InitiateSloAsync.
The SamlController.SingleLogoutService calls ReceiveSloAsync and SendSloAsync to complete the SLO sequence.

Hi
Our question: is it possible to call InitiateSloAsync with Destination, Issuer, NameID etc. from the IdP logout? In this case, which API needs to be called to set Destination, Issuer, NameID etc.?

Below is the code from SAML for .NET Core\Examples\SSO\ExampleIdentityProvider\Areas\Identity\Pages\Account\Logout.cshtml.cs:
public async Task<IActionResult> OnPost(string returnUrl = null)
{
    await _signInManager.SignOutAsync();
    _logger.LogInformation("User logged out.");

    var ssoState = await _samlIdentityProvider.GetStatusAsync();

    if (await ssoState.CanSloAsync())
    {
        // Request logout at the service provider(s).
        await _samlIdentityProvider.InitiateSloAsync(relayState: returnUrl);

        return new EmptyResult();
    }

    if (returnUrl != null)
    {
        return LocalRedirect(returnUrl);
    }
    else
    {
        return Page();
    }
}

ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
InitiateSloAsync doesn't support you setting these fields directly.
The API itself will set the correct values for these fields.
Why do you want to set these fields directly rather than letting the API handle them?

Regards
ComponentSpace Development
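The following is an added example, not code from the thread or from ComponentSpace's own examples, showing how the flow described in the replies above fits together on the IdP side: a logout endpoint that the browser-side client calls with an HTTP GET, and the SingleLogoutService endpoint that completes the sequence. It uses the API names that appear in the thread (GetStatusAsync, CanSloAsync, InitiateSloAsync, ReceiveSloAsync, SendSloAsync); the ISloResult members IsResponse, HasCompleted and RelayState, the route attributes and the IdentityUser type are assumptions. It also shows why the fields the last question asks about cannot be passed in: the API fills Destination, Issuer and NameID from the configured partner SP and from the SSO session the IdP recorded at sign-in time, so logout has to be initiated from the IdP that holds that session, not from an arbitrary caller naming an SP and a user.

```csharp
// Added example (not ComponentSpace's or the poster's code). Assumed names:
// ISloResult.IsResponse / HasCompleted / RelayState, the route layout, and
// IdentityUser as the ASP.NET Core Identity user type.
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

[Route("[controller]/[action]")]
public class SamlController : Controller
{
    private readonly ISamlIdentityProvider _samlIdentityProvider;
    private readonly SignInManager<IdentityUser> _signInManager;

    public SamlController(ISamlIdentityProvider samlIdentityProvider,
                          SignInManager<IdentityUser> signInManager)
    {
        _samlIdentityProvider = samlIdentityProvider;
        _signInManager = signInManager;
    }

    // Step 1: the browser-side client app sends an HTTP GET here when the user
    // logs out. The IdP ends its own session and, if any SP sessions exist,
    // starts IdP-initiated SLO. returnUrl is where the user lands afterwards.
    [HttpGet]
    [Authorize]
    public async Task<IActionResult> Logout(string returnUrl = null)
    {
        // Accept only local return URLs; an attacker-supplied absolute URL
        // would otherwise turn the logout endpoint into an open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && !Url.IsLocalUrl(returnUrl))
        {
            returnUrl = null;
        }

        await _signInManager.SignOutAsync();

        var ssoState = await _samlIdentityProvider.GetStatusAsync();

        if (await ssoState.CanSloAsync())
        {
            // Sends a <samlp:LogoutRequest> to each SP the user signed in to.
            // Destination, Issuer and NameID are taken from the partner SP
            // configuration and the session recorded at SSO time; the caller
            // does not (and cannot) supply them. relayState is echoed back to
            // SingleLogoutService once the last SP has responded.
            await _samlIdentityProvider.InitiateSloAsync(relayState: returnUrl);
            return new EmptyResult();
        }

        // No SP sessions: nothing to log out remotely.
        return returnUrl != null ? LocalRedirect(returnUrl) : RedirectToPage("/Index");
    }

    // Step 2: the IdP's SLO endpoint (the URL published as the IdP's
    // SingleLogoutService and configured at each SP). It receives either a
    // LogoutResponse (end of the IdP-initiated sequence above) or a
    // LogoutRequest (SP-initiated SLO).
    [HttpGet]
    [HttpPost]
    [AllowAnonymous]
    public async Task<IActionResult> SingleLogoutService()
    {
        // Validates the incoming message (signature, issuer) before anything
        // is acted on; an invalid message throws rather than ending a session.
        var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // A response from one SP to our earlier request. The API keeps
            // the sequence going until every SP has answered.
            if (sloResult.HasCompleted)
            {
                var returnUrl = sloResult.RelayState;
                if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                {
                    return LocalRedirect(returnUrl);
                }
                return RedirectToPage("/Index");
            }
            return new EmptyResult();
        }

        // SP-initiated: an SP asked the IdP to log the user out. End the local
        // session, then let the API propagate the request to the other SPs
        // and finally answer the originating SP with a LogoutResponse.
        await _signInManager.SignOutAsync();
        await _samlIdentityProvider.SendSloAsync();

        return new EmptyResult();
    }
}
```

Because IdP-initiated SLO depends on the SSO session state the IdP built up during sign-in, the client application on another PC does not call InitiateSloAsync itself; it redirects the browser to the IdP's Logout endpoint, and the IdP drives the logout requests to the SPs and returns the browser to the client via relayState. Restricting relayState and returnUrl to local URLs (Url.IsLocalUrl) is the check worth keeping, since both values come back from the network.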