By kiransr25 - 4/28/2021
We are using ComponentSpace SSO for the ASP.NET web application. The SSO is initiated from the client with the client login URL,
and after login, if the user logs out from the application we are supposed to show the client login page again, but because of the SSO cached data the login page won't ask for authentication, and without any credentials it automatically logs in to the application.
Please refer to the below code.
Step 1: the user logs in using the client login page.
Step 2: we receive the request:
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
After SSO, the user logs in successfully.
Step 3: the user clicks logout.
We are trying to clear the session and cookies,
then redirect to the client login page.
Step 4: the client login page won't ask for any credentials and it logs the user in.
So after clicking logout, apart from clearing the regular sessions, do we need to perform any SSO-related tasks so we can clear all SSO-related data?
Can anyone please help me with this?
By ComponentSpace - 4/28/2021
In your step 3 you're logging the user out from your SP application, but the user remains logged in at the IdP application. The authentication cookie for the IdP still exists. When you initiate SSO again, the IdP won't prompt the user to log in as they're already logged in.
SAML logout (SLO) is a protocol that logs the user out from the SPs and IdP. At the end of your step 3 you can call SAMLServiceProvider.InitiateSLO to create and send a SAML Logout request to the IdP. The IdP will log the user out at their end and send you a SAML logout response. You call SAMLServiceProvider.ReceiveSLO to receive and process the logout response.
The ExampleServiceProvider project demonstrates making these calls. The <PartnerIdentityProvider> entry in your saml.config needs to include a SingleLogoutServiceUrl. This is the URL where SAML logout messages are sent to the IdP.
Unfortunately, not all IdPs support SAML logout. You'll need to confirm with the IdP whether they do. If they don't, the only option is to prompt the user to close the browser to clear all cookies. In a shared environment with multiple users using the same machine, closing the browser is a good idea even if SAML logout is employed.
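As an added illustration, not code from the original posts or from ComponentSpace's ExampleServiceProvider, here is what step 3 and the SP's single-logout endpoint look like once SLO is wired in. It assumes the classic ASP.NET (System.Web) edition of the library and the method shapes used by ExampleServiceProvider as I recall them, `InitiateSLO(Response, logoutReason)`, `ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP)` and `SendLO(Response, errorMessage)` (check these against the version you have installed); the saml.config value, the `loginPageUrl` parameter and the `SloHandlers` class name are placeholders I made up for the example.

```csharp
// Added example: SP-side SAML single logout with ComponentSpace SAML v2 for ASP.NET.
// Assumed saml.config fragment (placeholder URL), which must carry SingleLogoutServiceUrl
// for SLO to work at all:
//   <PartnerIdentityProvider Name="https://idp.example.com"
//       SingleLogoutServiceUrl="https://idp.example.com/saml/slo" ... />
using System;
using System.Web;
using System.Web.Security;
using ComponentSpace.SAML2;

public static class SloHandlers
{
    // Replacement for step 3: called from the Logout button / logout page.
    public static void Logout(HttpContext context)
    {
        // 1. Local (SP) logout: drop our own session and forms-auth cookie.
        ClearLocalSession(context);

        // 2. Send a SAML LogoutRequest to the IdP. InitiateSLO itself redirects the
        //    browser to the IdP's SingleLogoutServiceUrl; the IdP ends its session
        //    and returns a LogoutResponse to our SLO endpoint (SloService below).
        //    The second argument is the optional logout reason.
        SAMLServiceProvider.InitiateSLO(context.Response, null);

        // Do NOT Response.Redirect to the client login page here: that would replace
        // the redirect InitiateSLO just issued and the IdP session would survive,
        // which is exactly the "logs in without credentials" behaviour in step 4.
    }

    // The endpoint registered as this SP's single-logout URL (e.g. SLOService.aspx).
    // It receives both the LogoutResponse to our own request and, if the IdP starts
    // logout from its side, an IdP-initiated LogoutRequest.
    public static void SloService(HttpContext context, string loginPageUrl)
    {
        bool isRequest;
        string logoutReason;
        string partnerIdP;

        SAMLServiceProvider.ReceiveSLO(context.Request,
            out isRequest, out logoutReason, out partnerIdP);

        if (isRequest)
        {
            // IdP-initiated logout: log out locally, then answer the IdP with a
            // LogoutResponse (null = no error) so it can continue with other SPs.
            ClearLocalSession(context);
            SAMLServiceProvider.SendSLO(context.Response, null);
            return;
        }

        // SP-initiated logout has completed at the IdP. Its authentication cookie is
        // gone, so sending the user to the client login page now prompts for
        // credentials instead of silently re-authenticating.
        ClearLocalSession(context);
        context.Response.Redirect(loginPageUrl, false);
    }

    private static void ClearLocalSession(HttpContext context)
    {
        FormsAuthentication.SignOut();

        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // Expire the ASP.NET session cookie explicitly; Abandon() alone leaves the
        // cookie in the browser and the same session id would be reused.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        };
        context.Response.Cookies.Add(expired);
    }
}
```

The practical check before relying on this: confirm with the IdP that it supports SAML logout and that its metadata or configuration actually exposes a single-logout endpoint. If it does not, `InitiateSLO` has nowhere to send the request and the IdP session cannot be ended from the SP side, which is the case the reply above describes where only closing the browser clears the IdP's cookie.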