Hello,
Issue with SAML SLO Response Processing in .NET Core 8
I’m experiencing an issue with the SAML Single Logout (SLO) process in my .NET Core 8 application. When a user logs out, I receive a SAML response from our IdP, but the ReceiveSloAsync() method fails with the error:
When I use InitiateSloAsync() I get a response from the IdP with success, but in my SLOService.aspx I have an error.
```xml
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="XXXXXX/SAML/SLOService.aspx"
    ID="s28a1b4e49f2e799d3123aaed2b3866584ce88706"
    InResponseTo="_3HhNouRub4PI12A5wD4qsLqpX6MPzPdx"
    IssueInstant="2025-03-25T16:40:51Z"
    Version="2.0"
    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">XXXXXX</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>
```
Here is my code:
```csharp
[HttpGet("SLOService.aspx")]
public async Task<IActionResult> SingleLogout()
{
    try
    {
        await AdLogBdd.LogIntoDataBaseAsync(0, "Réception d'une requête SLO");
        await _samlServiceProvider.SetConfigurationNameAsync("XXXXXX");

        // Receive the logout request or response
        await AdLogBdd.LogIntoDataBaseAsync(0, "Before ReceiveSloAsync");
        var sloResult = await _samlServiceProvider.ReceiveSloAsync();
        await AdLogBdd.LogIntoDataBaseAsync(0, "After ReceiveSloAsync");

        // Now that SAML processing is finished, we can clear the cookies
        Response.Cookies.Delete("token");
        Response.Cookies.Delete("refresh_token");

        if (sloResult.IsResponse)
        {
            // SP-initiated SLO has completed
            if (!string.IsNullOrEmpty(sloResult.RelayState))
            {
                await AdLogBdd.LogIntoDataBaseAsync(0, $"Redirection vers: {sloResult.RelayState}");
                return Redirect(sloResult.RelayState);
            }

            // Default redirect
            return Redirect("/");
        }
        else
        {
            // Respond to the IdP-initiated SLO request
            await AdLogBdd.LogIntoDataBaseAsync(0, "Envoi de la réponse SLO");
            await _samlServiceProvider.SendSloAsync();
        }

        return new EmptyResult();
    }
    catch (Exception ex)
    {
        await AdLogBdd.LogIntoDataBaseAsync(0, $"Erreur SLO: {ex.Message}");

        // Even on error, we can now clear the cookies
        Response.Cookies.Delete("token");
        Response.Cookies.Delete("refresh_token");

        return BadRequest(new { error = ex.Message });
    }
}
```