Hello,

Issue with SAML SLO Response Processing in .NET Core 8

I’m experiencing an issue with the SAML Single Logout (SLO) process in my .NET Core 8 application. When a user logs out, I receive a SAML response from our IdP, but the ReceiveSloAsync() method fails with the error:

When I use initiateSloAsync I have an response from idp with success but in my SloService.aspx i have an error.

<samlp:LogoutResponse xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”
Destination=“XXXXXX/SAML/SLOService.aspx”
ID=“s28a1b4e49f2e799d3123aaed2b3866584ce88706”
InResponseTo=“_3HhNouRub4PI12A5wD4qsLqpX6MPzPdx”
IssueInstant=“2025-03-25T16:40:51Z”
Version=“2.0”
>
<saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>XXXXXX</saml:Issuer>
samlp:Status
<samlp:StatusCode Value=“urn:oasis:names:tc:SAML:2.0:status:Success” />
</samlp:Status>
</samlp:LogoutResponse>

Here my code :

[HttpGet(“SLOService.aspx”)]
public async Task SingleLogout()
{
try
{
await AdLogBdd.LogIntoDataBaseAsync(0, “Réception d’une requête SLO”);
await _samlServiceProvider.SetConfigurationNameAsync(“XXXXXX”);

    // Recevoir la requête ou réponse de logout
    await AdLogBdd.LogIntoDataBaseAsync(0, "Before ReceiveSloAsync");
    var sloResult = await _samlServiceProvider.ReceiveSloAsync();
    await AdLogBdd.LogIntoDataBaseAsync(0, "After ReceiveSloAsync");

    // Maintenant que le traitement SAML est terminé, on peut nettoyer les cookies
    Response.Cookies.Delete("token");
    Response.Cookies.Delete("refresh_token");

    if (sloResult.IsResponse)
    {
      // SP-initiated SLO a été complété
      if (!string.IsNullOrEmpty(sloResult.RelayState))
      {
        await AdLogBdd.LogIntoDataBaseAsync(0, $"Redirection vers: {sloResult.RelayState}");
        return Redirect(sloResult.RelayState);
      }

      // Redirection par défaut
      return Redirect("/");
    }
    else
    {
      // Répondre à la requête IdP-initiated SLO
      await AdLogBdd.LogIntoDataBaseAsync(0, "Envoi de la réponse SLO");
      await _samlServiceProvider.SendSloAsync();
    }

    return new EmptyResult();
  }
  catch (Exception ex)
  {
    await AdLogBdd.LogIntoDataBaseAsync(0, $"Erreur SLO: {ex.Message}");

    // Même en cas d'erreur, on peut maintenant nettoyer les cookies
    Response.Cookies.Delete("token");
    Response.Cookies.Delete("refresh_token");

    return BadRequest(new { error = ex.Message });
  }
}

I don’t see any obvious issues with the code.

We use a saml-session cookie in support of the SAML protocol. It’s possible this cookie wasn’t sent with the logout request.

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

Enabling SAML for ASP.NET Core Trace

Please ensure the log includes both the successful SSO and failing SLO.