A logout response was unexpectedly received.

Hi,

I have successfully implemented SAML SSO (high-level API) in several web applications with a common partner IP. SSO generally works fine, but I have a problem with subsequent logins which is easily reproducible:

1. Login to site via SAML (works fine)
2. Logout from site (works fine, SLO is sent, received and processed)
3. Try to login again, the redirections end up with a call to […]/SAML/SamlService.aspx?SamlAction=SingleLogOut&SAMLResponse=[…] which generates a ComponentSpace.SAML2.Exceptions.SAMLProtocolException (A logout response was unexpectedly received.).

It is entirely possible that the problem lies with the IP, but I’d like to confirm that before approaching these guys.

I can provide a SAML Trace file for the above use case.

Has anybody encountered this type of problem before?

Thank you for any advice and best regards,

Chris

Chris, please enable SAML trace and email us the log file. Please mention this topic for context. Thanks.

Hi again,

Please disregard the trace file I sent you; we identified and fixed the problem:

After completion of an SP-initiated SLO, I redirected the user to the login page using:

FormsAuthentication.RedirectToLoginPage("SignOut=1");

While this redirects correctly to my Login.aspx, it also appends the Querystring parameter ReturnURL which is set to the “SAMLService.aspx?SAMLAction=SingleLogOut[…]” URL. So, after a successful login, ASP.NET forms authentication redirects the user to the SLO-page which fails, as is normal.

I circumvented the problem by using:

Response.Redirect(FormsAuthentication.LoginUrl + "?SignOut=1", false);

This doesn’t set the ReturnURL parameter, so that the user is redirected to the default page.

Best regards,

Chris

Thanks Chris for the update and description of the solution.
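
A complementary guard for the login side, as an added example that is not part of the thread and not ComponentSpace code: it resolves the post-login target so that a ReturnUrl pointing at the SAML endpoint page, or at anything other than an app-local path, falls back to the default page. The class name `PostLoginRedirect` and the path constant (taken from the URL in the first post) are assumptions.

```csharp
using System;
using System.Web.Security;

public static class PostLoginRedirect
{
    // Assumption: the page hosting the SAML endpoints, as it appears in the
    // failing URL quoted in the thread. Adjust to the application's own path.
    private const string SamlServicePath = "/SAML/SamlService.aspx";

    // Returns a safe redirect target for use after a successful login.
    public static string Resolve(string returnUrl)
    {
        string fallback = FormsAuthentication.DefaultUrl;

        if (string.IsNullOrWhiteSpace(returnUrl))
            return fallback;

        // Accept only app-local paths: one leading '/', never "//" or "/\",
        // which browsers treat as a reference to another host.
        if (returnUrl[0] != '/')
            return fallback;
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
            return fallback;

        // Compare on the path only, ignoring query string and fragment.
        int cut = returnUrl.IndexOfAny(new[] { '?', '#' });
        string path = cut >= 0 ? returnUrl.Substring(0, cut) : returnUrl;

        // SAML protocol endpoints expect a protocol message in a specific
        // state; replaying one as a landing page raises the exception
        // described in the thread, so never use it as a return target.
        if (path.IndexOf(SamlServicePath, StringComparison.OrdinalIgnoreCase) >= 0)
            return fallback;

        return returnUrl;
    }
}

// Usage in the login code-behind, after the user has been authenticated:
//   Response.Redirect(PostLoginRedirect.Resolve(Request.QueryString["ReturnUrl"]), false);
```

With this in place a stale `ReturnUrl` carried over from a logout redirect is ignored rather than replayed, regardless of which redirect helper produced it.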