We are using the method ReceiveSLO with success for an IdP-initiated SLO response. However, our users could be logged in to one or more subdomain sites of the domain in our ACS, thus they have ASP.NET session cookies for these subdomains which also need to be expired. The IdP is sending the NameID in the samlp:LogoutRequest which we could use to help log them out of the subdomain sites, but it appears we have no access to that property. ReceiveSLO returns void, and there is no out param of the assertion parameters…how do we access the NameID property being sent from the IdP?
We don’t make the NameID available, as you’ve discovered, as it’s normally not required.
Is each subdomain a different IdP?
Has the user SSO’d to a number of IdPs and you want to identify the IdP sending the logout request?
ReceiveSLO includes an output parameter that returns the name of the partner IdP.
Could that be used to meet your requirements?
Thank you for the reply. Unfortunately no, we need the actual NameID to verify if the user is currently authenticated on a subdomain site. We only planned to SSO a user at the root domain because we have hundreds of subdomain sites for which a single user could have been granted access…and those sites can only be reached after authenticating at the root domain. After some additional investigation, it appears we may be able to create cookies in the subdomain sites that can be accessed from the root (parent) domain, allowing us to expire a subdomain cookie manually from the root domain where the SLO response is received.
Does the cookies solution mean you no longer need the NameID?
We opted to drop an encrypted cookie at the root site that we could read to support SLO at any subdomain site for which the user is authenticated. The cookie method I mentioned in my prior post does work as expected, but it does pose a security risk for our specific site design, so it was ruled out as an option. For our specific case, ideally we would be able to read the NameID from the IdP response parameters collection, but I don’t know enough about the SAML spec to know if that would be reliable from IdP to IdP.
I think the encrypted cookie is a better option and means you’re not reliant on the IdPs.