Hi Guys,
I’m struggling with getting a robust logout process in place for my SP application when a user logs in using SAML SSO.
Our Service Provider application has a “logout” button. Before we introduced SAML SSO as an optional login mechanism for some of our clients, when the user clicks Logout, we simply performed these steps:
context.Session.Abandon();
FormsAuthentication.SignOut();
RedirectToLoginPage();
For SAML SLO, the process is as follows:
- check that CanSLO() returns true,
- if it does then call InitiateSLO() which populates the response object
- allow the page to end so that the user’s browser redirects to the IdP and logs out.
So here’s my problem:
I can’t run my ASP.NET sign out code first, followed by calls to CanSLO()/InitiateSLO(), as the session object will have been disposed, CanSLO() then returns false and InitiateSLO() does not work.
I can’t run the CanSLO()/InitiateSLO() code first, as this ends up redirecting to the IdP and the IdP displays a “You are now logged out” page with no return to our application and therefore, no mechanism to sign out of ASP.NET Forms.
Either way, one of the two sessions still exists and the user can effectively log back in without entering any credentials.
Can you advise on what I am doing wrong and how I get this use case to work?
Thanks
Chris
Hi Chris
It doesn’t sound like the IdP supports SAML SLO. If it did, it would send you a SAML logout response.
I suggest confirming this with the IdP.
Assuming that’s the case, the best option is to logout the user locally and simply redirect to the IdP’s logout page.
[quote]ComponentSpace - 9/17/2018
Hi Chris
It doesn't sound like the IdP supports SAML SLO. If it did, it would send you a SAML logout response.
I suggest confirming this with the IdP.
Assuming that's the case, the best option is to logout the user locally and simply redirect to the IdP's logout page.
[/quote]
The IdP in this case is Azure Active Directory which I'm pretty sure does support Single Log Out (SLO).
I don't even need it to sign out of all SPs that have authenticated with the idP but just our one.
The problem is, following the signout the idP is redirecting back to our SAML logout page but the browser session id is different (new session created I assume) and so it can't complete the local logout process.
Any ideas how I get the original sessionid to be passed back e.g.
Cookie Name: ASP.NET_SessionId
Cookie Value: cprzssbc2lhsfmueif3om5sp0
It's a vulnerability as the user thinks they've logged out (and the SAML session has logged out) but not the local session of our SP.
Thanks,
Chris
Hi Chris,
I suspect the ASP.NET_SessionId isn’t being returned as the SameSite property hasn’t been set as None.
Make sure you have the following set in your web.config:
For more information, please refer to:
https://www.componentspace.com/forums/10816/Application-Cookie-SameSite-None
If there’s still an issue, you can use the browser developer tools to determine why the cookie isn’t being sent.
https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies
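Putting the two points of this thread together as an added example (not ComponentSpace's or Chris's code): the local ASP.NET sign-out is deferred until the IdP's LogoutResponse arrives at the SP's SLO endpoint, with an immediate local sign-out only as the fallback when CanSLO() is false. It assumes the ComponentSpace SAML v2.0 for ASP.NET high-level API names SAMLServiceProvider.CanSLO(), InitiateSLO(Response, null), ReceiveSLO(Request, out isRequest, out logoutReason) and SendSLO(Response, null), the page names Logout and SLOService, and that the ASP.NET_SessionId and forms cookies are already configured with SameSite=None; Secure so they survive the cross-site redirect back from the IdP.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using ComponentSpace.SAML2; // assumed namespace of the high-level SAMLServiceProvider API
// Ends the SP's own sessions. Called only after SLO completes, or when SLO cannot run.
internal static class LocalSignOut
{
    public static void Run(HttpContext context)
    {
        context.Session.Abandon();
        FormsAuthentication.SignOut();
        // Session.Abandon() leaves ASP.NET_SessionId in the browser; expire it so the
        // old id is not presented again after logout.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty) { Expires = DateTime.UtcNow.AddDays(-1) };
        context.Response.Cookies.Add(expired);
    }
}

public partial class Logout : Page
{
    // Logout button: start SAML SLO while session state is still intact; sign out
    // locally right away only when there is no SAML session to close.
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        if (SAMLServiceProvider.CanSLO())
        {
            SAMLServiceProvider.InitiateSLO(Response, null); // browser is sent to the IdP
            return; // local sign-out happens in SLOService when the LogoutResponse returns
        }
        LocalSignOut.Run(Context);
        Response.Redirect("~/Login.aspx");
    }
}

// The SP's SingleLogoutService endpoint registered at the IdP. The IdP's redirect back
// here is cross-site, so ASP.NET_SessionId must be SameSite=None; Secure to be sent.
public partial class SLOService : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        SAMLServiceProvider.ReceiveSLO(Request, out bool isRequest, out string logoutReason);
        LocalSignOut.Run(Context); // both IdP-initiated and SP-initiated SLO end here
        if (isRequest)
            SAMLServiceProvider.SendSLO(Response, null); // answer the IdP's LogoutRequest
        else
            Response.Redirect("~/Login.aspx"); // our own SLO round-trip is complete
    }
}
```

If the session cookie still does not arrive at SLOService, ReceiveSLO has no SAML session state to match the response against, which is the symptom described above and the place to check with the browser developer tools.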