CanSLO from ApiController using SignOut API

Hello Team,

I would like to implement SLO using SignOut API written in one of the controller inherited from ApiController. This SignOut API is getting called from client written in typescript. I am unable to get the Response object in my controller inherited from ApiController to pass into InitiateSLO method

E.g. SAMLIdentityProvider.InitiateSLO(Response, null, null);

Am i doing anything wrong, please suggest how can I use the (SLO) or Response object under web api controller?

SAMLIdentityProvider.InitiateSLO will result in a 302 HTTP response being returned to the browser. The redirect URL is the logout service of the service provider with the SAML logout request encoded as a query string parameter.

Calling this method within a web API is problematic. The client presumably is expecting a 200 HTTP response and won’t be able to handle the 302 correctly.

Our recommendation is to not invoke SAML SSO or SLO from a web API. Instead, the client should have the browser initiate an HTTP Get to particular endpoints to initiate SSO or SLO.

Hello Team,

Thanks for the response, If I say same way (in API within an APIController), if I would like initiate SLO from ServiceProvider will that be recommended ?

E.g. SAMLServiceProvider.InitiateSLO(Response, null, null);

Calling SAMLIdentityProvider.InitiateSLO or SAMLServiceProvider.InitiateSLO within a web API is problematic for the reasons mentioned above. Both result in a 302 HTTP response.