CanSLO in service provider returning false, after successful authentication from IDP.

I have successfully authenticated from the IdP. After successful authentication, I clicked my logout button and I am trying to log out from the IdP.
I am calling CanSLO to check the SLO status. It returns false on the first click; on the second click it returns true and SLO is executed.

ComponentSpace.SAML2.SAMLServiceProvider.CanSLO(WebConfigurationManager.AppSettings["partnerIdP"].ToString()) is returning false when I am trying to log out.

If you’re using a version earlier than 3.0.0, make sure you’re not clearing or abandoning the ASP.NET session as part of logout.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

After enabling the trace file, I am getting the log message below.

10652/9: 04-12-2018 16:14:49: Checking if the partner identity provider http://localhost:51801 has successfully completed SSO and also supports SLO.
10652/9: 04-12-2018 16:14:49: Service provider session (1089cd33-3f8c-4cc8-a9d6-9d9c679c04bf) state:
10652/9: 04-12-2018 16:14:49: SLO to the partner identity provider http://localhost:51801 cannot occur.

The service provider session state is empty. That explains why CanSLO is returning false.
Either a new session was created (i.e. a new browser session) or the existing session was cleared or abandoned.
If you email the entire log file I can confirm this but that looks like the case from what you’ve sent.

[quote]
ComponentSpace - 12/4/2018
The service provider session state is empty. That explains why CanSLO is returning false.
Either a new session was created (i.e. a new browser session) or the existing session was cleared or abandoned.
If you email the entire log file I can confirm this but that looks like the case from what you've sent.
[/quote]

I also have the same issue. Can you help me with that?

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

We use a SAML session cookie to support the SAML protocol and maintain SAML session state.
This state includes whether SAML SSO has completed and therefore SLO is possible.
By default this cookie is marked as secure.
The log includes:
"The SAML session cookie is marked as secure but the protocol is not HTTPS."
As HTTPS isn’t being used, the browser is not returning the cookie and therefore we’ve lost track of the SAML session state.
The best option is to use HTTPS for all communications.
Alternatively, specify that the SAML session cookie shouldn’t be marked as secure.


using ComponentSpace.SAML2.Data;

protected void Application_Start(object sender, EventArgs e)
{
    SessionIDDelegates.SecureSAMLCookie = false;
}



[quote]
ComponentSpace - 3/11/2019
We use a SAML session cookie to support the SAML protocol and maintain SAML session state.
This state includes whether SAML SSO has completed and therefore SLO is possible.
By default this cookie is marked as secure.
The log includes:
"The SAML session cookie is marked as secure but the protocol is not HTTPS."
As HTTPS isn't being used, the browser is not returning the cookie and therefore we’ve lost track of the SAML session state.
The best option is to use HTTPS for all communications.
Alternatively, specify that the SAML session cookie shouldn’t be marked as secure.


using ComponentSpace.SAML2.Data;

protected void Application_Start(object sender, EventArgs e)
{
    SessionIDDelegates.SecureSAMLCookie = false;
}



[/quote]

Thanks, now it's working.

You’re welcome.

Hi Support,

We got the same problem of CanSLO returning false. It seems like the SAML session is missing when trying to log out. We don't abandon the ASP.NET session before logout. How can we fix this?

I will send the SAML trace file to support@componentspace.com.

Thanks,
Charaka

Thanks for the log file.

It shows a call to SAMLServiceProvider.InitiateSSO has been made and then SAMLServiceProvider.CanSLO is called.

As SSO hasn’t completed, SLO isn’t possible.

After SAMLServiceProvider.ReceiveSSO is called and SSO completes, SAMLServiceProvider.CanSLO should return true.

Hi. Is this property "SecureSAMLCookie" not available anymore on the SessionIDDelegates class?

SessionIDDelegates.SecureSAMLCookie = false;

I am on V4 of the ComponentSpace library. Thanks

We refactored this code in V4.

There’s now a separate SAMLCookieOptions class under the ComponentSpace.SAML2.Data namespace.

Instead of SessionIDDelegates.SecureSAMLCookie there’s now SAMLCookieOptions.Secure. By default this property is set to true.

The recent SameSite changes in browsers mean that we now default to SameSite=None and Secure for the SAML_SessionId cookie.

If you set the Secure property to false you may run into issues with the browser not sending the cookie.
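As an added example (not code from ComponentSpace or from anyone in this thread), here is a Logout.aspx code-behind for an ASP.NET Web Forms service provider that guards the SLO call with CanSLO and, when it returns false, records which of the causes discussed in this thread applies: plain HTTP (so the Secure SAML_SessionId cookie is never sent), a missing cookie (a new or cleared browser session), or SSO not having completed for that partner. It assumes an InitiateSLO(Response, logoutReason, partnerIdP) overload on SAMLServiceProvider and the "partnerIdP" appSetting used earlier in the thread; SAMLCookieOptions.Secure is left at its default of true, as recommended above.

```csharp
// Added example, not ComponentSpace's or the thread's code.
// Logout.aspx code-behind for a Web Forms SP using ComponentSpace SAML v4.
// Assumed: SAMLServiceProvider.InitiateSLO(Response, logoutReason, partnerIdP)
// exists with that signature. The cookie name SAML_SessionId and the
// "partnerIdP" appSetting are taken from the thread.
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.UI;
using ComponentSpace.SAML2;

public partial class Logout : Page
{
    // Cookie ComponentSpace uses to track SAML session state (named in the thread).
    private const string SamlSessionCookieName = "SAML_SessionId";

    protected void Page_Load(object sender, EventArgs e)
    {
        string partnerIdP = WebConfigurationManager.AppSettings["partnerIdP"];

        if (SAMLServiceProvider.CanSLO(partnerIdP))
        {
            // SSO completed with this IdP and it supports SLO: start the logout.
            // Pre-3.0.0 builds kept SAML state in the ASP.NET session, so do not
            // clear or abandon that session before this call (see thread).
            SAMLServiceProvider.InitiateSLO(Response, null, partnerIdP);
            return;
        }

        // CanSLO is false: record the most likely cause before falling back.
        LogSloPrecondition(partnerIdP);

        // Local-only logout so the user is not left signed in at the SP.
        Session.Abandon();
        Response.Redirect("~/Login.aspx", false);
    }

    // Checks the request for the conditions the thread identifies as causes
    // of CanSLO returning false and writes a page-trace warning for each.
    private void LogSloPrecondition(string partnerIdP)
    {
        bool hasSamlCookie = Request.Cookies[SamlSessionCookieName] != null;
        bool isHttps = Request.IsSecureConnection;

        if (!isHttps)
        {
            // The cookie defaults to Secure (and SameSite=None in v4), so over
            // plain HTTP the browser never returns it and SP session state is empty.
            Trace.Warn("SLO", "Request is not HTTPS; the Secure SAML_SessionId cookie will not be sent. Use HTTPS (a self-signed certificate is fine for dev).");
        }
        else if (!hasSamlCookie)
        {
            // HTTPS but no cookie: a new browser session, or the session was
            // cleared or abandoned before logout.
            Trace.Warn("SLO", "No SAML_SessionId cookie on the request; the SAML session was lost (new browser session or session cleared before logout).");
        }
        else
        {
            // Cookie present: most likely SSO never completed (ReceiveSSO not
            // called) for this partner, as in the InitiateSSO-then-CanSLO log.
            Trace.Warn("SLO", "SAML session cookie present but CanSLO is false for " + partnerIdP + "; check that ReceiveSSO completed before logout.");
        }
    }
}
```

Reading Request.IsSecureConnection and the presence of the cookie in the same handler makes the application's own trace agree with the SAML trace, so a dev site on HTTP shows up as an explicit warning rather than as a silent false from CanSLO.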

[quote]
ComponentSpace - 9/9/2020
We refactored this code in V4.

There's now a separate SAMLCookieOptions class under the ComponentSpace.SAML2.Data namespace.

Instead of SessionIDDelegates.SecureSAMLCookie there's now SAMLCookieOptions.Secure. By default this property is set to true.

The recent SameSite changes in browsers mean that we now default to SameSite=None and Secure for the SAML_SessionId cookie.

If you set the Secure property to false you may run into issues with the browser not sending the cookie.
[/quote]


[quote]
ComponentSpace - 9/9/2020
We refactored this code in V4.

There's now a separate SAMLCookieOptions class under the ComponentSpace.SAML2.Data namespace.

Instead of SessionIDDelegates.SecureSAMLCookie there's now SAMLCookieOptions.Secure. By default this property is set to true.

The recent SameSite changes in browsers mean that we now default to SameSite=None and Secure for the SAML_SessionId cookie.

If you set the Secure property to false you may run into issues with the browser not sending the cookie.
[/quote]

Our dev site is not on HTTPS and we are not able to see the SAML_SessionId cookie in the browser, due to which the logout calls to the IdP are failing. This works fine in our prod environment, which is on HTTPS. Any advice for this?

Thanks

This is a restriction imposed by Chrome and other browsers. If SameSite is specified then the cookie must also be set as secure.

https://www.componentspace.com/Forums/10511/SAML-Cookie-SameSite-Mode-None

You can configure your dev site with a self-signed SSL certificate, for example, and use HTTPS.


Hello,
Same problem with CanSLO here.
Right now I am using your ExampleIdentityProvider and ExampleServiceProvider examples to test login and logout and, of course, they work.
Since I need to implement SAML in our ServiceProvider, I wanted to use your example IdP and connect to it.
I call this method in my Login.aspx page:
SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);
and in AssertionConsumerService.aspx I use SAMLServiceProvider.ReceiveSSO.

This is what I get in the logs:
19024/7: 15/09/2020 13:32:08: Identity provider session (40a1e9eb-5d4d-45e0-a6ae-27c059494993) state:
SSO session state:
Partner name: https://ExampleServiceProvider
Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">testuser</saml:NameID>
Session index: _ec1234af-999f-47cb-807a-1bbfb9991d1f

19024/7: 15/09/2020 13:32:08: An SSO response has been successfully sent to the partner service provider https://ExampleServiceProvider.

When I try to log out, CanSLO returns false and nothing is written or added to the log file: I get redirected to the login page, the credentials are still valid so I don't have to enter them, and I get into my application directly.

Where am I wrong? Is it possible to use your IdP example as a stand-alone service to connect to with any SP implementing SAML (for testing purposes), or is it strongly tied to your SP example?

Thank you
Fabio

[quote]
fabio - 9/15/2020
Hello,
Same problem with CanSLO here.
Right now I am using your ExampleIdentityProvider and ExampleServiceProvider examples to test login and logout and, of course, they work.
Since I need to implement SAML in our ServiceProvider, I wanted to use your example IdP and connect to it.
I call this method in my Login.aspx page:
SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);
and in AssertionConsumerService.aspx I use SAMLServiceProvider.ReceiveSSO.

This is what I get in the logs:
19024/7: 15/09/2020 13:32:08: Identity provider session (40a1e9eb-5d4d-45e0-a6ae-27c059494993) state:
SSO session state:
Partner name: https://ExampleServiceProvider
Name ID: testuser
Session index: _ec1234af-999f-47cb-807a-1bbfb9991d1f

19024/7: 15/09/2020 13:32:08: An SSO response has been successfully sent to the partner service provider https://ExampleServiceProvider.

When I try to log out, CanSLO returns false and nothing is written or added to the log file: I get redirected to the login page, the credentials are still valid so I don't have to enter them, and I get into my application directly.

Where am I wrong? Is it possible to use your IdP example as a stand-alone service to connect to with any SP implementing SAML (for testing purposes), or is it strongly tied to your SP example?

Thank you
Fabio
[/quote]

I managed to make it work with IE or Edge.
I noticed that with either of these two browsers I have the cookie SAML_SessionId (I saw it using the debugging tools, F12), while with Chrome, which I always used during previous tests, this cookie is not present.
Is this the cookie you create to keep the link with the ASP session? If so, why don't I have it with Chrome?

Thank you
Fabio

[quote]
fabio - 9/15/2020
Hello,
Same problem with CanSLO here.
Right now I am using your ExampleIdentityProvider and ExampleServiceProvider examples to test login and logout and, of course, they work.
Since I need to implement SAML in our ServiceProvider, I wanted to use your example IdP and connect to it.
I call this method in my Login.aspx page:
SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);
and in AssertionConsumerService.aspx I use SAMLServiceProvider.ReceiveSSO.

This is what I get in the logs:
19024/7: 15/09/2020 13:32:08: Identity provider session (40a1e9eb-5d4d-45e0-a6ae-27c059494993) state:
SSO session state:
Partner name: https://ExampleServiceProvider
Name ID: testuser
Session index: _ec1234af-999f-47cb-807a-1bbfb9991d1f

19024/7: 15/09/2020 13:32:08: An SSO response has been successfully sent to the partner service provider https://ExampleServiceProvider.

When I try to log out, CanSLO returns false and nothing is written or added to the log file: I get redirected to the login page, the credentials are still valid so I don't have to enter them, and I get into my application directly.

Where am I wrong? Is it possible to use your IdP example as a stand-alone service to connect to with any SP implementing SAML (for testing purposes), or is it strongly tied to your SP example?

Thank you
Fabio
[/quote]

The ExampleIdentityProvider isn't tied to the ExampleServiceProvider. It will work with any SP and can be used to test with your application.

[quote]
fabio - 9/15/2020
[quote]
fabio - 9/15/2020
Hello,
Same problem with CanSLO here.
Right now I am using your ExampleIdentityProvider and ExampleServiceProvider examples to test login and logout and, of course, they work.
Since I need to implement SAML in our ServiceProvider, I wanted to use your example IdP and connect to it.
I call this method in my Login.aspx page:
SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);
and in AssertionConsumerService.aspx I use SAMLServiceProvider.ReceiveSSO.

This is what I get in the logs:
19024/7: 15/09/2020 13:32:08: Identity provider session (40a1e9eb-5d4d-45e0-a6ae-27c059494993) state:
SSO session state:
Partner name: https://ExampleServiceProvider
Name ID: testuser
Session index: _ec1234af-999f-47cb-807a-1bbfb9991d1f

19024/7: 15/09/2020 13:32:08: An SSO response has been successfully sent to the partner service provider https://ExampleServiceProvider.

When I try to log out, CanSLO returns false and nothing is written or added to the log file: I get redirected to the login page, the credentials are still valid so I don't have to enter them, and I get into my application directly.

Where am I wrong? Is it possible to use your IdP example as a stand-alone service to connect to with any SP implementing SAML (for testing purposes), or is it strongly tied to your SP example?

Thank you
Fabio
[/quote]

I managed to make it work with IE or Edge.
I noticed that with either of these two browsers I have the cookie SAML_SessionId (I saw it using the debugging tools, F12), while with Chrome, which I always used during previous tests, this cookie is not present.
Is this the cookie you create to keep the link with the ASP session? If so, why don't I have it with Chrome?

Thank you
Fabio

[/quote]
What version of the SAML product are you using?

Earlier this year we updated the SAML_SessionId cookie so it's marked as Secure and SameSite=None in support of Chrome browser changes.

The SAML_SessionId is used to maintain SAML session state in support of the SAML protocol. If it's not sent by the browser we won't be able to support SLO.

Are you using HTTPS to access your application? This is required as the cookie's marked as secure.

If there's still an issue, please enable SAML trace at your SP and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

I'd like to see your application start-up, the successful SSO and failing SLO.

Also, use the browser developer tools (F12) to capture the network traffic and send the saved HAR file.

Please use Chrome's Incognito mode so no old session cookies are used.