CanSloAsync returns false

lucas · October 5, 2020, 8:09am

Hi,

I’m using your examples for my IDP and the SP.
I’m trying to use the SLO but the method always returns false.

My C# code is like:

var ssoState = await _samlServiceProvider.GetStatusAsync();

if (await ssoState.CanSloAsync())
{
// Request logout at the service provider(s).
await _samlServiceProvider.InitiateSloAsync(relayState: url);
return new EmptyResult();
}
return new SLOResult() { UrlToRedirect = url};

As far as I read, it can happen when there is no configuration in the SP side, but my configuration is:

{
“Configurations”: [
{
“LocalServiceProviderConfiguration”: {
“AssertionConsumerServiceUrl”: “<a href=“http://localhost:47952/Saml2/Acs",">http://localhost:47952/Saml2/Acs”,
“Description”: “Service Provider”,
“Name”: “<a href=“https://myCompany.com”,”>https://myCompany.com”,
“SingleLogoutServiceUrl”: “<a href=“http://localhost:47952/Saml2/SingleLogoutService””>http://localhost:47952/Saml2/SingleLogoutService"
},
“PartnerIdentityProviderConfigurations”: [
{
“Description”: “myCompany IDP”,
“Name”: “<a href=“https://myCompanyidp.myCompany.io”,”>https://myCompanyidp.myCompany.io",
],
“SingleLogoutServiceUrl”: “<a href=“https://idp.myCompany.org/SAML/SingleLogoutService",">https://idp.myCompany.org/SAML/SingleLogoutService”,
“SingleSignOnServiceUrl”: “<a href=“https://idp.myCompany.org/SAML/SSOService””>https://idp.myCompany.org/SAML/SSOService”
}
]
}
]
}

Also, I’ve enabled the trace log, and the only message that I have when I call this endpoint is:

2020-10-05 15:46:15.812 +01:00 [DBG] The SSO session ID SESSION-ID has been saved to the saml-session cookie.
2020-10-05 15:46:15.814 +01:00 [DBG] SSO session state is being initialized.
2020-10-05 15:46:15.816 +01:00 [DBG] SSO session state for saml-session-SESSION-ID-SamlState is being saved to the distributed cache.

Is there another place that I can check?

Thank you very much

ComponentSpace · October 5, 2020, 2:56pm

We use a saml-session cookie to maintain SAML session state including whether SLO is permitted.

This saml-session cookie is marked as Secure which means you should use HTTPS endpoints throughout your application. I see in your configuration you have HTTP endpoints. Please switch to HTTPS and try again.

The examples we ship use HTTPS and CanSloAsync correctly returns true.

lucas · October 6, 2020, 9:00am

Thank you very much.
Changed to https solved the issue.

ComponentSpace · October 6, 2020, 2:30pm

Thanks for the update.