We have set up an MVC application with Component Space as an IDP provider in ADFS. The ADFS has multiple identity providers. So when an user tries to access an Relying Party Application he gets redirected to the ADFS homerealm page. He then selects the ComponentSpace IDP from the dropdown and gets redirected to my MVC application (Component space). I have a login page through which user will enter his credentials → It will get validated – > If its success i want the user to SSO into his relying party application back. In IDP initiated flow i set the TargetURL with RPID which works fine. In the above case from where can i get the target URL.
What flow should i be using in this case IDP initiated or SP initiated. And guidance would be helpful.
Thanks,
Prasad
Hi Prasad
The flow you described is SP-initiated SSO. The user starts at the SP (relying party) and SSOs to the IdP (claims provider).
A SAML response will be returned to the SP and the SP should then redirect to the appropriate page. A target URL is not included in this flow as the SP should already know what the target URL is. In IdP-initiated SSO, the IdP may specify a target URL. This makes sense as the SP doesn’t have any prior knowledge of the target URL.
Hi Admin,
I was able to get this to work, by using SP initiated flow for Login. Thanks for the help.
Now i am trying logout for the above scenario. The Logout button is on the SP( Relying Party) site.
I have added my Logout controller action in my MVC Component Space IDP, and also added a SAML logout endpoint for my IDP in ADFS.
When the user clicks on the Logout link, it redirects to my controller action in MVC (Componet Space IDP). Here i am doing two things:-
1. SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP);
The isrequest comes as true.
2. SAMLIdentityProvider.SendSLO(Response, null);
This gives me error saying ‘A logout URL has not been configured for partner provider’
Is my flow correct, if so then where do i need to add the logout URl (in my SAML.config along with AssertionalConsumerServiceURL).
Thanks in advance.
The flow is correct. What is missing is the URL to which to send the logout response back to the SP.
In your saml.config add the following to your :
SingleLogoutServiceUrl=“URL of the SP’s logout service”
For ADFS, the SingleSignOnServiceUrl and SingleLogoutServiceUrl have the same value.
Hi Admin,
Thanks for you answer. I was able to get it redirected after adding the Logout URL in my saml.config file.
Now it gives me error as ADFS expects the logout response to be signed. I can see that ADFS request is signed so i am guessing that the response send from sendSLO method must not have been signed.
I have added the following in my config file
SignSAMLResponse = “true”,
PartnerCertificateFile = “sp.cer”
in the PartnerServiceProvider section. Am i missing anything that is to be added.
Thanks in advance.
You need to add the following to your :
SignLogoutResponse = “true”
Note that if you were initiating logout then you would also set:
SignLogoutRequest = “true”
You should also set the following so the received logout message signatures are verified:
WantLogoutRequestSigned = “true”
WantLogoutResponseSigned = “true”