ComponentSpace.SAML2.Exceptions.SAMLConfigurationException: A logout URL has not been configured for partner provider

Hello there

We are evaluating your product for SP-initiated SSO with Salesforce and are consistently getting a “ComponentSpace.SAML2.Exceptions.SAMLConfigurationException: A logout URL has not been configured for partner provider” exception on logout. The SLO endpoint is being hit, but the exception occurs when

SAMLServiceProvider.ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP);

is called.

Please advise.

Regards,

Darren

This error occurs if you attempt to send a SAML logout request or response to the partner provider but a SAML logout URL hasn’t been configured for the partner. You need to specify a SingleLogoutServiceUrl for your PartnerServiceProvider in the SAML configuration.
However, Salesforce never used to support SAML logout. I checked the Salesforce documentation and this still appears to be the case. In Salesforce you can configure a logout URL but this is for simple redirects rather than SAML logout.
You’re welcome to enable SAML trace and send the log file as an email attachment to support@componentspace.com. Please mention this topic.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Hello,

Since SLO is a kind of “bonus” functionality, the logout URL is not always configured. We have an application that allows you to configure multiple SPs and IdPs and we’re facing the same problem as described in this thread if the logout URL is not configured.

Is there a better way to find out if there are any SPs or IdPs to log out from before calling SAMLIdentityProvider.InitiateSLO() or SAMLServiceProvider.InitiateSLO() than catching SAMLProtocolException and then looking at the message?

Thanks

Examples:

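try
{
    SAMLIdentityProvider.InitiateSLO(System.Web.HttpContext.Current.Response, null);
}
catch (SAMLProtocolException exception)
{
    // The only way to recognise this case is to compare the exception message text.
    if (exception.Message.Equals("There are no partner service providers to logout."))
    {
        // Nothing to log out from; as posted, control still reaches the rethrow below.
    }

    throw;
}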

------------------------------------------------------------------

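try
{
    SAMLServiceProvider.InitiateSLO(System.Web.HttpContext.Current.Response, null);
}
catch (SAMLProtocolException exception)
{
    // partnerSp is the name of the partner service provider (defined elsewhere).
    if (exception.Message.Equals(string.Format("Logout from the partner service provider {0} is disabled.", partnerSp)))
    {
        // Logout is disabled for this partner; as posted, control still reaches the rethrow below.
    }

    throw;
}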




You can call SAMLIdentityProvider.IsSSO() or SAMLServiceProvider.IsSSO() to determine whether or not there’s an SSO session.
If these calls return false then there’s no SSO session to log out.

SAMLIdentityProvider.IsSSO() and SAMLServiceProvider.IsSSO() are true in the situations described above. They don’t take into account the logout URL not being set. Do you have any other recommendation?

Please see our example code below (which will throw an exception…):


if (isRequest && SAMLIdentityProvider.IsSSO())
{
    IntegrationHelper.LogMessage(logEventId, IntegrationHelper.LogMessageType.Debug, "Initiating SAML Single Logout (SLO) from Service Provider(s).");

    // Throws when a partner has no logout URL configured, even though IsSSO() is true.
    SAMLIdentityProvider.InitiateSLO(System.Web.HttpContext.Current.Response, null);

    IntegrationHelper.LogMessage(logEventId, IntegrationHelper.LogMessageType.Debug, "Initiated SAML Single Logout (SLO).");

    return new EmptyResult();
}

The assumption is that if you’re calling SAMLIdentityProvider.InitiateSLO, logout has been configured correctly.
How would you like to see this work?
Perhaps we could introduce another method which returns true if there’s an SSO session and logout URLs are configured.
Would that meet your requirements?

Yes, something like that. To be more explicit:

Introduce a method that would return true if there’s an SSO session and the session contains at least one SP that has a logout URL configured. E.g. SAMLIdentityProvider.CanLogout()
Introduce a method that would return true if there’s an SSO session and the session contains an IdP that has a logout URL configured. E.g. SAMLServiceProvider.CanLogout()

Thanks

Thanks for the confirmation and suggestion.
Please email us mentioning this topic.
We would like to run any proposed changes past you to ensure they meet your requirements.
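
A pre-flight check along the lines requested in this thread, as an added example that is not code from any poster or from ComponentSpace: it reads a SAML configuration file's XML directly and lists the partners that have no SingleLogoutServiceUrl, so the application can skip SAML logout for them and knows their sessions will not be ended by SLO. It assumes partners appear as PartnerServiceProvider or PartnerIdentityProvider elements with Name and SingleLogoutServiceUrl attributes; the class name, method name and sample configuration are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class SloPreflight
{
    // Assumed element names for partner entries in the SAML configuration.
    static readonly string[] PartnerElements =
        { "PartnerServiceProvider", "PartnerIdentityProvider" };

    // Returns the names of partners with a missing or blank SingleLogoutServiceUrl.
    // Elements are matched by local name, so the check works with or without
    // an XML namespace on the configuration root.
    public static List<string> PartnersWithoutLogoutUrl(string configXml)
    {
        return XDocument.Parse(configXml)
            .Descendants()
            .Where(e => PartnerElements.Contains(e.Name.LocalName))
            .Where(e => string.IsNullOrWhiteSpace(
                (string)e.Attribute("SingleLogoutServiceUrl")))
            .Select(e => (string)e.Attribute("Name") ?? "(unnamed partner)")
            .ToList();
    }

    static void Main()
    {
        // Constructed sample configuration, not taken from the thread.
        const string sample = @"<SAMLConfiguration>
  <IdentityProvider Name=""urn:example:idp"" />
  <PartnerServiceProvider Name=""urn:example:sp-with-slo""
      SingleLogoutServiceUrl=""https://sp1.example.test/SAML/SLOService"" />
  <PartnerServiceProvider Name=""urn:example:sp-redirect-only"" />
  <PartnerServiceProvider Name=""urn:example:sp-blank-url""
      SingleLogoutServiceUrl="""" />
</SAMLConfiguration>";

        List<string> missing = PartnersWithoutLogoutUrl(sample);

        // Prints the two partners that SAML logout cannot reach.
        foreach (string name in missing)
            Console.WriteLine("No SAML logout URL configured: " + name);

        if (missing.Count == 0)
            Console.WriteLine("All partners have a SAML logout URL.");
    }
}
```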