Hi Team,
I am getting the below error when I sign out from Google or from the identity provider.
Below is my SAML configuration:
<PartnerServiceProvider Name="google.com/a/mydomain.com"
    WantAuthnRequestSigned="false"
    SignSAMLResponse="true"
    SignAssertion="false"
    EncryptAssertion="false"
    NameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    AssertionConsumerServiceUrl="https://www.google.com/a/mydomain.com/acs"
    SingleLogoutServiceUrl="https://mail.google.com/a/mydomain.com/?logout"
    PartnerCertificateFile="mycert.cer"/>
Google doesn't support SAML logout.
The sign-out URL you configure in Google is where it will redirect to. This is a simple HTTP GET rather than a SAML logout request.
So what is the solution for this?
I need to log out from Google and from the identity provider when I try to log out from Google.
Below are my settings at the Google admin console:
When a user logs out from Google, Google will redirect to the sign-out URL you've configured.
You can then log out the user from the identity provider as well.
This doesn't involve SAML but instead is simply a redirect to your application.
My Google settings are:
// Requires: using System.Web.Mvc; using ComponentSpace.SAML2;
public virtual ActionResult SLOService()
{
    // Receive the single logout request or response.
    // If a request is received then single logout is being initiated by the service provider.
    // If a response is received then this is in response to single logout having been initiated by the identity provider.
    bool isRequest = false;
    bool hasCompleted = false;
    string logoutReason = null;
    string partnerSP = null;

    SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP);

    if (isRequest)
    {
        // Logout locally.
        //FormsAuthentication.SignOut();
        SignoutManager.SignoutIdentityProvider();

        // Respond to the SP-initiated SLO request indicating successful logout.
        SAMLIdentityProvider.SendSLO(Response, null);
    }
    else
    {
        if (hasCompleted)
        {
            // IdP-initiated SLO has completed.
            Response.Redirect("~/");
        }
    }

    return new EmptyResult();
}
The above is my code. Could you please let me know what changes I have to make?
Remove the calls to SAMLIdentityProvider.ReceiveSLO and SAMLIdentityProvider.SendSLO as this isn't a SAML logout message exchange.
Google will redirect to your page (i.e. an HTTP GET) rather than sending a SAML logout request.
Your code will be something like the following:

SignoutManager.SignoutIdentityProvider();
return RedirectToAction("Index", "Home");

It's really whatever makes sense for your application.
You probably want to log out the user locally and then redirect somewhere within your application.
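As an added example (not the poster's controller and not ComponentSpace's sample code), here is one way to keep the two cases apart: a plain GET action for the Google sign-out redirect, which carries no SAML message and nothing signed, and a separate SLOService action for partners that really do send LogoutRequest/LogoutResponse messages. Because the Google redirect is an unauthenticated GET, the only thing the endpoint can safely do is end the local session and, where other SAML sessions still exist, start IdP-initiated SLO towards those service providers. It assumes the ComponentSpace SAML v2.0 for ASP.NET MVC API already used in this thread (SAMLIdentityProvider.ReceiveSLO, SendSLO, IsSSO and InitiateSLO), ASP.NET forms authentication for the local session, and a hypothetical route for the Google sign-out URL; SignOutLocally and IsSamlLogoutMessage are helpers added for this example.

```csharp
// Added example: separates Google's plain-GET sign-out redirect from real SAML SLO.
// Assumes ComponentSpace SAML v2.0 for ASP.NET MVC (ComponentSpace.SAML2) and
// forms authentication; the route names are hypothetical.
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2;

public class SamlController : Controller
{
    // Configure this URL (e.g. https://idp.example.com/saml/google/SignOut, hypothetical)
    // as the sign-out page in the Google Admin console. Google sends a bare HTTP GET
    // here: no SAMLRequest, no signature, so nothing on the request can be trusted.
    [HttpGet]
    public ActionResult GoogleSignOut()
    {
        SignOutLocally();

        // If the IdP still has SAML sessions with other service providers
        // (for example Office 365), send them LogoutRequests via IdP-initiated SLO.
        // InitiateSLO writes the redirect/POST form to Response, so return EmptyResult.
        if (SAMLIdentityProvider.IsSSO())
        {
            SAMLIdentityProvider.InitiateSLO(Response, null);
            return new EmptyResult();
        }

        return RedirectToAction("Index", "Home");
    }

    // SAML single logout endpoint for partners that do exchange logout messages.
    public ActionResult SLOService()
    {
        // Defensive check: with neither SAMLRequest nor SAMLResponse present this is
        // not a SAML logout exchange (Google's redirect would land here if it were
        // pointed at this URL by mistake), so handle it like the Google case instead
        // of letting ReceiveSLO fail on a message that is not there.
        if (!IsSamlLogoutMessage(Request))
        {
            return GoogleSignOut();
        }

        bool isRequest;
        bool hasCompleted;
        string logoutReason;
        string partnerSP;

        SAMLIdentityProvider.ReceiveSLO(Request, Response,
            out isRequest, out hasCompleted, out logoutReason, out partnerSP);

        if (isRequest)
        {
            // SP-initiated SLO: end the local session, then answer the SP's LogoutRequest.
            SignOutLocally();
            SAMLIdentityProvider.SendSLO(Response, null);
            return new EmptyResult();
        }

        // A LogoutResponse during IdP-initiated SLO. The library continues the
        // exchange with any remaining service providers and reports hasCompleted
        // once all of them have responded.
        if (hasCompleted)
        {
            return RedirectToAction("Index", "Home");
        }

        return new EmptyResult();
    }

    // Clears the forms-authentication ticket and the server-side session.
    private void SignOutLocally()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
    }

    // True when the request carries a SAML protocol message in either the
    // HTTP-Redirect (query string) or HTTP-POST (form) binding.
    private static bool IsSamlLogoutMessage(HttpRequestBase request)
    {
        return request.QueryString["SAMLRequest"] != null
            || request.QueryString["SAMLResponse"] != null
            || request.Form["SAMLRequest"] != null
            || request.Form["SAMLResponse"] != null;
    }
}
```

Keeping the Google redirect on its own action also makes it obvious in the code that this endpoint performs no message validation; the SAML endpoint is the only place where ReceiveSLO's signature checks apply.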
Hi Team,
Thanks for the reply.
I have modified the code as below:
// Requires: using System.Web.Mvc; using ComponentSpace.SAML2;
public override ActionResult SLOService()
{
    // Google redirects here with a plain HTTP GET, so log out locally first.
    SignoutManager.SignoutSolusIdentityProvider();

    if (SAMLIdentityProvider.IsSSO())
    {
        // Request logout at the service providers.
        SAMLIdentityProvider.InitiateSLO(Response, null);
        return new EmptyResult();
    }

    return RedirectToAction("Index", "Home");
}
But I have a new problem now.
I have another SSO configured for Office 365 which has another endpoint for SSOService (saml/office365/SSOService) and SLOService (saml/office365/SLOService).
For Google I have another endpoint SSOService (saml/google/SSOService) and SLOService (saml/google/SLOService).
When I log out from Google (SP-initiated logout) I am not getting logged out from Office 365.
But when I log out from Office 365 I get logged out from Google.
What could be the issue? Let me know if you want my code snippets or SAML configs.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning this forum post.
I’d like to see both scenarios for comparison.
If you could send separate log files identifying which is which that would be very helpful.