How can SLO Response URL be set dynamically

Our application is using SP initiated SSO. We have 3 different instances which are all using the same Identity provider configuration for authentication. The ACS URL is set programmatically depending on which application is initiating the SSO. That part works fine, the authentication response is correctly sent to the domain based on the AssertionConsumerServiceUrl value.

The part where I am having a problem is for the SLO ( Single logout). When I create a logout request, the response is being sent to the URL in the Identity provider administration configuration setup. I would like to be able to specify the logout response URL by the service provider dynamically, just like the ACS. The response needs to be sent to the instance which initiated the logout request. Is that possible and how can I do that? Would appreciate some help.

I am using HTTPPostBinding.SendRequest to send the authentication request and SingleLogoutService.SendLogoutRequestByHTTPPost to send the logout request to the Identity provider.
Thanks.

The SAML authn request sent to the IdP as part of SSO can include the assertion consumer service URL. However, the SAML logout request doesn’t include the option to include the logout service URL. This isn’t a limitation in our product. It’s how the SAML specification is defined.

I’m not sure how you keep track of which of the three instances to use but perhaps your logout service could redirect the SAML logout response to the appropriate URL.

[quote]
ComponentSpace - 7/21/2021
The SAML authn request sent to the IdP as part of SSO can include the assertion consumer service URL. However, the SAML logout request doesn't include the option to include the logout service URL. This isn't a limitation in our product. It's how the SAML specification is defined.

I'm not sure how you keep track of which of the three instances to use but perhaps your logout service could redirect the SAML logout response to the appropriate URL.
[/quote]

If we do have a logout service, could we use the relay state parameter to know which URL to redirect to once we get the logout response from the IDP?
Also, I am a little unclear how and which of these in SAMLConfiguration are applicable in an SP-Initiated SSO scenario. I am a newbie and still learning, so I appreciate any help on how these are used.
PartnerServiceProviderConfigurations
PartnerIdentityProviderConfigurations
LocalIdentityProviderConfiguration
LocalServiceProviderConfiguration

Thanks.

Yes, that’s a good idea. The relay state can be used by the SP to remember information between sending the SAML logout request and receiving the SAML logout response. You could use this to remember which URL to redirect to after receiving the SAML logout response.

Please note that HTTPPostBinding.SendRequest and SingleLogoutService.SendLogoutRequestByHTTPPost are part of the SAML low-level API. This API doesn’t make use of SAML configuration. The SAML configuration is used by the SAML high-level API. We recommend using the high-level API wherever possible as it’s easier to use and requires less code.

The SAML high-level API for sending a SAML logout request is SAMLServiceProvider.InitiateSLO. The SAML logout response is received using SAMLServiceProvider.ReceiveSLO. To use these APIs you must also use the high-level API for the SSO. You can’t mix the low-level and high-level API as only the high-level SSO API remembers state information required to support SLO. The SAML high-level API, SAMLServiceProvider.InitiateSSO, has an overload that allows you to dynamically specify the assertion consumer service URL.

As an SP, only the LocalServiceProviderConfiguration and PartnerIdentityProviderConfigurations apply. The LocalIdentityProviderConfiguration and PartnerServiceProviderConfigurations apply if your application is an IdP. The configuration may be specified in a saml.config file or programmatically. There are a couple of options for setting configuration programmatically as outlined in the Configuration Guide.

https://www.componentspace.com/Forums/9350/Configuration-Guide
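The reply above suggests carrying "which instance started the logout" in the relay state. The following is an added example, not ComponentSpace code, showing how an SP can do that safely: the instance's return URL is kept server-side, only an opaque token goes out as RelayState, and the token is checked against an allowlist, consumed once, and expired. The three instance URLs and the two call sites named in comments (SAMLServiceProvider.InitiateSLO and SAMLServiceProvider.ReceiveSLO) are assumptions about how this would be wired in; the store itself is plain Python.

```python
"""Relay-state bookkeeping for SP-initiated single logout across several SP instances.

Added example (not ComponentSpace code). Pattern: before sending the SAML logout
request the SP records the instance URL it must return to and hands the IdP an
opaque RelayState token; when the logout response arrives at the SP's single
logout service, the token is resolved and the user is redirected.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed allowlist: post-logout landing pages of the three SP instances.
KNOWN_INSTANCES = {
    "https://app1.example.test/loggedout",
    "https://app2.example.test/loggedout",
    "https://app3.example.test/loggedout",
}
RELAY_STATE_MAX_BYTES = 80   # SAML 2.0 bindings limit RelayState to 80 bytes
PENDING_TTL_SECONDS = 300    # a logout request that is never answered expires


@dataclass
class PendingLogout:
    return_url: str
    issued_at: float


@dataclass
class SloRelayStateStore:
    """Server-side map of RelayState token -> instance return URL."""
    _pending: Dict[str, PendingLogout] = field(default_factory=dict)

    def begin_logout(self, return_url: str, now: Optional[float] = None) -> str:
        """Call just before SAMLServiceProvider.InitiateSLO (assumed call site).

        Returns the opaque token to pass as the relay state. Only URLs of the
        configured instances are accepted, so the RelayState can never carry
        an attacker-chosen redirect target.
        """
        if return_url not in KNOWN_INSTANCES:
            raise ValueError("return URL is not one of the configured SP instances")
        token = secrets.token_urlsafe(24)  # 32 URL-safe chars, well under 80 bytes
        if len(token.encode("ascii")) > RELAY_STATE_MAX_BYTES:
            raise RuntimeError("relay state exceeds the SAML 80-byte limit")
        self._pending[token] = PendingLogout(return_url, now if now is not None else time.time())
        return token

    def complete_logout(self, relay_state: Optional[str],
                        now: Optional[float] = None) -> Optional[str]:
        """Call after SAMLServiceProvider.ReceiveSLO returns the logout response (assumed call site).

        Returns the instance URL to redirect to, or None when the relay state is
        missing, unknown, already used or expired. The entry is consumed on first
        use so a replayed response cannot trigger a second redirect.
        """
        if not relay_state:
            return None
        entry = self._pending.pop(relay_state, None)
        if entry is None:
            return None
        current = now if now is not None else time.time()
        if current - entry.issued_at > PENDING_TTL_SECONDS:
            return None
        return entry.return_url


if __name__ == "__main__":
    store = SloRelayStateStore()
    token = store.begin_logout("https://app2.example.test/loggedout")
    # ... InitiateSLO(relayState=token) ... IdP ... ReceiveSLO() yields relayState ...
    print(store.complete_logout(token))  # https://app2.example.test/loggedout
    print(store.complete_logout(token))  # None (single use)
```

Because the IdP sends every logout response to the one SingleLogoutService URL it has configured, the store has to be reachable from that endpoint, not just from the instance that started the logout; with three separate instances that means a shared cache or database rather than the in-memory dict used here. Keeping the URL server-side and sending only a token also avoids the open-redirect problem of trusting a URL echoed back in RelayState.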

[quote]
ComponentSpace - 7/21/2021
Yes, that's a good idea. The relay state can be used by the SP to remember information between sending the SAML logout request and receiving the SAML logout response. You could use this to remember which URL to redirect to after receiving the SAML logout response.

Please note that HTTPPostBinding.SendRequest and SingleLogoutService.SendLogoutRequestByHTTPPost are part of the SAML low-level API. This API doesn't make use of SAML configuration. The SAML configuration is used by the SAML high-level API. We recommend using the high-level API wherever possible as it's easier to use and requires less code.

The SAML high-level API for sending a SAML logout request is SAMLServiceProvider.InitiateSLO. The SAML logout response is received using SAMLServiceProvider.ReceiveSLO. To use these APIs you must also use the high-level API for the SSO. You can't mix the low-level and high-level API as only the high-level SSO API remembers state information required to support SLO. The SAML high-level API, SAMLServiceProvider.InitiateSSO, has an overload that allows you to dynamically specify the assertion consumer service URL.

As an SP, only the LocalServiceProviderConfiguration and PartnerIdentityProviderConfigurations apply. The LocalIdentityProviderConfiguration and PartnerServiceProviderConfigurations apply if your application is an IdP. The configuration may be specified in a saml.config file or programmatically. There are a couple of options for setting configuration programmatically as outlined in the Configuration Guide.

https://www.componentspace.com/Forums/9350/Configuration-Guide

[/quote]

Thank you so much for this information. If I understood you correctly, the SAMLConfiguration and its properties are only applicable for the high-level API? Should I change to using the high-level API, in which case I can use the SAMLConfiguration class to set the properties? In the PartnerIdentityProviderConfigurations there is a property SingleLogoutServiceResponseUrl, how is that used? Could that be used to set redirection of the logout response? Thanks.

Your understanding is correct. The SAML configuration is only used by the SAML high-level API.

You can set the SAMLConfiguration class programmatically. However, if your configuration is dynamic, we recommend implementing the ISAMLConfigurationResolver interface as described in the Configuration Guide and demonstrated by the ExampleServiceProvider project. This gives you more control of the configuration and you can change it on the fly.

The SingleLogoutServiceResponseUrl is the location where SAML logout responses are sent to the partner IdP. If not specified, SAML logout responses are sent to the SingleLogoutServiceUrl.