IdentityProvider SAML.config

Hello ComponentSpace,

In order to attain Mutl-Tenancy, I assume it is ok for me to put multiple PartnerServiceProvider in the IdentityProvider’s saml.config file? Like what I’ve done here:

<?xml version="1.0"?>

<IdentityProvider Name=“urn:componentspace:ExampleIdentityProvider”

<PartnerServiceProvider Name=“urn:componentspace:MvcExampleServiceProvider”
AssertionConsumerServiceUrl=“<a href=“http://localhost:51481/MvcExampleServiceProvider/SAML/AssertionConsumerService””>http://localhost:51481/MvcExampleServiceProvider/SAML/AssertionConsumerService"
SingleLogoutServiceUrl=“<a href=“http://localhost:51481/MvcExampleServiceProvider/SAML/SLOService””>http://localhost:51481/MvcExampleServiceProvider/SAML/SLOService"

<PartnerServiceProvider Name=“urn:componentspace:MvcExampleServiceProvider2”
AssertionConsumerServiceUrl=“<a href=“http://localhost:51482/MvcExampleServiceProvider2/SAML/AssertionConsumerService””>http://localhost:51482/MvcExampleServiceProvider2/SAML/AssertionConsumerService"
SingleLogoutServiceUrl=“<a href=“http://localhost:51482/MvcExampleServiceProvider2/SAML/SLOService””>http://localhost:51482/MvcExampleServiceProvider2/SAML/SLOService"

Adding multiple entries as you’ve done is perfectly valid. What this means is that your identity provider supports SAML SSO with multiple partner service providers.
We also support multi-tenancy. By this we mean that your application is acting as more than one identity provider or service provider. You might do this if, for example, you’re application is offering a service to multiple tenants in the cloud.
The following topic describes multi-tenancy.
However, if you simply wish to include multiple entries you don’t need to configure for multi-tenancy and what you currently have configured is all you need.

Thanks ComponentSpace. I am simply looking to develop an Identity Provider for multiple Service Providers, so it sounds like I am on the right path.

Question for you regarding “Logging Out”…

If I have signed in to multiple SPs using my IDP, if I “Log Out” of one of the SPs, should that also log me out of the other SPs I have signed into?

It should. The flow is as follows.

SP1 logs out.
SP1 sends logout request to IdP.
IdP logs out.
IdP sends logout request to SP2.
SP2 logs out.
SP2 sends logout response to IdP.
Above three steps repeat for any other SPs.
IdP sends logout response to SP1.

Our high-level API handles sending the various log requests and receiving the logout responses. As the identity provider you don’t have to handle this directly as it’s handled by our API.
One thing to note is that the SAML logout flow requires all service providers to participate correctly. If a service provider fails to send a logout response then the logout is incomplete. This is a limitation of the SAML specification.

Hello ComponentSpace,

Here’s what I’ve set up in my development environment…

I’ve got one IDP and two SPs.

Currently, my two SPs are just a copy of the MvcExampleServiceProvider, but I’ve ensured that both SPs are uniquely identifiable in the IDP saml.config file and are setup as different IIS websites.

I have no issues logging into both SPs and no issues logging out of either SP. But, it does not appear to me that logging out of one SP is logging me out of the other SP.

My questions are…

- If I successfully log out of SP1 and then go and refresh SP2, should SP2 show that I have been logged out?
- What can I do to ensure that logging out of one SP also logs me out of the second SP?

Just to minimize any confusion, ensure that the two SPs are using different authentication cookies. This is the forms name value in web.config. Just make sure the names are different.

If there’s still an issue, please enable SAML trace at the IdP and the two SPs and send the generated log files as email attachments to mentioning this post. I’d like to see the SSO and SLO.