Hi Team,
I have implemented Google and Office 365 SSO.
But IdP-initiated logout is not working sometimes. In the Chrome browser it fails almost constantly, and in Firefox there is a good rate of success.
Am I doing something wrong?
Below is the code snippet for logout in my application. Please advise me how to solve this.
public ActionResult LogOut()
{
    try
    {
        // End the user's local session at the IdP application first.
        SignoutManager.SignoutSolusIdentityProvider();

        if (SAMLIdentityProvider.IsSSO())
        {
            // Request logout at the service providers.
            // InitiateSLO writes the redirect itself, so return an empty result.
            SAMLIdentityProvider.InitiateSLO(Response, null);
            return new EmptyResult();
        }

        return RedirectToAction("Index", "Home");
    }
    catch (Exception)
    {
        return RedirectToAction("Index", "Error");
    }
}
Hi Kiran
The code looks fine. It’s surprising you’re seeing a browser specific issue, especially with Chrome.
Could you describe what happens?
In the browser address bar, do you end up at the IdP site still or the SP site?
Please note that Google doesn’t support SAML logout. In the Google admin console, you configure a URL for simple HTTP redirects rather than SAML logout.
Also, we have seen issues with Office 365’s support for SAML logout. SP-initiated SLO works but IdP-initiated SLO appears to have issues.
Hi Team,
It would be fine if the issue were consistent. But the problem is that sometimes this works and sometimes it doesn't. Even in Chrome it works at times.
Here is the flow:
1. Log in to the IdP site.
2. Sign in to Google from a button on the IdP site.
3. Log out from the IdP site.
4. Logout happens and the browser shows the IdP site login page.
5. But when I refresh Gmail in the other tab, I can see that it is still logged in.
The above scenario works most of the time in Firefox, but in Chrome it fails most of the time.
Also, I would like to know what the issues are with Google and Office 365 IdP-initiated SLO. Please list all the issues, as I have to state this clearly to my client.
Thanks
Just to be clear, as Google doesn’t support SAML logout, I would not expect you to be logged out of Google in the other browser tab.
This shouldn’t be browser specific.
It’s simply that Google doesn’t support SAML logout.
Hi Team,
OK, I understand. But then how come it works sometimes using the same code above?
I have taken it from your sample code snippets only.
I can give another scenario too. If I SSO to Google and Office and then do IdP-initiated SLO, it works perfectly.
So there is definitely something wrong in what I am doing, or some issue with the ComponentSpace component.
Thanks
Could you please enable SAML trace and send the generated log file to support@componentspace.com mentioning this topic?
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
I’d like to see successful SSO to Google followed by successful SLO from Google.
As I said, I don’t believe Google supports SLO but the trace will show what’s going on.
Hi Team,
I have sent you the trace logs for the 3 scenarios below by email:
1. Successful IdP-initiated single sign-out trace log when Google is signed in through SSO
2. Successful IdP-initiated single sign-out trace log when Office 365 is signed in through SSO
3. Successful IdP-initiated single sign-out trace log when Google and Office 365 are signed in through SSO
All 3 scenarios work sometimes and fail at other times. I would like to know why the same code causes 2 different behaviours. It has to be consistent: either it signs out or it doesn't.
Hi Kiran
Thank you for the logs.
Google
The Google signout log shows successful IdP-initiated SSO to Google.
It then shows you call SAMLIdentityProvider.InitiateSLO to initiate logout to Google.
A SAML logout request is successfully sent to Google but no logout response is returned from Google.
As I’ve mentioned before, Google does not support SAML logout.
It will not process the SAML logout request. Nor will it send a logout response.
Therefore, from your IdP’s perspective, SAML logout actually failed.
You should not attempt SAML logout with Google as it’s not supported by Google.
Instead, you should simply logout the user locally at the IdP application.
Office 365
The Office 365 signout log shows successful IdP-initiated SSO to Google.
It then shows you call SAMLIdentityProvider.InitiateSLO to initiate logout to Office 365.
A SAML logout request is successfully sent to Office 365 but, instead of returning a logout response, Office 365 erroneously sends a logout request.
We then send a logout response in reply to Office 365’s logout request.
However, Office 365 has not followed the SAML logout protocol correctly.
It should have sent a SAML logout response in response to the logout request it received. Instead, it sent a logout request.
As I’ve mentioned before, we’ve seen issues with Office 365 support of SAML logout.
It may have resulted in successful logout but Office 365 returning a logout request after receiving a logout request is clearly wrong.
We have seen instances where Office 365 sends neither a logout request nor response.
Our feeling is that, currently, Office 365's support for SAML logout is unreliable. Hopefully this will change with updates to Office 365.
Google + Office 365
The Google + Office 365 signout log shows successful IdP-initiated SSO to Google and Office 365.
It then shows you call SAMLIdentityProvider.InitiateSLO to initiate logout to both service providers.
SAML logout requires all participants to adhere to the logout protocol and respond to logout requests.
A logout request is sent to Google but no response is received as Google doesn’t support SAML logout.
A logout request won’t be sent to Office 365 until Google sends a logout response which, of course, won’t happen.
Therefore, this particular attempt to SAML logout can never succeed with Google involved.
You then call SAMLIdentityProvider.InitiateSLO a second time.
As a logout request has been sent to Google already, we now send a logout request to Office 365.
Office 365 incorrectly replies with a logout request as before and we send a logout response to Office 365.
This may have resulted in logout at Office 365.
Summary
1. SAML logout to Google should not be attempted as Google does not support SAML logout.
2. SAML logout to Office 365 is unreliable as Office 365 doesn’t correctly handle IdP-initiated logout.
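The sequencing described in the reply above (one LogoutRequest at a time, the next partner only contacted after the previous one returns a LogoutResponse, and a second InitiateSLO call moving past a partner that never answered) can be modelled in a few lines. The following is an added example, not ComponentSpace code and not anything from the thread's logs; the partner names and the three SP behaviours (compliant, silent like Google, LogoutRequest-instead-of-LogoutResponse like Office 365) are assumptions drawn from the discussion, and the `IdpSloSession` class and its method names are hypothetical.

```python
"""Simulation of IdP-initiated SAML 2.0 Single Logout against several SPs.

Example code only: not ComponentSpace's implementation.  The partner
behaviours below are assumptions based on the forum discussion.
"""
from typing import Callable, Dict, List, Optional
from dataclasses import dataclass

LOGOUT_REQUEST = "LogoutRequest"
LOGOUT_RESPONSE = "LogoutResponse"


@dataclass
class Msg:
    kind: str                      # LogoutRequest or LogoutResponse
    sender: str
    recipient: str
    msg_id: str
    in_response_to: Optional[str] = None


SPBehaviour = Callable[[str, Msg], Optional[Msg]]


def compliant_sp(name: str, req: Msg) -> Optional[Msg]:
    """Spec-conformant SP: answers a LogoutRequest with a LogoutResponse."""
    return Msg(LOGOUT_RESPONSE, name, req.sender, f"{name}-resp", req.msg_id)


def silent_sp(name: str, req: Msg) -> Optional[Msg]:
    """Google-like SP (assumed): SAML logout unsupported, request ignored."""
    return None


def request_back_sp(name: str, req: Msg) -> Optional[Msg]:
    """Office 365-like SP (assumed): replies with its own LogoutRequest."""
    return Msg(LOGOUT_REQUEST, name, req.sender, f"{name}-req")


class IdpSloSession:
    """One IdP-initiated SLO.  Partners are contacted strictly one at a time;
    the next LogoutRequest goes out only once the pending partner responds."""

    def __init__(self, partners: Dict[str, SPBehaviour]):
        self.partners = partners
        self.remaining: List[str] = list(partners)      # not yet contacted
        self.pending: Optional[str] = None              # awaiting a response
        self.status: Dict[str, str] = {n: "not contacted" for n in partners}
        self.transcript: List[str] = []

    def _send_request(self, sp: str) -> None:
        self.pending = sp
        self.status[sp] = "awaiting response"
        self.transcript.append(f"idp -> {sp}: {LOGOUT_REQUEST}")
        reply = self.partners[sp](sp, Msg(LOGOUT_REQUEST, "idp", sp, f"idp-req-{sp}"))
        if reply is None:
            self.transcript.append(f"{sp}: (no reply)")   # the session stalls here
        else:
            self.receive(reply)

    def initiate_slo(self) -> None:
        """Models a call to InitiateSLO.  Calling it again while a partner is
        still pending gives up on that partner and moves on to the next one."""
        if self.pending is not None:
            self.status[self.pending] = "no response (logout not confirmed)"
            self.pending = None
        if self.remaining:
            self._send_request(self.remaining.pop(0))

    def receive(self, msg: Msg) -> None:
        self.transcript.append(f"{msg.sender} -> idp: {msg.kind}")
        if msg.kind == LOGOUT_RESPONSE and msg.sender == self.pending:
            self.status[msg.sender] = "logged out"
            self.pending = None
            self.initiate_slo()                         # continue with the next SP
        elif msg.kind == LOGOUT_REQUEST:
            # Protocol violation: a LogoutResponse was expected.  Answer the
            # request anyway; whether the SP actually logged out is unknown.
            self.status[msg.sender] = "protocol violation (logout unconfirmed)"
            if msg.sender == self.pending:
                self.pending = None
            self.transcript.append(f"idp -> {msg.sender}: {LOGOUT_RESPONSE}")
            self.initiate_slo()
        else:
            self.transcript.append(f"idp: ignored unexpected {msg.kind} from {msg.sender}")

    def complete(self) -> bool:
        return all(s == "logged out" for s in self.status.values())


def run_slo(partners: Dict[str, SPBehaviour], initiate_calls: int = 1) -> IdpSloSession:
    session = IdpSloSession(partners)
    for _ in range(initiate_calls):
        session.initiate_slo()
    return session


if __name__ == "__main__":
    # Google + Office 365 with InitiateSLO called twice, as in the third log.
    s = run_slo({"google": silent_sp, "office365": request_back_sp}, initiate_calls=2)
    print("\n".join(s.transcript), "\n", s.status, "\ncomplete:", s.complete())
```

Running the script prints the Google + Office 365 exchange: the request to Google gets no reply, the second InitiateSLO call abandons Google and contacts Office 365, Office 365 answers with a LogoutRequest, and the IdP replies with a LogoutResponse. Neither partner ends in the "logged out" state, so `complete()` is false; only when every partner is `compliant_sp` does the session finish cleanly.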