IdP initiated SSO not working


I was able to test SSO but I am having challenges in testing SLO. When the SP receives the SingleLogoutService call, the samlState is empty. What could be the reason? My redirect to the IdP's logout is not working and the Angular browser is doing nothing.

Thanks

My flow as per IdP-initiated SSO/SLO:
1) IdP initiates sign-in with valid SAML attributes
2) SP receives the SAML response, validates it against our credential system and redirects the user to the authorized page (which is an Angular page; this can be logged outside SSO)
3) The user tries to log out from the browser; now the SP should receive the SingleLogoutService SAML response (from the Angular page), process the request and redirect the user to the IdP index page. (The redirect to the index page will be handled by the IdP side.)

I have put all the pieces together but step 3 is not working as expected. Is this flow correct as per your component? Please confirm.

The SAML IdP-initiated single logout flow is:
1. IdP sends a SAML logout request to SP.
2. SP logs out the user.
3. SP sends a SAML logout response to the IdP.
It’s hard to say what the issue is without more information.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace


In our case SSO was initiated from the IdP; after successful login, control is given to the Angular site (which is owned by us, the SP) and the available logout option is on the SP side. Let me know if this is the correct flow or not. Once Logout is clicked, the SP will initiate SLO and the IdP will log out.

Thanks

The SAML SP-initiated single logout flow is:
1. SP sends a SAML logout request to IdP.
2. IdP logs out the user.
3. IdP sends a SAML logout response to the SP.

The SLO flow is not affected in any way by whether the user initiated SSO from the IdP or SP.
When the user clicks the logout button in your Angular application, you should pass control to your SP back-end so it can call ISamlServiceProvider.InitiateSloAsync. This sends a SAML logout request to the IdP.
The SP back-end’s single logout service will receive and process the logout response by calling ISamlServiceProvider.ReceiveSloAsync.
At this point SLO has completed and you can then return control to your Angular application.


Thank you for the quick response. I am doing exactly the same as per your flow up to InitiateSloAsync, but I am getting an exception saying multiple configurations were defined:
Multiple partner identity providers are configured so the partner identity provider name must be specified.
I think the component is not able to identify which partner IdP the SLO request should be sent to. I am observing that the samlState or SSO session state is null when trying to issue InitiateSloAsync from the SP side.
Also, after logout is done from the SP side we want to redirect the user to the IdP logout URL. How can we do this? Is it possible?

Thanks

The SSO session state shouldn’t be null.
I would need you to send a log file to support@componentspace.com to investigate.
Once SP-initiated SLO completes, control is back at the SP. The user will be logged out from both the IdP and SP.
You can redirect the user back to the IdP if you wish although, as the user has been logged out from the IdP, I’m not sure why you want to redirect back to the IdP’s logout URL.


I will check if I can share the trace with you. Also, why am I receiving this error?
Multiple partner identity providers are configured so the partner identity provider name must be specified.
This didn't happen in the case of SSO; it's only thrown during SLO.

Thanks

If the IdP initiated SSO, you don’t need to specify the partner name.
If you as the SP are initiating SLO, you need to specify the partner name.
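The two SLO flows described above (IdP-initiated: request in, response out; SP-initiated: request out, response in) and the partner-name requirement, as an added example in ASP.NET Core. This is not ComponentSpace's or the poster's code. It assumes ComponentSpace SAML for ASP.NET Core is registered in DI, that the SP signs users in with the ASP.NET Core cookie scheme, and that the assertion consumer service stored the partner IdP's name in a "saml:partner" claim when SSO completed; the claim type, route names and class name are this example's own assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Added example, not ComponentSpace's or the poster's code.
// Assumes: ISamlServiceProvider registered in DI, cookie authentication as the
// default scheme, and a "saml:partner" claim written at SSO time (assumption).
[Route("saml")]
public class SamlSloController : Controller
{
    private const string PartnerClaim = "saml:partner";   // assumed claim type
    private readonly ISamlServiceProvider _samlServiceProvider;

    public SamlSloController(ISamlServiceProvider samlServiceProvider)
    {
        _samlServiceProvider = samlServiceProvider;
    }

    // SP-initiated SLO, step 1: send a logout request to the IdP.
    // Reached by a top-level browser navigation from the Angular app, e.g.
    //   window.location.href = "/saml/initiate-slo?returnUrl=/logged-out";
    // not by an HttpClient call: the session cookies must ride along and the
    // browser must be able to follow the redirect to the IdP.
    [HttpGet("initiate-slo")]
    public async Task<IActionResult> InitiateSingleLogout(string returnUrl = null)
    {
        // With more than one partner IdP configured, InitiateSloAsync must be
        // told which partner the logout request goes to; the SSO response told
        // us that, so it was remembered as a claim.
        var partnerName = User.FindFirst(PartnerClaim)?.Value;

        // End the local session first so it cannot outlive a failed IdP round trip.
        await HttpContext.SignOutAsync();

        if (string.IsNullOrEmpty(partnerName))
        {
            // No SAML session to end (user never came in via SAML): local logout only.
            return LocalRedirect(SafeReturnUrl(returnUrl));
        }

        // Relay state carries the post-logout destination through the IdP round trip.
        await _samlServiceProvider.InitiateSloAsync(
            partnerName: partnerName,
            relayState: SafeReturnUrl(returnUrl));

        // InitiateSloAsync has already written the redirect / auto-post form
        // that delivers the logout request to the IdP, so return nothing more.
        return new EmptyResult();
    }

    // The single logout service handles both halves of SLO:
    //  - SP-initiated, step 3: the IdP's logout response arrives (IsResponse == true).
    //  - IdP-initiated, steps 1-3: the IdP's logout request arrives and must be answered.
    [HttpGet("slo")]
    [HttpPost("slo")]
    public async Task<IActionResult> SingleLogoutService()
    {
        var sloResult = await _samlServiceProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // SP-initiated SLO is complete; the user is logged out at the IdP and
            // (from InitiateSingleLogout) locally. Hand control back to the SPA.
            return LocalRedirect(SafeReturnUrl(sloResult.RelayState));
        }

        // IdP-initiated SLO: end the local session, then send the logout response.
        await HttpContext.SignOutAsync();
        await _samlServiceProvider.SendSloAsync();
        return new EmptyResult();
    }

    // Only ever redirect to a local path, so neither returnUrl nor the relay
    // state echoed back by the IdP can become an open redirect.
    private string SafeReturnUrl(string url) => Url.IsLocalUrl(url) ? url : "/";
}
```

The local sign-out happens before the logout request is sent rather than when the response comes back: if the IdP never answers, the SP session is still gone. The relay state is checked with Url.IsLocalUrl on the way out and again on the way back, because it returns through the IdP and an attacker-controlled value there would otherwise be a ready-made open redirect.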


I am getting errors when I use POST and a different error while using GET. I have sent you the log with the subject “Log information - Post Id 9277 (IdP-initiated-SSO-not-working)”. Please let me know what is causing the issue.

Thank you for your help.

Thank you for the log files.
I’ve replied to your email requesting network traffic to be captured to HAR files and sent.

Now I have shared the HAR files.

Thanks

Thank you.
I’ve replied by email.
In summary, you shouldn’t initiate SAML SSO or SLO as part of a web API call.
In the instance where you perform an HTTP GET, a pre-flight OPTIONS request to the IdP’s single logout service results in an error as it’s expecting either a GET or POST.
In the instance where you perform an HTTP POST, the SAML session cookie is missing from the request.
Rather than initiating SAML SSO and SLO through web API calls, your Angular app should perform simple redirects to the backend.
I’ve emailed you some example code demonstrating this.
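As an added example (not code from ComponentSpace or from the poster), a small ASP.NET Core action filter that makes the mistake described above fail fast with a readable message instead of the CORS preflight error or the silent missing-cookie failure. It relies on the Fetch Metadata request headers browsers send (a document navigation carries Sec-Fetch-Mode: navigate, while XHR/fetch carries cors or same-origin) and on the X-Requested-With header some XHR clients set. The attribute name and the message text are this example's own; it passes requests through when the headers are absent (older browsers), so it is a guard against a known mistake, not an authentication control.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Added example, not ComponentSpace's or the poster's code.
// Rejects attempts to start a SAML flow (InitiateSsoAsync / InitiateSloAsync)
// from an XHR/fetch call: the browser cannot follow the resulting redirect to
// the IdP from script, and cross-origin fetches do not carry the SAML session
// cookie. Only top-level navigations (links, window.location) are allowed.
public sealed class RequireNavigationAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var headers = context.HttpContext.Request.Headers;

        // Fetch Metadata: present in current browsers, absent in old ones.
        // A missing header is allowed through; only a definite fetch/XHR is refused.
        bool fetchMetadataSaysScript =
            headers.TryGetValue("Sec-Fetch-Mode", out var mode) && mode != "navigate";

        // Set by jQuery, AngularJS's $http and some other XHR wrappers
        // (Angular's HttpClient does not set it by default).
        bool xhrHeaderPresent =
            headers.TryGetValue("X-Requested-With", out var xrw) && xrw == "XMLHttpRequest";

        if (fetchMetadataSaysScript || xhrHeaderPresent)
        {
            context.Result = new BadRequestObjectResult(
                "SAML SSO/SLO must be started with a browser redirect " +
                "(window.location.href = '/saml/...'), not an HttpClient call: " +
                "the redirect to the IdP cannot be followed from script and the " +
                "SAML session cookie is not sent on cross-origin fetches.");
        }
    }
}

// Usage: decorate the actions that call InitiateSsoAsync / InitiateSloAsync.
//
// [HttpGet("initiate-slo")]
// [RequireNavigation]
// public async Task<IActionResult> InitiateSingleLogout(string returnUrl = null) { ... }
```

The OPTIONS preflight mentioned above never reaches this filter (it is answered, or rejected, before routing), so the filter catches the GET/POST that a simple-request fetch would still send and turns it into a 400 with an explanation a front-end developer can act on.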

Do you have any integration guide with Cloud Access Manager (One Identity) for IdP-initiated SSO? We don't have any plans to support SP-initiated SSO for some time, so there is no login page available for users who want to do SP-initiated SSO.

I’m afraid we don’t but there shouldn’t be any issues with interoperability.
A good starting point would be to retrieve their SAML metadata and use this to update your SAML configuration.
You should also generate SAML metadata for your provider to supply to them.
This is described in the SAML Metadata Guide.
https://www.componentspace.com/Forums/8324/SAML-Metadata-Guide
If you need assistance or run into any issues, you’re welcome to contact us through these forums or by email.

We already configured the SAML details at the IdP (which uses One Identity Cloud Access Manager) and at the SP (a .NET Core web API). From the IdP side they log in to the IdP Cloud Access Manager and try to invoke the SP assertion URL in a new browser tab, and we are getting an error like “http 1.1 get url”.

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace


It seems they are looking for SP-initiated SSO, so what we did is:
1) Created a new GET method in our web API serving as the SP to receive the login request and check whether their mail ID exists in our system or not
2) Initiated SSO through await _samlServiceProvider.InitiateSsoAsync(partnerName, null)
3) It's hitting the IdP's await _samlIdentityProvider.ReceiveSsoAsync(); but getting an error, and it's not reaching the AssertionConsumerService (await _samlServiceProvider.ReceiveSsoAsync())

“A SAML message cannot be received as the HTTP request is unrecognized.” All the configs are in place but we are still receiving the error on the IdP side.

Thanks


Also, I wanted to know if we can support both SP-initiated SSO and IdP-initiated SSO at the same time?

Thanks

Yes, you can support SP-initiated SSO and IdP-initiated SSO at the same time. The example projects support both.
Regarding the error at the IdP, it sounds like the SAML authn request isn’t being sent correctly.
Please enable SAML trace and send the generated IdP log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
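An added example of the SP side that supports SP-initiated and IdP-initiated SSO at the same time, covering the three steps listed in the post above (GET endpoint, InitiateSsoAsync, assertion consumer service). It is not ComponentSpace's or the poster's code. It assumes ComponentSpace SAML for ASP.NET Core is registered in DI with the partner IdP named "OneIdentityCAM" in the SAML configuration, that cookie authentication is configured, that the IdP sends the user's email as the NameID, and that IUserDirectory is a hypothetical application service that checks whether an email is known; the partner name, route names, claim type and IUserDirectory are all this example's assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Hypothetical application service (assumption): does this email belong to a known user?
public interface IUserDirectory
{
    Task<bool> ExistsAsync(string email);
}

// Added example, not ComponentSpace's or the poster's code.
// Assumes: ISamlServiceProvider in DI, a partner IdP named "OneIdentityCAM" in the
// SAML configuration, cookie authentication, and an email-format NameID from the IdP.
[Route("saml")]
public class SamlSsoController : Controller
{
    private const string PartnerName = "OneIdentityCAM";   // assumed partner name
    private const string PartnerClaim = "saml:partner";    // assumed claim type
    private readonly ISamlServiceProvider _samlServiceProvider;
    private readonly IUserDirectory _users;

    public SamlSsoController(ISamlServiceProvider samlServiceProvider, IUserDirectory users)
    {
        _samlServiceProvider = samlServiceProvider;
        _users = users;
    }

    // SP-initiated SSO. Reached by a top-level navigation (a link or window.location),
    // not an HttpClient call, so the browser can follow the redirect to the IdP.
    [HttpGet("initiate-sso")]
    public async Task<IActionResult> InitiateSingleSignOn(string returnUrl = null)
    {
        // Sends the authn request to the named partner; the relay state carries
        // the page to land on once the IdP's response has been processed.
        await _samlServiceProvider.InitiateSsoAsync(PartnerName, SafeReturnUrl(returnUrl));
        return new EmptyResult();
    }

    // One assertion consumer service serves both IdP-initiated and SP-initiated SSO:
    // the IdP posts the SAML response here in either case and ReceiveSsoAsync
    // validates the signature, audience, conditions and (for SP-initiated) InResponseTo.
    [HttpPost("acs")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();

        // The "does this email exist?" check belongs here, after the signed assertion
        // has been verified, rather than on the unauthenticated GET that starts SSO:
        // there it is an account-enumeration oracle and proves nothing about the caller.
        if (!await _users.ExistsAsync(ssoResult.UserID))
        {
            return Forbid();
        }

        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, ssoResult.UserID),
            new Claim(ClaimTypes.Email, ssoResult.UserID),          // assumes email NameID
            // Remembered so SP-initiated SLO later knows which partner IdP to talk to.
            new Claim(PartnerClaim, ssoResult.PartnerName),
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity));

        // SP-initiated: the relay state is the returnUrl given to InitiateSsoAsync.
        // IdP-initiated: the relay state is whatever the IdP sent, often nothing,
        // so the same fallback to the application's landing page applies.
        return LocalRedirect(SafeReturnUrl(ssoResult.RelayState));
    }

    // Only redirect to local paths; the relay state comes back via the IdP and is
    // otherwise an open redirect.
    private string SafeReturnUrl(string url) => Url.IsLocalUrl(url) ? url : "/";
}
```

Nothing in the assertion consumer service depends on who started SSO, which is why the two modes coexist on one endpoint; the only difference is whether a meaningful relay state comes back. Moving the email check behind ReceiveSsoAsync also removes the need for the GET endpoint to take an email at all, so it cannot be used to probe which accounts exist.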

[quote]
ComponentSpace - 11/6/2018
Thank you.
I've replied by email.
In summary, you shouldn't initiate SAML SSO or SLO as part of a web API call.
In the instance where you perform an HTTP GET, a pre-flight OPTIONS request to the IdP's single logout service results in an error as it's expecting either a GET or POST.
In the instance where you perform an HTTP POST, the SAML session cookie is missing from the request.
Rather than initiating SAML SSO and SLO through web API calls, your Angular app should perform simple redirects to the backend.
I've emailed you some example code demonstrating this.
[/quote]

Hi,

Can you also email me an example demonstrating the above? I will send an email to ComponentSpace; please reply.
Thanks