IdP-Proxy - handle single logout (ex: SP-initiated)

Hi guys,

I’m trying to construct an IdP-Proxy based on your solution.

Until now I was able to handle single sign-on in the following manner:
1. Add a SingleSignOnService method that receives the AuthnRequest from the SP and initiates SSO to a partner IdP (SP-initiated SSO).
2. Add an AssertionConsumerService that receives the SSO result and checks the IsInResponseTo flag. Based on this flag I identified whether I'm in an SP-initiated SSO or an IdP-initiated SSO flow and finalized the flow accordingly.

I’m trying to handle single log out in the same manner using the following example flow: https://docs.oracle.com/cd/E19681-01/820-3746/images/IDP-proxyProcess3.gif
In theory, for an SP-initiated logout, I need to achieve the following:
1. Receive a single logout request
2. Check if it’s not a response
3. Identify IdP
4. Send an SLO request to the IdP identified at step 3
5. Respond to the SP-initiated SLO indicating successful logout.

I'm trying to achieve this in the following manner:

    public async Task<IActionResult> SingleLogoutService()
    {
        // Receive the single logout request or response.
        // If a request is received then single logout is being initiated by a partner service provider.
        // If a response is received then this is in response to single logout having been initiated by the identity provider.
        var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
        }
        else
        {
            // Figure out the IdP partner name.
            var idpPartnerName = _configuration["IdPPartnerName"];

            // Send a logout request to the IdP partner.
            await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);

            // Respond to the SP-initiated SLO request indicating successful logout.
            await _samlIdentityProvider.SendSloAsync();
        }

        return new EmptyResult();
    }


I'm able to destroy the session at the SP end, but I'm not able to remove the IdP session (I'm thinking that
    await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);
needs to trigger the IdP session removal, being the 3rd step in this proxy process: https://docs.oracle.com/cd/E19681-01/820-3746/images/IDP-proxyProcess3.gif).

Is there something that I'm missing?

You’re missing one step. You need to wait for the logout response from the IdP before sending a logout response to the SP.

1. Receive logout request from SP.
2. Identify IdP.
3. Send logout request to IdP.
4. Receive logout response from IdP.
5. Send logout response to SP.

Your code above should call _samlServiceProvider.InitiateSloAsync but not immediately call _samlIdentityProvider.SendSloAsync.
It might make sense to have different single logout service end points when acting as the identity provider versus service provider.

The following is the code when acting as the identity provider.

    public async Task<IActionResult> SingleLogoutService()
    {
        // Receive the single logout request or response.
        // If a request is received then single logout is being initiated by a partner service provider.
        // If a response is received then this is in response to single logout having been initiated by the identity provider.
        var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // A response here means a logout this proxy initiated towards the SP has completed.
        }
        else
        {
            // Figure out the IdP partner name.
            var idpPartnerName = _configuration["IdPPartnerName"];

            // Send a logout request to the IdP partner.
            // Do not respond to the SP yet; the IdP's logout response arrives at the service provider endpoint.
            await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);
        }

        return new EmptyResult();
    }

The following is the code when acting as the service provider.

    public async Task<IActionResult> SingleLogoutService()
    {
        // Receive the single logout request or response.
        // If a request is received then single logout is being initiated by the identity provider.
        // If a response is received then this is in response to single logout having been initiated by the service provider.
        var sloResult = await _samlServiceProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // The IdP has completed its logout. Now respond to the SP-initiated SLO request indicating successful logout.
            await _samlIdentityProvider.SendSloAsync();
        }
        else
        {
            // A request here means the upstream IdP initiated the logout.
        }

        return new EmptyResult();
    }
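The five-step sequence above (request from SP, request to IdP, response from IdP, response to SP), as a library-independent model added here as an example; it is not code from this thread or from the SAML library being discussed. Messages are plain dicts standing in for LogoutRequest/LogoutResponse elements, and the class, method and field names are assumptions; only the status URI is the standard SAML one.

```python
import secrets

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class IdpProxySlo:
    """SP-initiated single logout through an IdP-proxy, modelled as a state machine.

    Constructed example: signing, bindings and session clean-up are left to the
    SAML library; this only tracks when the SP may be answered.
    """

    def __init__(self, idp_partner_name):
        self.idp_partner_name = idp_partner_name
        self._pending = {}  # proxy LogoutRequest ID -> SP LogoutRequest that caused it

    def receive_sp_logout_request(self, sp_request):
        """IdP-side endpoint: forward the SP's LogoutRequest upstream; answer the SP later."""
        if sp_request["type"] != "LogoutRequest":
            return None  # responses are not expected here in SP-initiated SLO
        proxied = {
            "type": "LogoutRequest",
            "id": "_" + secrets.token_hex(16),
            "destination": self.idp_partner_name,
            # A real proxy maps this to the identifier it holds with the upstream IdP.
            "name_id": sp_request["name_id"],
            "relay_state": sp_request.get("relay_state"),
        }
        self._pending[proxied["id"]] = sp_request
        return proxied  # the SP's LogoutResponse is deliberately NOT produced yet

    def receive_idp_logout_response(self, idp_response):
        """SP-side endpoint: correlate the IdP's LogoutResponse, then answer the SP."""
        if idp_response["type"] != "LogoutResponse" or idp_response["issuer"] != self.idp_partner_name:
            return None
        # InResponseTo must name a LogoutRequest this proxy actually sent; anything else
        # is unsolicited (or a replay of an already-handled response) and is dropped.
        sp_request = self._pending.pop(idp_response.get("in_response_to"), None)
        if sp_request is None:
            return None
        return {
            "type": "LogoutResponse",
            "in_response_to": sp_request["id"],
            "destination": sp_request["issuer"],
            "status": idp_response["status"],  # the SP learns the upstream outcome
            "relay_state": sp_request.get("relay_state"),
        }

    def has_pending(self):
        return bool(self._pending)
```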

Thanks a lot for your confirmation.

I identified that the IdP will be completely responsible for removing its own session, because otherwise it won't be able to do a complete clearance of the current work session (assuming that the IdP needs to mark the current work session as inactive in a database or do other similar things). Of course I'll need to wait for this "complete-clearance" response.

As you specified, I ended up having different endpoints for handling logout when the IdP-Proxy acts as the identity provider and when it acts as the service provider.

You’re welcome.
Just to confirm what you said, the IdP is responsible for logging the user out at the IdP. Typically it will delete the authentication cookie.
Once this is done, it will send a SAML logout response back to the SP.