Passing RelayState in an SP initiated SLO

Hi there,

I am trying to pass a RelayState in an SP initiated SLO, but cannot find a way to do this using the API.

I am using ComponentSpace.SAML2.SAMLServiceProvider.InitiateSLO(HttpResponse httpResponse, string logoutReason, string partnerIdP);

Using Assembly ComponentSpace.SAML2.dll, v2.5.0.5

Any help, much appreciated :slight_smile:

Thanks
Alienor

Hi Alienor
Currently we don’t support sending relay state with SLO messages. We certainly could add this support if required.
May I ask why you wish to use relay state with SLO? There might be a better mechanism for supporting what you are trying to do.

Hi there,
The website I am working on is the IdP.
One of our SPs is using SimpleSAMLphp which appears to require a RelayState for SLO requests.
Not sure how easy this is to get around.
Kind regards
Alienor



If the SP includes relay state with the logout request then the SAML API automatically includes this with the logout response sent back to the SP. This is not exposed to your application.
If your IdP sends a logout request to the SP then there should be no need to include relay state as this is optional and typically not required.
Let me know if you run into any issues.

Hi there,

Thank you for your response.

The initial problem I was having was resolved. This was for SP initiated SLO; we had the wrong single logout service URL configured.

Now I am having a similar problem with IdP initiated SLO when connecting up to the SP. They are using SimpleSAMLphp which appears to throw an error if the relay state is not present. Very frustrating.
I get “Missing RelayState in logout response” on their system. We are using the HTTP-Redirect binding for logout. Initiating logout with SAMLIdentityProvider.InitiateSLO.
I have had a little look around to see what I can find:
https://code.google.com/p/simplesamlphp/
Where you can see the issue on line 48: https://code.google.com/p/simplesamlphp/source/browse/trunk/modules/saml/www/sp/saml2-logout.php?r=3303&spec=svn3303

Do you have any case studies/examples where the IdP is using the Component Space library and an SP is using the SimpleSAMLphp library?

Kind regards
Alienor

When you call SAMLIdentityProvider.InitiateSLO a logout request is sent. SimpleSAMLphp only checks for relay state if it’s receiving a logout response, not a logout request. From the error message, it sounds like a logout response is being sent. The SAMLIdentityProvider.SendSLO method sends a logout response. Please double check InitiateSLO is being called rather than SendSLO.
If there’s still an issue, please enable SAML trace and send the generated log file to support@componentspace.com mentioning this topic.

http://www.componentspace.com/Forums/45/SAML-HighLevel-API
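
An added example, not part of the original thread and not code from ComponentSpace or SimpleSAMLphp: a small Python diagnostic that decodes a captured HTTP-Redirect binding URL, reports whether it carries a logout request or a logout response, and flags a response sent without RelayState, which is the case discussed above. The function names, the `sp.example.test` URL and the sample messages are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024  # cap on inflated size; guards against decompression bombs


def deflate_b64(xml):
    """Encode XML as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def inspect_redirect(url):
    """Classify a captured SLO redirect URL and report RelayState presence."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    param = next((p for p in ("SAMLRequest", "SAMLResponse") if p in q), None)
    if param is None:
        raise ValueError("no SAMLRequest or SAMLResponse parameter")
    d = zlib.decompressobj(wbits=-15)
    xml = d.decompress(base64.b64decode(q[param][0]), MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("inflated message exceeds size limit")
    ns, _, name = ET.fromstring(xml).tag.lstrip("{").partition("}")
    if ns != SAMLP:
        raise ValueError("root element is not in the SAML protocol namespace")
    relay = q.get("RelayState", [None])[0]
    return {
        "parameter": param,   # query parameter that carried the message
        "message": name,      # LogoutRequest or LogoutResponse
        "relay_state": relay,
        "response_without_relay_state": name == "LogoutResponse" and not relay,
    }


def sample_url(element, relay_state=None):
    """Build a constructed (unsigned) redirect URL for testing the inspector."""
    xml = (f'<samlp:{element} xmlns:samlp="{SAMLP}" ID="_constructed1" '
           'Version="2.0" IssueInstant="2014-01-01T00:00:00Z"/>')
    key = "SAMLRequest" if element.endswith("Request") else "SAMLResponse"
    params = {key: deflate_b64(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return "https://sp.example.test/slo?" + urlencode(params)


if __name__ == "__main__":
    for u in (sample_url("LogoutRequest"), sample_url("LogoutResponse")):
        print(inspect_redirect(u))
```

Pasting the redirect URL from a browser's network trace into `inspect_redirect` shows which message type the IdP actually sent, which is the first thing to confirm when the SP reports a missing RelayState.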