Hello,
I have an ASP.NET Core application that performs SP functionality where I need to present an error page to the user when an error occurs and perform SLO. I've tried something like this on the error page:
```csharp
var ssoState = await this.samlServiceProvider.GetStatusAsync();
if (await ssoState.CanSloAsync())
{
    await this.samlServiceProvider.InitiateSloAsync("IdP", "Error");
}
return new EmptyResult();
```
My SAML controller logout route looks like this:
```csharp
[Route("LogOut")]
public async Task<IActionResult> SingleLogoutService()
{
    // Receive either a logout response (SP-initiated SLO completing) or a logout request (IdP-initiated).
    var sloResult = await this.samlServiceProvider.ReceiveSloAsync();
    if (sloResult.IsResponse)
    {
        if (!string.IsNullOrEmpty(sloResult.RelayState))
        {
            // LocalRedirect only accepts local URLs, which guards against open redirects via relay state.
            return LocalRedirect(sloResult.RelayState);
        }
        return RedirectToPage("/Login");
    }
    // IdP-initiated logout request: sign out locally and send the logout response to the IdP.
    await this.HttpContext.SignOutAsync();
    await this.samlServiceProvider.SendSloAsync();
    return new EmptyResult();
}
```
The above code for the "LogOut" route handles the logout request, but there doesn't appear to be a way to determine if this is a standard logout request or a logout request due to an error page request. I thought I could set the reason to something like "Error" when initiating SP logout, but I get an empty reason when the IdP redirects back to the SP.
Is there a way to accomplish what I’m trying to do here?
Thank you in advance.
There are a couple of options.
You could set a flag in your application’s session state to remember the error status. This assumes you have ASP.NET Core session support enabled for your application.
The other option is to make use of the SAML relay state.
When you call samlServiceProvider.InitiateSloAsync, you can include the relayState parameter. This is an arbitrary, and opaque to the IdP, value that the IdP will return along with the SAML logout response. This could be set to a value indicating the error status.
When you call samlServiceProvider.ReceiveSloAsync, the ISloResult will include the relay state originally sent to the IdP.
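The relay-state option described above, written out as an added example (this is not ComponentSpace's code or the original poster's). It assumes ComponentSpace's ISamlServiceProvider with InitiateSloAsync taking partnerName, logoutReason and relayState in that order, and ReceiveSloAsync returning an ISloResult with IsResponse and RelayState; the controller, route and page names are hypothetical. Rather than carrying a URL in the relay state and redirecting to it, the example carries a short opaque marker and maps it to a known local page, so the value echoed back by the IdP can only select a destination the SP already defines.

```csharp
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Added example: distinguish an error-triggered SLO from a user-initiated one
// via SAML relay state, without enabling ASP.NET Core session state.
public class SamlController : Controller
{
    // Relay-state markers. Short tokens, never URLs, so the echoed value
    // can only choose between destinations this controller already knows.
    private const string ErrorRelayState = "error";
    private const string UserRelayState = "user";

    private readonly ISamlServiceProvider samlServiceProvider;

    public SamlController(ISamlServiceProvider samlServiceProvider)
    {
        this.samlServiceProvider = samlServiceProvider;
    }

    // Called from the error page (hypothetical route): start SLO tagged as error-driven.
    [Route("ErrorLogout")]
    public async Task<IActionResult> ErrorLogout()
    {
        var ssoState = await samlServiceProvider.GetStatusAsync();
        if (await ssoState.CanSloAsync())
        {
            // Assumption: the third parameter of InitiateSloAsync is relayState.
            await samlServiceProvider.InitiateSloAsync("IdP", "Error", relayState: ErrorRelayState);
            return new EmptyResult(); // the logout request has already been written to the response
        }
        // No SAML session to log out of: just clear the local session.
        await HttpContext.SignOutAsync();
        return RedirectToPage("/Error");
    }

    // Normal user-initiated logout (hypothetical route).
    [Route("UserLogout")]
    public async Task<IActionResult> UserLogout()
    {
        await HttpContext.SignOutAsync();
        await samlServiceProvider.InitiateSloAsync("IdP", null, relayState: UserRelayState);
        return new EmptyResult();
    }

    [Route("LogOut")]
    public async Task<IActionResult> SingleLogoutService()
    {
        var sloResult = await samlServiceProvider.ReceiveSloAsync();
        if (sloResult.IsResponse)
        {
            // The IdP echoes the relay state we sent; treat it as a marker, not a URL.
            return sloResult.RelayState == ErrorRelayState
                ? RedirectToPage("/Error")
                : RedirectToPage("/Login");
        }
        // IdP-initiated logout request: sign out locally and send the logout response.
        await HttpContext.SignOutAsync();
        await samlServiceProvider.SendSloAsync();
        return new EmptyResult();
    }
}
```

If the IdP does not echo the relay state (the symptom reported later in this thread), the comparison simply falls through to the /Login page, so a misbehaving IdP degrades to the standard logout flow rather than to an error.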
Thank you for the quick reply. I don't have ASP.NET Core sessions enabled, and probably don't want them enabled at this time. I did also try passing the error page URL in the relayState parameter, but that was also coming back as blank. Is relay state universal, so that every IdP has to support it?
IdPs should support relay state as it’s part of the SAML specification.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
We’ll take a look to confirm everything looks ok on the SP side.
Got this resolved. It turned out that the IdP was not doing the standard SLO sequence, so this isn't an issue at all.
Thanks for your help.
You’re welcome.