SAML Logout during ASP Session Timeout

Hello Guys,

In our project, it is required to log out of SAML during server timeout (ASP Session Timeout). The first thing I tried was calling SAMLServiceProvider.InitiateSLO, but at the time of this call the SSO information is no longer available. Then I tried calling SAMLServiceProvider.InitiateSLO during Session_End, before the ASP session is gone, but the problem with this is that there is no context available any more (null). I tried creating a dummy context, but it also doesn't work and the IdP doesn't respond to the request. We are using InProc and we really need to log out of SAML on server timeout. Is there any way to do this?

Thanks,
Sonny

By default, we store SAML SSO session information in the ASP.NET session. This information is required to support SAML logout amongst other things.
If the ASP.NET session has been torn down then the call to SAMLServiceProvider.InitiateSLO will fail as the SSO session information also has been torn down.
Even if you successfully call SAMLServiceProvider.InitiateSLO during the Session_End event, the subsequent SAMLServiceProvider.ReceiveSLO call will fail.
However, even though the ReceiveSLO call fails, the SLO has completed in that the user should be logged out at the IdP.
If this is acceptable, you could simply catch any exception thrown by ReceiveSLO and continue your processing as if it had succeeded.
The alternative would be to store the SSO session information somewhere else other than the ASP.NET session.
However, you then have the problem of maintaining this and ensuring this separate storage is torn down when the ASP.NET session is torn down.
This could add quite a bit more complexity.

[quote]
ComponentSpace - 2/25/2016
By default, we store SAML SSO session information in the ASP.NET session. This information is required to support SAML logout amongst other things.
If the ASP.NET session has been torn down then the call to SAMLServiceProvider.InitiateSLO will fail as the SSO session information also has been torn down.
Even if you successfully call SAMLServiceProvider.InitiateSLO during the Session_End event, the subsequent SAMLServiceProvider.ReceiveSLO call will fail.
However, even though the ReceiveSLO call fails, the SLO has completed in that the user should be logged out at the IdP.
If this is acceptable, you could simply catch any exception thrown by ReceiveSLO and continue your processing as if it had succeeded.
The alternative would be to store the SSO session information somewhere else other than the ASP.NET session.
However, you then have the problem of maintaining this and ensuring this separate storage is torn down when the ASP.NET session is torn down.
This could add quite a bit more complexity.
[/quote]

Hi, I tried the above solution. I'm getting 'Response is not available in this context.' when SAMLServiceProvider.InitiateSLO is invoked in the Session_End event. I guess there needs to be a valid HttpContext available for SLO to be successful. Please advise if there is any alternative solution for performing SLO on session timeout.

Thanks,
Baga

Hi Baga
Your understanding is correct. An HttpContext is required.
I suspect initiating SLO on the local session ending will be problematic and it’s not something we advise doing.