SAML sessions and SLO

I’ve been using the library with a custom resolver for the sessions from the database. All is working fine until I need to ensure that SLO is working (so far it hasn’t). I tried several approaches; the best result so far was given by the following setup:


// https://docs.microsoft.com/en-us/azure/azure-monitor/app/asp-net-core
builder.Services.AddApplicationInsightsTelemetry();

builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // SameSiteMode.None is required to support SAML SSO.
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

builder.Services.ConfigureApplicationCookie(options =>
{
    // Use a unique identity cookie name rather than sharing the cookie across applications in the domain.
    options.Cookie.Name = "DatabaseServiceProvider.Identity";

    // SameSiteMode.None is required to support SAML logout.
    options.Cookie.SameSite = SameSiteMode.None;
});
builder.Services.AddDistributedSqlServerCache(options =>
{
    options.ConnectionString = builder.Configuration["ConnectionStrings:Db"];
    options.SchemaName = "Integrations";
    options.TableName = "SamlCache";
    options.ExpiredItemsDeletionInterval = TimeSpan.FromDays(30);
});
builder.Services.AddSaml();
builder.Services.Configure<SamlConfigOptions>(builder.Configuration.GetSection("Saml"));
builder.Services.AddScoped<SamlConfigService>();
builder.Services.AddTransient<ISamlConfigurationResolver, CustomConfigurationResolver>();
builder.Services.AddDbContext<IdentityDbContext>(options =>
    options.UseSqlServer(builder.Configuration["ConnectionStrings:Db"]));

builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddSession(options =>
{
    options.Cookie.Name = "saml-session";
    options.IdleTimeout = TimeSpan.FromSeconds(100);
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.IsEssential = true;
});

The session is correctly generated:

The issue however is that upon logout I get
SSO Session not found, cannot execute Single Logout. Exception: There is no SSO session to partner XXXX to logout.

while I can see that the partner is in the value of the second cache I shared.

Now, I’ve seen some other posts (like Distributed Cache Session using Redis - #2 by ComponentSpace) mentioning that the order of items does change the outcome, so I’m wondering if that can be the case here? Putting the distributed cache initialisation after AddSaml() as recommended causes the partner configuration to not be found even during SSO. I also noticed (through a custom implementation of ISsoSessionStore) that the session changes more often than I would expect, so that might also be the reason? However, the setup being tested is quite conservative:

builder.Services.AddSession(options =>
{
    options.Cookie.Name = "saml-session";
    options.IdleTimeout = TimeSpan.FromSeconds(100);
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.IsEssential = true;
});

Running on version 4.3

I’m not sure why you’re specifying “saml-session” as the cookie name when calling ‘builder.Services.AddSession’.

We use a separate cookie to maintain state in support of the SAML protocol. Its default name is “saml-session”.

This is separate from the ASP.NET Core session cookie that you’re configuring by calling ‘builder.Services.AddSession’.

These cookies should have different names. I suggest either leaving the default name or specifying a different name for the ASP.NET Core session cookie.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

Hello,

I did the cookie name change fix. Could you please whitelist my email? It’s being blocked by the spam filter.

Thanks

I didn’t find any record of your emails being blocked.

Do you mean email being sent to an @componentspace.com account or emails associated with this forum?

What error is being returned by the spam filter?

When did this occur?

Thanks.

Hello,

I got an Undelivered Email Returned to Sender when trying to send the traces to your support email on 04/12 2:55PM UTC:

This is the mail system at host pe-c.jellyfish.systems.

I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<support@componentspace.com>: host mx.spamexperts.com[38.109.53.20] said: 550
The sending IP (63.250.43.123) is listed on htt ps://spamrl.com/. Please
resolve this and retry. (in reply to end of DATA command).

I can try contacting you from another email

We’ve whitelisted your domain.

We received your email from the other domain without any issues and will reply to that.

I’ve replied to your email.

The saml-session cookie isn’t included with the HTTP request to the endpoint where you initiate SLO. This cookie is marked as Secure and SameSite=None so please ensure the endpoint is accessed using HTTPS.

If there’s still an issue, I’ve included instructions in the email for using the browser developer tools to capture the network traffic to see why the browser isn’t sending the cookie.

Check the "show filtered out request cookies" flag and hover over the icon to see the reason for the browser not sending the cookie.
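The two points raised in this thread, the ASP.NET Core session cookie colliding with the library's own "saml-session" protocol-state cookie, and that cookie being Secure and SameSite=None so it is only sent over HTTPS, can be checked in one place. The following is an added example, not code from the poster or from ComponentSpace: a minimal Program.cs that gives the application session cookie a distinct name and adds a diagnostic middleware in front of the SLO endpoint that logs the likely cause when the saml-session cookie is missing. The SLO path "/saml/slo", the cookie name "app-session" and the use of .NET implicit usings are assumptions; only the SAML registration calls shown earlier in the thread are taken from the page.

```csharp
// Added example (not the forum poster's or ComponentSpace's code).
// Assumes a .NET 6+ web project with implicit usings enabled.
var builder = WebApplication.CreateBuilder(args);

// Registration from the thread; the library's protocol-state cookie keeps its
// default name "saml-session" (as ComponentSpace support states above).
builder.Services.AddSaml();
builder.Services.Configure<SamlConfigOptions>(builder.Configuration.GetSection("Saml"));

builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // Cross-site POST bindings from the IdP need SameSite=None on the SAML cookies.
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

// Weak setting from the original post: naming the ASP.NET Core session cookie
// "saml-session" makes it overwrite the library's cookie, so SLO cannot find the session.
//   builder.Services.AddSession(options => options.Cookie.Name = "saml-session");

// Corrected: the application session cookie gets its own, distinct name.
const string AppSessionCookie = "app-session"; // assumption: any name but "saml-session"
builder.Services.AddSession(options =>
{
    options.Cookie.Name = AppSessionCookie;
    options.IdleTimeout = TimeSpan.FromSeconds(100);
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.IsEssential = true;
});
builder.Services.AddControllers();

var app = builder.Build();

// Secure + SameSite=None cookies are never sent on plain HTTP; force HTTPS so the
// SLO request carries the saml-session cookie.
app.UseHttpsRedirection();
app.UseCookiePolicy();
app.UseSession();

// Diagnostic middleware (assumption: SLO is initiated at /saml/slo). It runs before
// the SLO handler and explains a "no SSO session to partner" failure up front.
app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments("/saml/slo"))
    {
        var log = context.RequestServices.GetRequiredService<ILogger<Program>>();

        if (!context.Request.IsHttps)
            log.LogWarning("SLO requested over HTTP; the Secure saml-session cookie is not sent by the browser.");

        if (!context.Request.Cookies.ContainsKey("saml-session"))
            log.LogWarning("saml-session cookie absent on SLO request; the library will report no SSO session.");

        if (string.Equals(AppSessionCookie, "saml-session", StringComparison.Ordinal))
            log.LogError("Application session cookie shares the name saml-session; rename it.");
    }
    await next();
});

app.MapControllers();
app.Run();
```

When the warning about the missing cookie fires on an HTTPS request, the browser developer tools' "show filtered out request cookies" view, as suggested above, shows which attribute (Secure, SameSite, Domain or Path) caused the browser to withhold it.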