In my testing, my IdP's SLO page is getting invoked when the SP logs out, which is what I expected.
In the URL, a SAMLRequest variable is getting passed, something like
http://localhost/IdpSamlLogout.aspx?SAMLRequest=nZJfa4MwF ....
What can I do with this SAMLRequest variable? Can I get information about the SP that logged out? If so, how?
The SAMLRequest is the SAML logout request encoded using the HTTP-redirect binding. The logout request includes an issuer which identifies the service provider that sent the logout request.
If you use the SAML high-level API the processing of the logout request including decoding the message etc is handled automatically. The ExampleIdentityProvider and ExampleServiceProvider projects demonstrate this.
If you use the low-level API then you can call SingleLogoutService.ReceiveLogoutMessageByHTTPRedirect which will receive and decode the logout request. The low-level API SAML2IdentityProvider project demonstrates how to make this call.
However, you are best to use the high-level API if possible as it is easier to use and requires less code in your application.
Yes, we want to use the high level API.
In my testing, if I have an entry like
SingleLogoutServiceUrl=http://localhost/SSO/IdpSamlLogout.aspx?entryId=foursquare
in my PartnerIdentityProvider, when I issue the InitiateSLO command, the entryId=foursquare parm is replaced by the SAMLRequest parm.
Unfortunately, the IdP in real life wants that entryId=foursquare parm. Is there any way to do this?
The entryID=foursquare should be retained.
Could you please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning this topic?http://www.componentspace.com/Forums/17/Enabing-SAML-Trace