SAMLServiceProvider.InitiateSLO Not calling configured endpoint.

dana.nurse · February 13, 2019, 9:32am

I have a legacy WebForms application being wired up for SSO.
Currently this is using a mock IDP based on the webforms example identity provider.

SSO is functioning as expected.

However SLO is not.
On logging out, SAMLServiceProvider.InitiateSLO is called, but the mock endpoint is not called.
I can confirm that configuration is available, CanSLO returns true, and SAML session is available.
Even the logs claim that the call was made, yet the idp endpoint is never hit.

What am I missing?

log extract:
SSO session state:
Partner name: https://ExampleIdentityProvider
Name ID: <saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>lakkana.perera</saml:NameID>
Session index: _c8508a65-fbf8-4411-b592-9cab715d95a2

12052/20: 13/02/2019 17:16:44: SLO to partner identity providers can occur.
12052/20: 13/02/2019 17:16:44: Initiating SLO to the partner identity provider.
12052/20: 13/02/2019 17:16:44: Service provider session (c854e82a-b208-4226-8b39-ec2f6d99ef62) state:
SSO session state:
Partner name: https://ExampleIdentityProvider
Name ID: <saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>lakkana.perera</saml:NameID>
Session index: _c8508a65-fbf8-4411-b592-9cab715d95a2

12052/20: 13/02/2019 17:16:44: Sending request over HTTP Redirect, baseURL=https://localhost:44390/SAML/SLOService.aspx, samlMessage=<samlp:LogoutRequest ID=“_7a40f0be-f81d-466e-83e7-9c6ecf2e7e83” Version=“2.0” IssueInstant=“2019-02-13T17:16:44.215Z” Destination=“<a href=“https://localhost:44390/SAML/SLOService.aspx””>https://localhost:44390/SAML/SLOService.aspx" NotOnOrAfter=“2019-02-13T17:19:44.215Z” xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”><saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>https://Ambertrack</saml:Issuer><saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>lakkana.perera</saml:NameID>samlp:SessionIndex_c8508a65-fbf8-4411-b592-9cab715d95a2</samlp:SessionIndex></samlp:LogoutRequest>, relayState=
12052/20: 13/02/2019 17:16:44: Creating HTTP redirect query string.
12052/20: 13/02/2019 17:16:44: Encoding SAML message: <samlp:LogoutRequest ID=“_7a40f0be-f81d-466e-83e7-9c6ecf2e7e83” Version=“2.0” IssueInstant=“2019-02-13T17:16:44.215Z” Destination=“<a href=“https://localhost:44390/SAML/SLOService.aspx””>https://localhost:44390/SAML/SLOService.aspx" NotOnOrAfter=“2019-02-13T17:19:44.215Z” xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”><saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>https://Ambertrack</saml:Issuer><saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>lakkana.perera</saml:NameID>samlp:SessionIndex_c8508a65-fbf8-4411-b592-9cab715d95a2</samlp:SessionIndex></samlp:LogoutRequest>
12052/20: 13/02/2019 17:16:44: Encoded SAML message: nVJLa+MwEP4rRnfZluOnSAKBsGBIE9gsPfRSxvJ4Y2JLrkZe8vPXcVqatuweev34nswsCfpukDvz24zuJ76MSM4rtyv2nEEcNmGFvMlFzeM0RZ4vMOOFSlE1EWaYL5j3iJZao1cs8kPmlUQjlpocaDdBoSh4GHGx+CUyKVIZx34kkifmbaeUVoOblSfnBpJB0BkF3cmQm3iLIgyOm4ddcNwdjmj/tAp9oOHCvL1xB32wm8ah/RJRvEdc+k6TnNet2Gi1NEAtSQ09knRKXt3lVFoO1jijTMfWyytbzhvsnf7/ciBCex3C1m9DNn01QRbUeRncWb767yeLcuv9MLYH929v4YsZaWvezFQ5ahpQtU2LNftOvQ7OZ9DgD2jRwmu1W5tbtUEeka7XLHWNl/WzypMwhzThTdXkPI6F4FVSRNMHQJWJpC4SiG42n5Rv4IevWv8F
12052/20: 13/02/2019 17:16:44: Query string: SAMLRequest=nVJLa%2BMwEP4rRnfZluOnSAKBsGBIE9gsPfRSxvJ4Y2JLrkZe8vPXcVqatuweev34nswsCfpukDvz24zuJ76MSM4rtyv2nEEcNmGFvMlFzeM0RZ4vMOOFSlE1EWaYL5j3iJZao1cs8kPmlUQjlpocaDdBoSh4GHGx%2BCUyKVIZx34kkifmbaeUVoOblSfnBpJB0BkF3cmQm3iLIgyOm4ddcNwdjmj%2FtAp9oOHCvL1xB32wm8ah%2FRJRvEdc%2Bk6TnNet2Gi1NEAtSQ09knRKXt3lVFoO1jijTMfWyytbzhvsnf7%2FciBCex3C1m9DNn01QRbUeRncWb767yeLcuv9MLYH929v4YsZaWvezFQ5ahpQtU2LNftOvQ7OZ9DgD2jRwmu1W5tbtUEeka7XLHWNl%2FWzypMwhzThTdXkPI6F4FVSRNMHQJWJpC4SiG42n5Rv4IevWv8F
12052/20: 13/02/2019 17:16:44: Redirect URL: https://localhost:44390/SAML/SLOService.aspx?SAMLRequest=nVJLa%2BMwEP4rRnfZluOnSAKBsGBIE9gsPfRSxvJ4Y2JLrkZe8vPXcVqatuweev34nswsCfpukDvz24zuJ76MSM4rtyv2nEEcNmGFvMlFzeM0RZ4vMOOFSlE1EWaYL5j3iJZao1cs8kPmlUQjlpocaDdBoSh4GHGx%2BCUyKVIZx34kkifmbaeUVoOblSfnBpJB0BkF3cmQm3iLIgyOm4ddcNwdjmj%2FtAp9oOHCvL1xB32wm8ah%2FRJRvEdc%2Bk6TnNet2Gi1NEAtSQ09knRKXt3lVFoO1jijTMfWyytbzhvsnf7%2FciBCex3C1m9DNn01QRbUeRncWb767yeLcuv9MLYH929v4YsZaWvezFQ5ahpQtU2LNftOvQ7OZ9DgD2jRwmu1W5tbtUEeka7XLHWNl%2FWzypMwhzThTdXkPI6F4FVSRNMHQJWJpC4SiG42n5Rv4IevWv8F
12052/20: 13/02/2019 17:16:44: Redirecting to: https://localhost:44390/SAML/SLOService.aspx?SAMLRequest=nVJLa%2BMwEP4rRnfZluOnSAKBsGBIE9gsPfRSxvJ4Y2JLrkZe8vPXcVqatuweev34nswsCfpukDvz24zuJ76MSM4rtyv2nEEcNmGFvMlFzeM0RZ4vMOOFSlE1EWaYL5j3iJZao1cs8kPmlUQjlpocaDdBoSh4GHGx%2BCUyKVIZx34kkifmbaeUVoOblSfnBpJB0BkF3cmQm3iLIgyOm4ddcNwdjmj%2FtAp9oOHCvL1xB32wm8ah%2FRJRvEdc%2Bk6TnNet2Gi1NEAtSQ09knRKXt3lVFoO1jijTMfWyytbzhvsnf7%2FciBCex3C1m9DNn01QRbUeRncWb767yeLcuv9MLYH929v4YsZaWvezFQ5ahpQtU2LNftOvQ7OZ9DgD2jRwmu1W5tbtUEeka7XLHWNl%2FWzypMwhzThTdXkPI6F4FVSRNMHQJWJpC4SiG42n5Rv4IevWv8F
12052/20: 13/02/2019 17:16:44: Request sent over HTTP Redirect.
12052/20: 13/02/2019 17:16:44: SAML message sent: partner=https://ExampleIdentityProvider, message=<samlp:LogoutRequest ID=“_7a40f0be-f81d-466e-83e7-9c6ecf2e7e83” Version=“2.0” IssueInstant=“2019-02-13T17:16:44.215Z” Destination=“<a href=“https://localhost:44390/SAML/SLOService.aspx””>https://localhost:44390/SAML/SLOService.aspx" NotOnOrAfter=“2019-02-13T17:19:44.215Z” xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”><saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>https://Ambertrack</saml:Issuer><saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>lakkana.perera</saml:NameID>samlp:SessionIndex_c8508a65-fbf8-4411-b592-9cab715d95a2</samlp:SessionIndex></samlp:LogoutRequest>, relay state=, destination URL=https://localhost:44390/SAML/SLOService.aspx
12052/20: 13/02/2019 17:16:44: Service provider session (c854e82a-b208-4226-8b39-ec2f6d99ef62) state:
Pending response state:
Action: ReceiveLogoutResponse
Partner name: https://ExampleIdentityProvider
Relay state:
In response to: _7a40f0be-f81d-466e-83e7-9c6ecf2e7e83

12052/20: 13/02/2019 17:16:44: Initiation of SLO to the partner identity provider https://ExampleIdentityProvider has completed successfully.

ComponentSpace · February 13, 2019, 1:19pm

SAMLServiceProvider.InitiateSLO attempts to return a 302 redirect HTTP response to the browser.
This is the redirect to the IdP with the SAML logout request encoded in the query string.
If after calling SAMLServiceProvider.InitiateSLO your application writes to the HTTP response object, his replace the HTTP redirect.
Please ensure that you don’t update the HTTP response after calling SAMLServiceProvider.InitiateSLO.
Your code should simply return and let ASP.NET send the 302 redirect.
If there’s still an issue, I suggest using the browser developer tools to see what HTTP response is being returned.
This will help identify the code generating the HTTP response.