SP Initiated SLO
High-level API example, webforms
I noticed the code example has 4 variables, 2x null
SAMLServiceProvider.InitiateSLO(Response, null, null, partnerIdP);
While the developer's guide only implies 3 parameters:
The InitiateSLO method sends a logout request to the identity provider as part of SP-initiated SLO. For example:
SAMLServiceProvider.InitiateSLO(Response, null, null);
The Response is used to send the logout request to the service provider via the browser.
The second parameter is the logout reason or null if none.
The third parameter is the partner identity provider's name or null if there's only one configured partner identity provider.
===
My question is what is contained in the response?
I have a project, SP Init SSO.
When the user logs into the IdP, an AuthnResponse is sent back.
The catch is that I use the email attribute that is sent back instead of the nameid to authenticate against my web app.
My FormsAuthentication cookie is the username that is previously set to the email.
I'm wondering, when I send the SLO request back, whether it contains a session ID, or whether it's sending the username / NameID back to the IdP to log off?
Let me know if that question makes sense -
Thx again,
Thanks for pointing this out. I’ll see that the Developer Guide is updated.
The SAMLServiceProvider class includes the following InitiateSLO overloads.
public static void InitiateSLO(HttpResponse httpResponse, string logoutReason, string relayState)
public static void InitiateSLO(HttpResponse httpResponse, string logoutReason, string relayState, string partnerIdP)
The relayState parameter was added.
This allows relay state to be included with the logout request.
As per the SAML specification, the logout request will include the Name ID and session index.
This should be sufficient for the IdP to identify and log out the user.
Just to clarify, does it work like this:
Receive AuthNResponse
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
Does the "userName" correspond to the NameID?
Then authentication is marked successful
FormsAuthentication.SetAuthCookie(userName, false);
What happens if, after this is done, I replace userName with a different attribute (such as email)?
Then re-call: FormsAuthentication.SetAuthCookie(userName, false);
Then the user signs out.
Does
SAMLServiceProvider.InitiateSLO(Response, null, null, partnerIdP);
still send the NameID from the session, or is it pulling from the cookie username variable?
Thx again!
josh
We store the NameID in the internal SAML session state. This is what’s included in the logout request.
We don’t use the FormsAuthentication.SetAuthCookie value etc.
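To make the answer above concrete, here is an added example (not ComponentSpace code) that models the split between the SP's SAML session state and the application's forms-auth principal: the SAML LogoutRequest is built from the stored NameID and SessionIndex, so whatever value went into FormsAuthentication.SetAuthCookie never reaches the IdP. The class and function names and all sample values are constructed for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
LOGOUT_USER = "urn:oasis:names:tc:SAML:2.0:logout:user"  # Reason URI defined in SAML 2.0 Core
for prefix, ns in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, ns)

@dataclass(frozen=True)
class SamlSession:
    """SAML state the SP keeps from the SSO response, separate from the app's login name."""
    partner_idp: str
    name_id: str
    name_id_format: str
    session_index: str

def build_logout_request(sp_entity_id: str, slo_url: str, sess: SamlSession, reason: str = "") -> bytes:
    """Build a samlp:LogoutRequest from SAML session state only (NameID + SessionIndex)."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": slo_url,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    if reason:  # optional, maps to the logoutReason parameter in the thread above
        req.set("Reason", reason)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": sess.name_id_format}).text = sess.name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = sess.session_index
    return ET.tostring(req, encoding="utf-8")

def parse_logout_request(xml_bytes: bytes) -> dict:
    """What the IdP reads to locate the session to end; rejects any other message type."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "name_id": root.findtext(f"{{{SAML}}}NameID"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
            "reason": root.get("Reason")}

# Constructed sample: an opaque persistent NameID; the app separately signs the user
# in under an email attribute, and that email value never appears in the request.
SAMPLE_SESSION = SamlSession("https://idp.example.com", "_9f2c4e1a",
                             "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "_sess-42")

def demo() -> dict:
    xml = build_logout_request("https://sp.example.com", "https://idp.example.com/slo",
                               SAMPLE_SESSION, LOGOUT_USER)
    return parse_logout_request(xml)
```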
Perfect - thanks very much
You’re welcome.