C#, .NET Core 3.1
I know this question has come up many times, and it looks like people often accidentally expire a session before the SLO. However, my session looks fine at the SLO, but I get:
2020-05-21 17:14:42,282 DEBUG ComponentSpace.Saml2.SamlProvider.? [?] - MESSAGE: Constructing a logout request.
2020-05-21 17:14:42,284 ERROR ComponentSpace.Saml2.SamlServiceProvider.? [?] - MESSAGE: Initiation of SLO to the partner identity provider has failed.
ComponentSpace.Saml2.Exceptions.SamlProtocolException: There is no SSO session to partner [IdP URL] to logout.
I can see the session in the DB, and I can see the session cookie is still there; it fails here:
await _samlServiceProvider.InitiateSloAsync(relayState: returnUrl);
In startup.cs, I have
services.AddDistributedSqlServerCache(options =>
{
    options.ConnectionString = Configuration.GetConnectionString("myDB");
    options.SchemaName = "dbo";
    options.TableName = "myCache";
    options.DefaultSlidingExpiration = new TimeSpan(1, 0, 0);
});
and shortly after that:
services.Configure(options => { options.CookieName = "saml-session"; });
services.AddSaml(Configuration.GetSection("SAML"));
The SSO works fine, just the SLO fails.
What am I missing?
Does the saml-session cookie have the same value at SSO and SLO?
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
Please ensure the application start-up, SSO and failing SLO are included in the log.
I saw another forum post about adding the cache config AFTER the AddSaml config, so I tried that, and see slightly different results:
2020-05-22 10:37:13,628 DEBUG ComponentSpace.Saml2.SamlServiceProvider.? [?] - MESSAGE: Initiating SLO to the partner identity provider.
2020-05-22 10:37:13,628 DEBUG ComponentSpace.Saml2.Session.DistributedSsoSessionStore.? [?] - MESSAGE: The SSO session ID 769893d0-0d1c-4060-a99e-72568db5f6bf has been retrieved from the saml-session cookie.
2020-05-22 10:37:13,630 DEBUG ComponentSpace.Saml2.SamlProvider.? [?] - MESSAGE: SAML session state (769893d0-0d1c-4060-a99e-72568db5f6bf):
SP state:
Pending response state:
Action: ReceiveLogoutResponse
Partner name: [Idp URL]
Relay state:
In response to: _72dc29a4-613a-4637-a361-2aa668fd2027
2020-05-22 10:37:13,630 DEBUG ComponentSpace.Saml2.SamlServiceProvider.? [?] - MESSAGE: The pending SAML action ReceiveLogoutResponse is being overridden.
2020-05-22 10:37:13,630 DEBUG ComponentSpace.Saml2.SamlProvider.? [?] - MESSAGE: Constructing a logout request.
2020-05-22 10:37:13,631 ERROR ComponentSpace.Saml2.SamlServiceProvider.? [?] - MESSAGE: Initiation of SLO to the partner identity provider has failed.
ComponentSpace.Saml2.Exceptions.SamlProtocolException: There is no SSO session to partner [IdP URL] to logout.
at ComponentSpace.Saml2.SamlProvider.CreateLogoutRequestAsync(String logoutReason)
at ComponentSpace.Saml2.SamlServiceProvider.InitiateSloAsync(String partnerName, String logoutReason, String relayState)
2020-05-22 10:37:13,634 ERROR eOPSNextGen.UI.Common.Logger.? [?] - MESSAGE: at ComponentSpace.Saml2.SamlProvider.CreateLogoutRequestAsync(String logoutReason)
at ComponentSpace.Saml2.SamlServiceProvider.InitiateSloAsync(String partnerName, String logoutReason, String relayState)
...not sure what this means.
I will try your suggestions next.
Thanks
One more little update:
Cookie on login: 769893d0-0d1c-4060-a99e-72568db5f6bf
Cookie on logout: 769893d0-0d1c-4060-a99e-72568db5f6bf
myCache DB entry: saml-session-769893d0-0d1c-4060-a99e-72568db5f6bf-SamlState
All appear to be the same.
Thanks for sending the log. I’ve replied to your email. It looks like InitiateSloAsync is being called multiple times. The sequence should be a single call to InitiateSloAsync to create and send a logout request to the partner IdP followed by a call to ReceiveSloAsync, at your single logout service endpoint, to receive and process the logout response.
It turned out to be because I did not have [AllowAnonymous] on the SingleLogoutService, so the application would think the user needed to log in, so it did an SSO login.
I think I have this working now, so thanks!
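The controller shape the thread converges on, as an added illustration that is not the poster's code or ComponentSpace's own sample: one call to InitiateSloAsync from the logout action, and an anonymous single logout service endpoint that calls ReceiveSloAsync. It assumes ComponentSpace.Saml2's ISamlServiceProvider plus ISloResult.IsResponse, ISloResult.RelayState and SendSloAsync from that API, and cookie authentication for the local session.

```csharp
// Added example; ISloResult.IsResponse/RelayState and SendSloAsync are assumed ComponentSpace APIs.
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class SamlController : Controller
{
    private readonly ISamlServiceProvider _samlServiceProvider;

    public SamlController(ISamlServiceProvider samlServiceProvider)
    {
        _samlServiceProvider = samlServiceProvider;
    }

    // Step 1: exactly one call to InitiateSloAsync. The local auth cookie is dropped here,
    // but the SAML session (saml-session cookie + distributed cache entry) must survive,
    // because CreateLogoutRequestAsync reads it to build the LogoutRequest.
    [Authorize]
    [HttpPost]
    public async Task<IActionResult> Logout(string returnUrl = "/")
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await _samlServiceProvider.InitiateSloAsync(relayState: returnUrl);
        return new EmptyResult(); // the library has already written the redirect to the IdP
    }

    // Step 2: the IdP posts the LogoutResponse back here. The user has no local session any
    // more, so without [AllowAnonymous] the authorization middleware redirects to the login
    // path, a fresh SSO starts, and the pending ReceiveLogoutResponse state is overridden.
    [AllowAnonymous]
    public async Task<IActionResult> SingleLogoutService()
    {
        var sloResult = await _samlServiceProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // SP-initiated SLO completed. Only follow a local relay state so the
            // logout response cannot be turned into an open redirect.
            var target = Url.IsLocalUrl(sloResult.RelayState) ? sloResult.RelayState : "/";
            return LocalRedirect(target);
        }

        // IdP-initiated SLO: a LogoutRequest arrived. Drop the local session, then answer the IdP.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await _samlServiceProvider.SendSloAsync();
        return new EmptyResult();
    }
}
```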
Thanks for the update.