Hi Team,
I have implemented SSO with office 365 and google.
When I try to log out from the application it redirects to the office 365 logout page and stays there if I SSO’ed in office 365.
I need need to get back to my application log out page after signing out from all service providers.
Below is my logout code.
public ActionResult LogOut()
{
SignoutManager.SignoutIdentityProvider();
if (SAMLIdentityProvider.IsSSO())
{
// Request logout at the service providers.
SAMLIdentityProvider.InitiateSLO(Response, null);
return new EmptyResult();
}
return RedirectToAction(“Index”, “Home”);
}
Please let me know what I am doing wrong here
After calling SAMLIdentityProvider.InitiateSSO, a SAML logout request is sent to the service provider which should log the user out locally and then return a logout response to the identity provider.
Unfortunately, for logout you’re reliant on each of the service providers returning a logout response.
In our testing with Office 365, we did see some issues which appeared to be Office 365 not properly supporting SAML logout.
We found that SP-initiated logout with Office 365 works.
However, IdP-initiated logout with Office 365 doesn’t work. Office 365 doesn’t return a logout response nor does it display an error.
I’m afraid your options are limited. It might be the best thing to do is not attempt SAML logout with Office 365.
[quote][/quote]
After calling SAMLIdentityProvider.InitiateSSO, a SAML logout request is sent to the service provider which should log the user out locally and then return a logout response to the identity provider.
Unfortunately, for logout you're reliant on each of the service providers returning a logout response.
In our testing with Office 365, we did see some issues which appeared to be Office 365 not properly supporting SAML logout.
We found that SP-initiated logout with Office 365 works.
However, IdP-initiated logout with Office 365 doesn't work. Office 365 doesn't return a logout response nor does it display an error.
I'm afraid your options are limited. It might be the best thing to do is not attempt SAML logout with Office 365.
Unfortunately, for logout you're reliant on each of the service providers returning a logout response.
In our testing with Office 365, we did see some issues which appeared to be Office 365 not properly supporting SAML logout.
We found that SP-initiated logout with Office 365 works.
However, IdP-initiated logout with Office 365 doesn't work. Office 365 doesn't return a logout response nor does it display an error.
I'm afraid your options are limited. It might be the best thing to do is not attempt SAML logout with Office 365.
So are you telling there is no way to do this?
We really need to log out from all service providers when we log out for our IDP.
Is there any hacks or workaround for this?
SAML logout requires all parties to do the right thing otherwise it isn’t completely successful.
This isn’t a shortcoming in our product but rather in the way SAML logout is defined by the SAML specification.
The reason for this is that control passes from the IdP to the SP and back again rather than control remaining at the IdP with discrete calls to the SPs.
Unfortunately from our experience Office 365 doesn’t correctly support IdP-initiated SAML logout although it does support SP-initiated logout correctly.
For IdP-initiated logout a SAML logout request is sent to Office 365 but the user isn’t logged out of Office 365 and the browser is redirected to the Office 365 home page.
Can you confirm that SP-initiated logout works (ie initiating logout from Office 265 will also log you out from your identity provider application)?
You’re welcome to enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
I’d like to see the successful SSO and failing SAML logout.
Please mention this forum post.