SLO throws an error: "A logout response was unexpectedly received." after upgrade from version 2.8.2.0 to 3.3.0.0

Hi,
I did upgrade from SAML version 2.8.2.0 to 3.3.0.0 and SLO stopped working for me.
Locally I have 2 sites one acting as IdP (siteA) and other as SP (siteB).
I can perform SSO successfully from IdP to SP and vice versa. However, on SLO, whether IdP- or SP-initiated, an exception is thrown: “A logout response was unexpectedly received.”

Here is the flow

  1. Login to IdP
  2. SSO to SP
  3. Successfully logged in to SP
  4. IdP logs out the user, then sends a logout request to the SP (SAMLIdentityProvider.InitiateSLO)
  5. SP receives the SLO request, logs out the user, and sends the SLO response back to the IdP (SAMLServiceProvider.SendSLO)
  6. IdP receives the SLO response from the SP, calls SAMLIdentityProvider.ReceiveSLO, and throws the error. (Similarly, when the SP initiates SLO, the exception is thrown in SAMLServiceProvider.ReceiveSLO, after the user has been successfully logged out from SP and IdP.)

Single Logout Service URL(s), where the SLO request and response are sent:
IdP: http://siteA.localhost/Saml/IdentityProvider/Logout
SP: http://siteB.localhost/Saml/ServiceProvider/Logout

The configuration for SAML is specified programmatically. Sessions are managed via DB.
I have tried your example projects for 3.3.0.0 and SLO works fine for me there.

Do you have any suggestions on what might cause the issue?
Thanks!

[quote]
Milan - 4/15/2019
[/quote]

I found out that setting "DisablePendingLogoutCheck = true" on the partner SP and IdP prevents the exception. But I would like to get to the root of the problem; in production I don't want to set this flag.

It’s possible the SAML session state is being cleared and the “pending logout response” status is being lost.
This will be affected by where the SAML session state is stored.
By default we use a separate SAML session cookie, but it’s also possible to store the SAML session state in the ASP.NET session cookie.
Please enable SAML trace at both your IdP and SP and send the log files as email attachments to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
Please ensure the logs include the successful SSO and failing SLO.

[quote]
ComponentSpace - 4/15/2019
[/quote]

Hi, thank you, I sent the traces to the support email.
I am using a custom implementation of SSOSessionStore to store sessions in the DB. I tried changing the implementation to use cookies and then it worked as expected.

Please find below the implementation of SSOSessionStore:

using System;
using System.Data;
using System.Data.SqlClient;
using ComponentSpace.SAML2.Data;   // AbstractSSOSessionStore (assumed namespace)

// DB-backed SSO session store. AMSqlHelper, CurrentInstanceHelper and SessionHelper
// are the poster's own helpers, not part of the SAML library.
class SamlSessionStore : AbstractSSOSessionStore
{
    public SamlSessionStore()
    {
        // Session ID used to key the rows in the SSOSessions table.
        SessionIDDelegate = () => SessionHelper.SamlSessionId;
    }

    // As posted: deleting session state is a no-op.
    public override void Delete(Type type)
    {
    }

    public override object Load(Type type)
    {
        var sessionObjectKey = CreateSessionIDForType(type);

        var sessionObject = AMSqlHelper.ExecuteScalar(
            CurrentInstanceHelper.InstanceConnStr,
            CommandType.Text,
            "SELECT [SessionObject] FROM [SSOSessions] WHERE [SessionID] = @sessionId",
            new[]
            {
                new SqlParameter("@sessionId", sessionObjectKey)
            });

        return sessionObject == null ? null : Deserialize((byte[])sessionObject);
    }

    public override void Save(object ssoSession)
    {
        var sessionObjectKey = CreateSessionIDForType(ssoSession.GetType());

        AMSqlHelper.ExecuteNonQuery(
            CurrentInstanceHelper.InstanceConnStr,
            "saml_SaveSession",          // stored procedure taking (SessionID, SessionObject)
            sessionObjectKey,
            Serialize(ssoSession));
    }
}


The SSOSessions table then looks as follows after a successful SSO and a failed SLO:
IdP SSOSessions


SP SSOSessions


Thank you.

Thank you. I’ve replied to your email.

[quote]
ComponentSpace - 4/16/2019
[/quote]

Thank you for working it out via email.
I use ISAMLObserver to listen to SAML events (message sent, received, etc.); the older implementation used AbstractSAMLObserver. The problem was in my observer object, which caused an error that failed silently during InitiateSLO. This resulted in the session state not being up to date, and ReceiveSLO then threw the error.
Best Regards, Milan
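The failure Milan describes, as an added worked example (not code from the thread or from the ComponentSpace library): a toy IdP whose InitiateSLO commits the "pending logout response" state only after notifying an observer, with an in-memory sqlite table standing in for the SSOSessions table. The observer hook, the notify-then-persist ordering, the session IDs and the InResponseTo values are assumptions made for illustration; the SAML XML, signing and transport are left out entirely. It reproduces the three outcomes seen in the thread: a working observer, a faulty observer whose error is swallowed and later surfaces as "A logout response was unexpectedly received.", and DisablePendingLogoutCheck hiding the problem. It also shows why that flag should stay off in production: with the check disabled the IdP equally accepts a LogoutResponse for a request it never sent.

```python
"""Model of the SAML single-logout 'pending logout response' check.

Added example, not ComponentSpace code. Mirrors the thread: a DB-backed session
store (sqlite in memory), an observer hook fired while a LogoutRequest is sent,
and a receive-side check that rejects any LogoutResponse no request is pending for.
"""
import sqlite3
import uuid


class UnexpectedLogoutResponse(Exception):
    """Raised when a LogoutResponse arrives with no matching pending request."""


class SessionStore:
    """DB-backed store, one row per session, like the poster's SSOSessions table (constructed)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE SSOSessions (SessionID TEXT PRIMARY KEY, PendingRequestID TEXT)")

    def save(self, session_id, pending_request_id):
        self.db.execute(
            "INSERT OR REPLACE INTO SSOSessions (SessionID, PendingRequestID) VALUES (?, ?)",
            (session_id, pending_request_id))

    def load(self, session_id):
        row = self.db.execute(
            "SELECT PendingRequestID FROM SSOSessions WHERE SessionID = ?",
            (session_id,)).fetchone()
        return row[0] if row else None


class IdentityProvider:
    """Toy IdP: only the SLO state handling, no XML, signing or transport."""

    def __init__(self, store, observer=None, disable_pending_logout_check=False,
                 swallow_observer_errors=True):
        self.store = store
        self.observer = observer  # hypothetical hook standing in for an ISAMLObserver
        self.disable_pending_logout_check = disable_pending_logout_check
        self.swallow_observer_errors = swallow_observer_errors

    def initiate_slo(self, session_id):
        """Send a LogoutRequest: notify the observer, then record the request ID as pending.

        Assumed ordering (chosen to reproduce the symptom, not a statement about the
        library): the pending state is committed only after the observer returns, so a
        swallowed observer error leaves the store without the pending ID.
        """
        request_id = "_" + uuid.uuid4().hex
        try:
            if self.observer is not None:
                self.observer(request_id)
        except Exception:
            if not self.swallow_observer_errors:
                raise
            return request_id  # failed silently: pending state never persisted
        self.store.save(session_id, request_id)
        return request_id

    def receive_slo(self, session_id, in_response_to):
        """Accept a LogoutResponse only if it answers the request we are waiting on."""
        pending = self.store.load(session_id)
        if not self.disable_pending_logout_check:
            if pending is None or pending != in_response_to:
                raise UnexpectedLogoutResponse("A logout response was unexpectedly received.")
        self.store.save(session_id, None)  # consume it, so a replayed response is rejected
        return True


def faulty_observer(request_id):
    raise RuntimeError("bug in observer")


def simulate(observer=None, disable_pending_logout_check=False, swallow_observer_errors=True):
    """IdP-initiated SLO round trip; returns 'accepted' or 'rejected'."""
    idp = IdentityProvider(SessionStore(), observer, disable_pending_logout_check,
                           swallow_observer_errors)
    session_id = "idp-session-1"  # constructed
    request_id = idp.initiate_slo(session_id)
    # The SP logs the user out and answers with InResponseTo=request_id (constructed).
    try:
        idp.receive_slo(session_id, in_response_to=request_id)
        return "accepted"
    except UnexpectedLogoutResponse:
        return "rejected"


def unsolicited(disable_pending_logout_check=False):
    """A LogoutResponse for a request this IdP never sent."""
    idp = IdentityProvider(SessionStore(), None, disable_pending_logout_check)
    try:
        idp.receive_slo("idp-session-1", in_response_to="_forged")
        return "accepted"
    except UnexpectedLogoutResponse:
        return "rejected"


if __name__ == "__main__":
    print(simulate())                       # working observer: accepted
    print(simulate(faulty_observer))        # the thread's symptom: rejected
    print(simulate(faulty_observer, True))  # DisablePendingLogoutCheck hides the bug
    print(unsolicited(True))                # and also accepts a forged response
```

Running the block with swallow_observer_errors=False makes the observer's RuntimeError surface in initiate_slo, which is where it belongs: the fix is to let observer failures be seen (or to log them) rather than to disable the pending-logout check, because that check is what ties an incoming LogoutResponse to a request this side actually issued.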

Thanks Milan for the update and sharing.