Alessandro Ciurlo

Reputation: 122

SAML 2.0 Logout SP initiated using ITfoxtec.Identity.Saml2

Premise: I'm pretty new to using SAML 2.0 and the library ITfoxtec.Identity.Saml2. In my scenario I have implemented a web application in ASP.NET Core, basically based on the examples contained in the library, such as TestWebAppCore. As IdP I have used Keycloak and Okta. I have no problem with login. My problems arise with logout. I have no problem when logout is initiated by the IdP: I have configured on the IdP the endpoint for Single Logout (the SingleLogout Web API) and everything works well. My problem is when it is my web app that initiates logout. The workflow is the following: somewhere in my page there is a logout button which invokes the Logout Web API

    [HttpPost("Logout")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        if (!User.Identity.IsAuthenticated)
        {
            return Redirect(Url.Content("~/"));
        }

        var binding = new Saml2PostBinding();
        var saml2LogoutRequest = await new Saml2LogoutRequest(config, User).DeleteSession(HttpContext);
        return binding.Bind(saml2LogoutRequest).ToActionResult();
    }

The problem does not seem to be here, however. The problem is that the IdP always calls the SingleLogout Web API. I think that this is not correct in this case: here the IdP has to call the LoggedOut Web API

    [Route("LoggedOut")]
    public IActionResult LoggedOut()
    {
        var binding = new Saml2PostBinding();
        binding.Unbind(Request.ToGenericHttpRequest(), new Saml2LogoutResponse(config));

        return Redirect(Url.Content("~/"));
    }

Of course, in this case the following exception is raised: "HTTP Form does not contain SAMLRequest"

The problem is that I don't find a way to configure the LoggedOut endpoint on the IdP.

My question is: is there something wrong in the way I initiate logout from my web app? Or is there a way, from the code, to set in the request the endpoint (LoggedOut) where the IdP has to call me? Or is it definitely something wrong in my IdP configuration? In this case, does someone know another IdP that I can use for testing?

Upvotes: 2

Views: 1553

Answers (1)

Anders Revsgaard

Reputation: 4334

The problem is probably that your IdP does not support two logout endpoints, which are: Location and ResponseLocation.

You can support one logout endpoint (Location) in your application (relying party) by reading the request to see if it is a SAML 2.0 Request or a SAML 2.0 Response.

The reading code looks something like this:

    var genericHttpRequest = Request.ToGenericHttpRequest();
    if (new Saml2PostBinding().IsResponse(genericHttpRequest) || new Saml2RedirectBinding().IsResponse(genericHttpRequest))
    {
        // Do logged out.
    }
    else
    {
        // Do single logout
    }

Upvotes: 2
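Putting the answer's dispatch into a complete action, as an added example that is neither the question's code nor the library's own sample: a single endpoint registered at the IdP as the SP's logout Location handles both the IdP-initiated LogoutRequest and the LogoutResponse that closes the SP-initiated flow. It assumes the injected `Saml2Configuration` field `config` from the question and, like the question, the HTTP-POST binding; the same branching applies to `Saml2RedirectBinding`.

```csharp
// No [ValidateAntiForgeryToken] here: this POST arrives from the IdP via the
// user's browser, and authenticity comes from the SAML signature checked in Unbind.
[HttpPost("SingleLogout")]
public async Task<IActionResult> SingleLogout()
{
    var genericHttpRequest = Request.ToGenericHttpRequest();
    var requestBinding = new Saml2PostBinding();

    if (requestBinding.IsResponse(genericHttpRequest))
    {
        // SP-initiated flow completing: the IdP answers the LogoutRequest we sent.
        // Unbind validates the response (signature, issuer, status) and throws if invalid.
        var logoutResponse = new Saml2LogoutResponse(config);
        requestBinding.Unbind(genericHttpRequest, logoutResponse);
        return Redirect(Url.Content("~/"));
    }

    // IdP-initiated flow: validate the LogoutRequest, end the local session,
    // then answer with a LogoutResponse carrying the outcome.
    Saml2StatusCodes status;
    var logoutRequest = new Saml2LogoutRequest(config, User);
    try
    {
        requestBinding.Unbind(genericHttpRequest, logoutRequest);
        await logoutRequest.DeleteSession(HttpContext);
        status = Saml2StatusCodes.Success;
    }
    catch (Exception)
    {
        // Bad signature, wrong issuer or session mismatch: report denial,
        // never report Success for a request that did not validate.
        status = Saml2StatusCodes.RequestDenied;
    }

    var responseBinding = new Saml2PostBinding { RelayState = requestBinding.RelayState };
    var saml2LogoutResponse = new Saml2LogoutResponse(config)
    {
        InResponseToAsString = logoutRequest.IdAsString,
        Status = status,
    };
    return responseBinding.Bind(saml2LogoutResponse).ToActionResult();
}
```

With this in place the separate LoggedOut action from the question is no longer needed, and the IdP only has to know one SP logout URL.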
