
I have an MVC application which uses IdentityServer4. In IdentityServer4, I registered SAML2 (Sustainsys.Saml2) as the external login provider, and login works fine.

When the user logs out of the MVC application, it logs out from the MVC application, but the logout for the external login provider isn't triggering. I checked the Logout method of my identity server, which does the redirect to the external authentication scheme, but the redirect doesn't happen.

    // this triggers a redirect to the external provider for sign-out
    return SignOut(new AuthenticationProperties { RedirectUri = url },
                   vm.ExternalAuthenticationScheme);

And here is the code where I registered the external identity provider for SAML. I've used the NuGet package from Sustainsys.Saml2.

    .AddSaml2(options =>
    {
        // external login result lands in the IdentityServer external cookie
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        // principal the Saml2 handler reads when asked to sign out
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.SPOptions = CreateSPOptions();

        var idp = new IdentityProvider(new EntityId(_strIDPEntityId), options.SPOptions)
        {
            AllowUnsolicitedAuthnResponse = true,
            Binding = Saml2BindingType.HttpRedirect,
            SingleSignOnServiceUrl = new Uri(_strSingleSignOnURL),
            SingleLogoutServiceBinding = Saml2BindingType.HttpRedirect,
            SingleLogoutServiceUrl = new Uri("https://devit-dev.onelogin.com/trust/saml2/http-redirect/slo/1111")
        };

        // IdP signing certificate used to validate incoming SAML messages
        idp.SigningKeys.AddConfiguredKey(
            new X509Certificate2(
                AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "../../../App_Data/OneLogin.cer"));
        options.IdentityProviders.Add(idp);
    });

Not sure what I am missing here. Appreciate any help.

Himal Patel

1 Answer

Check your logs; they should show you the decision process that ends up in a local logout. There are A LOT of things that need to be in place for a federated logout to work. You need a service certificate and you need some special claims. The latter will be simplified in a future compatibility release with Sustainsys.Saml2/IdSrv4.

Anders Abel
  • Thanks, yes, it was missing the claims and due to that it wasn't signing out from the external provider. However, Saml2 expects a signed logout response and I'm getting an unsigned logout response, and it fails. Any switch to turn it off or to validate the response in some other way? – Himal Patel Feb 14 '18 at 14:32
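Added example of the "special claims" step the answer refers to; this is not code from the question, the answer, or the Sustainsys.Saml2 project. The Saml2 handler only builds a LogoutRequest when the principal of its SignOutScheme (here the IdentityServer cookie) carries the logout NameID and SessionIndex claims, so they must be copied from the external cookie into the local sign-in. It assumes the `Saml2ClaimTypes` constants of Sustainsys.Saml2 and the IdentityServer4 quickstart external-callback shape shown in the comment.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Sustainsys.Saml2; // assumed home of Saml2ClaimTypes

public static class Saml2LogoutClaims
{
    // Claim types the Saml2 handler looks for on its SignOutScheme principal.
    // If either is absent, the handler silently falls back to a local logout.
    private static readonly string[] Required =
    {
        Saml2ClaimTypes.LogoutNameIdentifier,
        Saml2ClaimTypes.SessionIndex
    };

    // Copies the SAML2 logout claims from the external-cookie principal into the
    // claims that will be issued with the local IdentityServer sign-in.
    // Returns false when either claim is missing so the caller can log why a
    // federated logout will not be triggered for this session.
    public static bool Forward(AuthenticateResult externalResult, ICollection<Claim> localClaims)
    {
        var principal = externalResult?.Principal;
        if (principal == null) return false;

        var found = 0;
        foreach (var type in Required)
        {
            var claim = principal.FindFirst(type);
            if (claim == null) continue;
            localClaims.Add(new Claim(claim.Type, claim.Value, claim.ValueType, claim.Issuer));
            found++;
        }
        return found == Required.Length;
    }
}

// Usage inside the external login callback (quickstart-style, assumed names):
//   var result = await HttpContext.AuthenticateAsync(
//       IdentityServerConstants.ExternalCookieAuthenticationScheme);
//   var additionalLocalClaims = new List<Claim>();
//   if (!Saml2LogoutClaims.Forward(result, additionalLocalClaims))
//       _logger.LogWarning("SAML2 logout claims missing; logout will be local only");
//   await HttpContext.SignInAsync(user.SubjectId, user.Username, provider,
//       localSignInProps, additionalLocalClaims.ToArray());
```

With the claims on the idsrv cookie, the existing `SignOut(..., vm.ExternalAuthenticationScheme)` call in the Logout action lets the Saml2 handler redirect to the IdP's SingleLogoutServiceUrl instead of ending locally.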