
I am using Sustainsys Saml2 with Identity Server 4. A customer has asked me if we support SAML Single Logout.

They have asked for:

  1. Single Logout Request URL
  2. Single Logout Response URL

From what I can see this is probably supported by Sustainsys given the following properties exist.

 // Identity provider configuration as set up in the question; "INSERT" is the
 // asker's placeholder for the value still to be determined.
 var idp = new Sustainsys.Saml2.IdentityProvider(new EntityId("https://sso.acme.com"), opt.SPOptions)
 {
     MetadataLocation = "/metadata/sso-meta.xml",
     LoadMetadata = true,
     AllowUnsolicitedAuthnResponse = true,
     // SingleLogoutServiceResponseUrl is a Uri property, so wrap the value in new Uri(...)
     SingleLogoutServiceResponseUrl = new Uri("INSERT"),
     SingleLogoutServiceBinding = Saml2BindingType.HttpRedirect
 };

I have two questions:

  1. I can only see one property which matches their request - the SingleLogoutServiceResponseUrl (I don't see a property for the SingleLogoutServiceRequestUrl). How do I configure the Single Logout Request URL?
  2. How do I determine what the values are for these URLs?

Thanks

Fanetic

1 Answer
  1. Outbound logout requests are sent to the SingleLogoutUrl configured on the Idp. The SingleLogoutResponseUrl is a special one - it's only used when responses should be sent to a different endpoint on the Idp than requests. Normally they are the same and if SingleLogoutResponseUrl is not set, the SingleLogoutUrl is used for both responses and requests.
  2. Ask the Idp people for those.

And as an additional note: You're loading metadata. Then everything should already be in the metadata and you can shorten your code to

// Shortened configuration: the logout endpoints and bindings come from the metadata file.
var idp = new Sustainsys.Saml2.IdentityProvider(new EntityId("https://sso.acme.com"), opt.SPOptions)
{
    MetadataLocation = "/metadata/sso-meta.xml",
    AllowUnsolicitedAuthnResponse = true,
};
dckuehn
Anders Abel
  • if I add `Binding = Saml2BindingType.HttpPost` will this be honoured or is the setting taken from the sso-meta.xml file? The situation I have is that the sso-meta.xml file has entries for both HttpRedirect and HttpPost and it always uses HttpRedirect regardless of whether I add in `Binding = Saml2BindingType.HttpPost` or not. EDIT - I just removed the entries for HttpRedirect from the sso-meta.xml and it now just uses HttpPost. – Fanetic Apr 30 '18 at 13:37
  • 1
    If both POST and Redirect are available it will prefer Redirect. Settings in the metadata file will override manual settings when the file contents are refreshed after a few minutes. – Anders Abel May 02 '18 at 07:50
  • "If you are using Single Logout, you need to make sure that the claims containing the Saml2 logout information are present in the returned identity. The types of the claims are available in Saml2ClaimTypes.SessionIndex and Saml2ClaimTypes.LogoutNameIdentifier" - I understand what this means but can't figure out where to add them? With all other authentication providers I can tie into an event which allows me to update the context with the claims. From what I can see Saml2 has both Events and Notifications however I can't figure out how to hook into them. I've trawled through the samples. – Fanetic Jul 16 '18 at 07:08
  • 2
    Solved it. The issue was SignInManager.SignInAsync rebuilds the principal and we were losing claims. Fixed by creating a custom SignInManager (that adds required claims in required format) as per this example - https://www.stevejgordon.co.uk/extending-the-asp-net-core-identity-signinmanager – Fanetic Jul 18 '18 at 05:56
  • I still don't get where and how I should add these two claims SessionIndex and LogoutNameIdentifier. Did you figure that out? Can't find an example showing how to configure Logout. – Arturio Nov 21 '19 at 17:16
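The answer above says the logout response URL falls back to the logout request URL when no separate one is given, and the comment thread says the library prefers the HTTP-Redirect binding when the IdP metadata lists both Redirect and POST. The following script is an added example, not part of the question, the answer, or Sustainsys.Saml2 itself: it reads an IdP metadata document, extracts the SingleLogoutService endpoints per binding, applies the same ResponseLocation-defaults-to-Location rule (which is how SAML metadata defines the attribute), picks a binding in the stated preference order, and flags endpoints that are not absolute https URLs before they are trusted. The metadata document, entity id and endpoint paths are constructed sample values, not the customer's real ones.

```python
"""Derive SAML Single Logout endpoints for an SP from IdP metadata (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; the entity id and URLs are placeholders, not real endpoints.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sso.acme.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://sso.acme.com/slo/post"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://sso.acme.com/slo/redirect"
                         ResponseLocation="https://sso.acme.com/slo/redirect/response"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://sso.acme.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_slo_endpoints(metadata_xml):
    """Map each SingleLogoutService binding to its request and response URLs.

    In SAML metadata, ResponseLocation is optional and defaults to Location,
    which matches the fallback described in the answer: one URL serves both
    logout requests and logout responses unless the IdP publishes a second one.
    """
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for el in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        binding = el.get("Binding")
        location = el.get("Location")
        response = el.get("ResponseLocation") or location
        endpoints[binding] = {"request_url": location, "response_url": response}
    return endpoints


def select_slo_endpoint(endpoints, preference=(REDIRECT, POST)):
    """Pick the first binding from `preference` that the IdP advertises.

    The default order encodes the behaviour stated in the comments: Redirect
    is preferred when both Redirect and POST are present. Returns None when
    the IdP advertises no usable logout endpoint.
    """
    for binding in preference:
        if binding in endpoints:
            return binding, endpoints[binding]
    return None


def check_endpoint(url):
    """Return a list of problems with a logout endpoint read from metadata.

    Logout requests carry the session identifier, so an endpoint that is not an
    absolute https URL should be rejected rather than configured as-is.
    """
    problems = []
    parts = urlparse(url or "")
    if not parts.netloc:
        problems.append(f"{url!r}: not an absolute URL")
    if parts.scheme != "https":
        problems.append(f"{url!r}: scheme is not https")
    return problems


if __name__ == "__main__":
    eps = parse_slo_endpoints(SAMPLE_METADATA)
    for binding, urls in eps.items():
        print(binding.rsplit(":", 1)[-1], urls)
    chosen = select_slo_endpoint(eps)
    print("selected:", chosen)
    for url in chosen[1].values():
        for problem in check_endpoint(url):
            print("WARNING:", problem)
```

Running it against the sample prints both bindings, shows that the POST entry's response URL equals its request URL (no ResponseLocation given) while the Redirect entry has a distinct response URL, and selects the Redirect binding, which is the same outcome the asker observed until the Redirect entries were removed from the file.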