
I am using the library ITfoxtec Identity SAML 2.0 to implement SAML 2.0 with an ASP.Net 4.6 MVC App and a 3rd party IdP that only supports http-redirect single logout. I am able to login, but I can't get the single logout to work. The sample only uses http-post to logout. Is there any sample code that is publicly available that shows how to implement a single logout using http-redirect?

Thanking you in advance for your help!


1 Answer

Logout with redirect binding can be supported with small changes by changing the binding class Saml2PostBinding to Saml2RedirectBinding. The following is based on the ITfoxtec Identity SAML 2.0 documentation.

Logout method in the Auth Controller

[HttpPost("Logout")]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout()
{
    if (!User.Identity.IsAuthenticated)
    {
        return Redirect(Url.Content("~/"));
    }

    // Redirect binding instead of the sample's Saml2PostBinding; config is the controller's Saml2Configuration
    var binding = new Saml2RedirectBinding();
    var saml2LogoutRequest = await new Saml2LogoutRequest(config, User).DeleteSession(HttpContext);
    return binding.Bind(saml2LogoutRequest).ToActionResult();
}

LoggedOut method in the Auth Controller. After a successful or failed logout the LoggedOut method receives the response.

[Route("LoggedOut")]
public IActionResult LoggedOut()
{
    var binding = new Saml2RedirectBinding();
    // Unbind reads and validates the signed LogoutResponse from the query string
    binding.Unbind(Request.ToGenericHttpRequest(), new Saml2LogoutResponse(config));

    return Redirect(Url.Content("~/"));
}

SingleLogout method in the Auth Controller. Receives a Single Logout request and sends a response.

[Route("SingleLogout")]
public async Task<IActionResult> SingleLogout()
{
    Saml2StatusCodes status;
    var requestBinding = new Saml2RedirectBinding();
    var logoutRequest = new Saml2LogoutRequest(config, User);
    try
    {
        requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
        status = Saml2StatusCodes.Success;
        await logoutRequest.DeleteSession(HttpContext);
    }
    catch (Exception exc)
    {
        // log exception
        Debug.WriteLine("SingleLogout error: " + exc.ToString());
        status = Saml2StatusCodes.RequestDenied;
    }

    var responsebinding = new Saml2RedirectBinding();
    responsebinding.RelayState = requestBinding.RelayState;
    var saml2LogoutResponse = new Saml2LogoutResponse(config)
    {
        InResponseToAsString = logoutRequest.IdAsString,
        Status = status,
    };
    return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
}
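To see what the redirect binding actually carries between the SP and the IdP (useful when an IdP sends its LogoutRequest to the wrong endpoint or with an unexpected SigAlg), here is an added Python example that is not part of the answer or of the ITfoxtec library: it DEFLATE/base64-encodes a constructed LogoutRequest into a SAMLRequest redirect URL, builds the exact octet string that the Signature parameter covers, and decodes an incoming URL back into the fields an SP should check. The issuer, destination, IDs and RelayState in it are made up.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2A = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed sample LogoutRequest: IDs, issuer, NameID and destination are made up.
LOGOUT_REQUEST_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id-1" Version="2.0" '
    'IssueInstant="2020-08-21T02:56:00Z" Destination="https://idp.example.test/slo">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer><saml:NameID>user@example.test</saml:NameID>'
    '<samlp:SessionIndex>_session-1</samlp:SessionIndex></samlp:LogoutRequest>'
)

def deflate_b64(xml):
    # Raw DEFLATE (no zlib header, wbits=-15) then base64, as the redirect binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")

def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def signed_query_string(param, xml, relay_state, sig_alg):
    # The octet string the sender signs and the receiver verifies: URL-encoded values in
    # the fixed order param, RelayState (only if present), SigAlg. Never the decoded XML.
    parts = [param + "=" + urllib.parse.quote(deflate_b64(xml), safe="")]
    if relay_state:
        parts.append("RelayState=" + urllib.parse.quote(relay_state, safe=""))
    parts.append("SigAlg=" + urllib.parse.quote(sig_alg, safe=""))
    return "&".join(parts)

def build_redirect_url(destination, xml, relay_state=None, sig_alg=RSA_SHA256):
    # The RSA signature over signed_query_string() goes in &Signature=...; left to the SAML library here.
    return destination + "?" + signed_query_string("SAMLRequest", xml, relay_state, sig_alg)

def parse_logout_request(url):
    # Decode an incoming SAMLRequest redirect URL into the fields an SP should check
    # (Issuer against the configured IdP, Destination against its own SLO endpoint, SigAlg allowed).
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(inflate_b64(query["SAMLRequest"][0]))
    if root.tag != "{%s}LogoutRequest" % SAML2P:
        raise ValueError("not a LogoutRequest: " + root.tag)
    return {
        "destination": root.get("Destination"),
        "issuer": root.findtext("{%s}Issuer" % SAML2A),
        "session_index": root.findtext("{%s}SessionIndex" % SAML2P),
        "relay_state": query.get("RelayState", [None])[0],
        "sig_alg": query.get("SigAlg", [None])[0],
    }
```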
  • Hi...when I logout from the webapp...it is redirecting back to the singlelogout method...it is failing since the logout has already occurred. In the SingleLogout setting on the IDP I have the slo endpoint https://localhost:44327/Auth/SingleLogout....I thought this was only called when another saml2 app logged out – Tonybot Aug 21 '20 at 02:56
  • Then the IdP configuration needs to be changed; it should return to the LoggedOut endpoint after logout. There are probably two logout fields, one for LoggedOut (maybe called response) and one for SingleLogout (maybe called request). – Anders Revsgaard Aug 21 '20 at 09:42
  • Thanks....so if I want to include this in an existing ASP.Net 4.5.2 application do I need to only include the ITfoxtec.Identity.Saml2 and TestIdPCore projects? As for the dependencies what is the bare minimum framework? I see .NETCoreApp 2.1, .NETCoreApp 2.2, .NETCoreApp 3.0, .NETCoreApp 3.1, .NETFramework 4.6.2, .NETFramework 4.7.2 and .NETStandard 2.1 included in the solution. Right now this application is using VS 2017 which only supports up to .NET Core 2.0, 1.1 and 1.0 and it doesn't support .NETStandard 2.1...will I have to upgrade to VS 2019? – Tonybot Aug 22 '20 at 03:13
  • You need ITfoxtec.Identity.Saml2 and ITfoxtec.Identity.Saml2.Mvc, the minimum .NET Framework is 4.6.2. You can look at the sample: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCoreFramework – Anders Revsgaard Aug 24 '20 at 18:46
  • Hello, the third party IDP I am using only supports sha1 certificates. RsaSha1Signature is defined as "http://www.w3.org/2000/09/xmldsig#rsa-sha1" in Saml2Securitylgorthim.cs but when I used OpenSsl to create a sha1 certificate it's created with the algorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha1". I tried updating the RsaSha1Signature in Saml2Securitylgorthim.cs to http://www.w3.org/2001/04/xmldsig-more#rsa-sha1, but I keep getting a "SignatureDescription could not be created for the signature algorithm supplied." error in the ComputeSignature function. How to get past this? – Tonybot Sep 03 '20 at 03:20
  • The SHA1 hash is "http://www.w3.org/2000/09/xmldsig#rsa-sha1", a full url with http. You do not have to change the certificate to use SHA1 as the SAML 2.0 hash algorithm. – Anders Revsgaard Sep 04 '20 at 11:59
  • Thank you for the help...is there a non-Federated session authentication option? We are having issues with our API being behind a FederatedAuthentication. Our anonymous open endpoint API methods are being blocked because it requires a FedAuth and FedAuth1 cookie to be included in the headers. Is there any way around it? – Tonybot Sep 15 '20 at 21:33
  • No, the component uses the .NET identity session which is cookie based. – Anders Revsgaard Sep 17 '20 at 07:15