1

I have implemented multi-tenant SAML SSO in my application. I am using a Single Page Application with the UI in AngularJS, a Web API (for the assertion URL), and a microservice for creating and handling the SAML requests. I am using the ITfoxtec library in my microservice.

I have implemented the SAML SSO login successfully and it is working fine. However, I am facing issues while implementing SAML Single Logout. On the SAML assertion, I am just extracting a few claims and returning these to the Web API. On logout, it seems that I need the ClaimsIdentity and HttpContext. I have persisted the ClaimsIdentity during the SAML assertion and am re-using it during the logout, but I don't have access to HttpContext. I have created a custom HttpContext from DefaultHttpContext and tried to execute the following line of code:

var saml2LogoutRequest = await new Saml2LogoutRequest(config, User).DeleteSession(HttpContext);

but it gives an error:

No sign-out authentication handlers are registered. Did you forget to call AddAuthentication().AddCookies

My question is how to perform a single logout without using the HttpContext, or, if it is required, how to manually create it?

Adnan Yaseen

1 Answer

1

Doing SAML 2.0 logout needs the NameID, NameID format and session index. To achieve this you can populate the ClaimsIdentity with the claims: Saml2ClaimTypes.NameId, Saml2ClaimTypes.NameIdFormat and Saml2ClaimTypes.SessionIndex.

In the case of single logout you only need to validate the request:

Saml2StatusCodes status;
// Binding the IdP used to deliver the LogoutRequest (POST here; use Saml2RedirectBinding for a redirect-bound request)
var requestBinding = new Saml2PostBinding();
// User is the ClaimsPrincipal that carries the NameId, NameIdFormat and SessionIndex claims
var logoutRequest = new Saml2LogoutRequest(config, User);
try
{
    // Unbind reads and validates the incoming LogoutRequest (signature, issuer, destination)
    requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
    status = Saml2StatusCodes.Success;
    //TODO handle logout (drop the application's own session for this user)
}
catch (Exception exc)
{
    // log exception; a request that fails validation is answered with RequestDenied
    Debug.WriteLine("SingleLogout error: " + exc.ToString());
    status = Saml2StatusCodes.RequestDenied;
}

and respond:

var responsebinding = new Saml2PostBinding();
// Echo the RelayState so the IdP can correlate the response with its request
responsebinding.RelayState = requestBinding.RelayState;
var saml2LogoutResponse = new Saml2LogoutResponse(config)
{
    // Reference the ID of the LogoutRequest being answered
    InResponseToAsString = logoutRequest.IdAsString,
    Status = status,
};
// Bind signs the LogoutResponse and produces the auto-posting form to the IdP's SLO endpoint
return responsebinding.Bind(saml2LogoutResponse).ToActionResult();

You do not need to call the DeleteSession(HttpContext) but you need to handle logout somehow.

Anders Revsgaard
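The following is an added example, not code from the question or from the answer above, that puts the answer's two halves together: at assertion time it keeps only the NameID, NameID format and session index claims in a ClaimsIdentity, and at the single logout endpoint it rebuilds a ClaimsPrincipal from that stored identity to validate and answer the IdP's LogoutRequest, with no call to DeleteSession(HttpContext). The controller name, the route names, the ExtractLogoutIdentity helper and the ISamlSessionStore interface are assumptions made for the example; the ITfoxtec types and calls are the ones used in the answer and in the library's ASP.NET Core samples, and the example assumes the IdP sends the LogoutRequest with the POST binding.

```csharp
// Added example (not the asker's or answerer's code): persist the three logout claims
// at assertion time and use them to validate an IdP-initiated LogoutRequest later.
using System;
using System.Diagnostics;
using System.Security.Authentication;
using System.Security.Claims;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Claims;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical store (assumption): keeps the logout claims for the browser session
// and finds them again for the incoming logout request, e.g. via the app's own cookie.
public interface ISamlSessionStore
{
    void Save(HttpRequest request, ClaimsIdentity identity);
    ClaimsIdentity Find(HttpRequest request);
    void Remove(HttpRequest request);
}

public class SamlController : Controller
{
    private readonly Saml2Configuration config;   // per-tenant configuration, resolved elsewhere
    private readonly ISamlSessionStore sessions;

    public SamlController(Saml2Configuration config, ISamlSessionStore sessions)
    {
        this.config = config;
        this.sessions = sessions;
    }

    // Keep only the three claims SAML 2.0 logout needs; the remaining claims can still
    // be handed to the Web API as before. Helper name is an assumption.
    public static ClaimsIdentity ExtractLogoutIdentity(ClaimsIdentity source)
    {
        // A non-null authentication type makes IsAuthenticated true, which the library expects
        var identity = new ClaimsIdentity("saml2-logout");
        foreach (var type in new[] { Saml2ClaimTypes.NameId, Saml2ClaimTypes.NameIdFormat, Saml2ClaimTypes.SessionIndex })
        {
            var claim = source.FindFirst(type);
            if (claim != null)
                identity.AddClaim(new Claim(type, claim.Value));
        }
        if (identity.FindFirst(Saml2ClaimTypes.NameId) == null)
            throw new AuthenticationException("Assertion carries no NameID; logout could not be validated later.");
        return identity;
    }

    [HttpPost("AssertionConsumerService")]
    public IActionResult AssertionConsumerService()
    {
        var binding = new Saml2PostBinding();
        var authnResponse = new Saml2AuthnResponse(config);

        binding.ReadSamlResponse(Request.ToGenericHttpRequest(), authnResponse);
        if (authnResponse.Status != Saml2StatusCodes.Success)
            throw new AuthenticationException($"SAML response status: {authnResponse.Status}");
        binding.Unbind(Request.ToGenericHttpRequest(), authnResponse); // validates signature and conditions

        // The library fills ClaimsIdentity from the assertion, including the NameID,
        // NameID format and session index claims that logout needs.
        sessions.Save(Request, ExtractLogoutIdentity(authnResponse.ClaimsIdentity));
        return Redirect("/"); // hand off to the SPA as before
    }

    [HttpPost("SingleLogout")]
    public IActionResult SingleLogout()
    {
        var stored = sessions.Find(Request);
        // Unauthenticated identity when nothing is stored: the request is still read, but not matched to a session
        var principal = new ClaimsPrincipal(stored ?? new ClaimsIdentity());

        Saml2StatusCodes status;
        var requestBinding = new Saml2PostBinding();
        var logoutRequest = new Saml2LogoutRequest(config, principal);
        try
        {
            requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
            sessions.Remove(Request); // the "handle logout" step: drop the server-side session
            status = Saml2StatusCodes.Success;
        }
        catch (Exception exc)
        {
            Debug.WriteLine("SingleLogout error: " + exc);
            status = Saml2StatusCodes.RequestDenied;
        }

        var responseBinding = new Saml2PostBinding { RelayState = requestBinding.RelayState };
        var logoutResponse = new Saml2LogoutResponse(config)
        {
            InResponseToAsString = logoutRequest.IdAsString,
            Status = status,
        };
        return responseBinding.Bind(logoutResponse).ToActionResult();
    }
}
```

The SPA's own session (the token the Web API hands to AngularJS) is not touched by the SAML library; removing it from the store inside the try block is what makes the logout effective, and a request that fails validation leaves the session in place and is answered with RequestDenied. If the IdP delivers the LogoutRequest through the redirect binding instead of POST, the request and response bindings must be swapped for Saml2RedirectBinding accordingly.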