We have a simple B2C user journey where the user authenticates via a third-party SAML Identity Provider and then makes an API call to an external system based on the attributes received from the IdP. After completing the user journey, the user should be logged out from the IdP. The IdP instructs that this should be done by sending a SAML LogoutRequest which includes the service provider EntityID and IssueInstant (timestamp), as well as the NameID and SessionIndex from the SAML Response. The IdP then returns a LogoutResponse.
The IdP metadata also includes a SingleLogoutService url with bindings for HTTP-POST and HTTP-Redirect.
How can we send the LogoutRequest from B2C to the IdP? The preferred way would be to launch the LogoutRequest directly from the B2C user journey. If this is not possible, we can also send the LogoutRequest from our application. To achieve this, B2C should be able to collect the SessionIndex as a claim from the SAML Response.
However, according to the B2C documentation, only attributes from the AttributeStatement of the SAML Response can be collected as output claims. The SessionIndex is included in the AuthnStatement of the SAML Response:
<saml2:AuthnStatement AuthnInstant="2023-02-14T14:40:02.726Z" SessionIndex="_5fb496b49e1b00b902e63ed857c4fdea">
My SAML IdP technical profile and session management profile are as follows:
<TechnicalProfile Id="SAML2-IdP">
  <DisplayName>SAML IdP</DisplayName>
  <Description>SAML IdP</Description>
  <Protocol Name="SAML2"/>
  <Metadata>
    <!-- IdP metadata document; this is where the SingleLogoutService bindings come from -->
    <Item Key="PartnerEntity">https://.../metadata.xml</Item>
    <!-- outgoing requests are signed with the SamlMessageSigning key below -->
    <Item Key="WantsSignedRequests">true</Item>
    <Item Key="XmlSignatureAlgorithm">Sha256</Item>
    <!-- incoming assertions are encrypted; decrypted with the SamlAssertionDecryption key below -->
    <Item Key="WantsEncryptedAssertions">true</Item>
    <Item Key="ResponsesSigned">false</Item>
    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
    <Item Key="SingleLogoutEnabled">true</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSecret"/>
    <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SAMLSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <!-- PartnerClaimType maps to an Attribute Name in the AttributeStatement -->
    <OutputClaim ClaimTypeReferenceId="userId" PartnerClaimType="userId" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    ...
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
</TechnicalProfile>

<ClaimsProvider>
  <DisplayName>Session Management</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SM-Saml-idp">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IncludeSessionIndex">false</Item>
        <Item Key="RegisterServiceProviders">false</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
I have also tried setting IncludeSessionIndex and RegisterServiceProviders to “true” but this didn't seem to change anything.
Is there a way to extract the SessionIndex in order to build the payload for SAML LogoutRequest or even better, can we somehow trigger B2C to always launch the LogoutRequest at the end of the journey, based on the data it received from the SAML Payload, and the IdP metadata?
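For the fallback the question mentions (sending the LogoutRequest from the application rather than from B2C), the following added example, which is not part of the original post, shows the two pieces the application would need: pulling NameID and SessionIndex out of the AuthnStatement of a SAML Response, and building a LogoutRequest with the SP EntityID, IssueInstant, NameID and SessionIndex, encoded for the HTTP-Redirect binding from the IdP metadata. The sample Response, the entity ID and the SLO URL are constructed for illustration. Two caveats: with WantsEncryptedAssertions set to true the Assertion arrives as an EncryptedAssertion and has to be decrypted before this parsing step, and since the profile declares WantsSignedRequests, the IdP will expect the LogoutRequest to be signed (for the Redirect binding that is the SigAlg/Signature query parameters), which is not shown here.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample Response (already decrypted); only the parts relevant to logout are shown.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2023-02-14T14:40:02.726Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-02-14T14:40:02.726Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-123</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2023-02-14T14:40:02.726Z" SessionIndex="_5fb496b49e1b00b902e63ed857c4fdea"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="userId"><saml:AttributeValue>user-123</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_logout_material(response_xml: str) -> dict:
    """Return NameID (with Format) and SessionIndex from a plaintext SAML Response.

    The SessionIndex lives on the AuthnStatement, not in the AttributeStatement,
    which is why it is not reachable as an ordinary attribute claim.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion (EncryptedAssertion must be decrypted first)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    if name_id is None or authn is None or "SessionIndex" not in authn.attrib:
        raise ValueError("Subject/NameID or AuthnStatement/SessionIndex missing")
    return {
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "session_index": authn.attrib["SessionIndex"],
    }


def build_logout_request(sp_entity_id: str, slo_url: str, material: dict,
                         issue_instant: Optional[datetime.datetime] = None,
                         request_id: Optional[str] = None) -> str:
    """Build an (unsigned) samlp:LogoutRequest carrying Issuer, IssueInstant, NameID, SessionIndex."""
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc)
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,   # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": slo_url,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    nid = ET.SubElement(req, f"{{{NS['saml']}}}NameID")
    if material.get("name_id_format"):
        nid.set("Format", material["name_id_format"])   # must match the NameID the IdP issued
    nid.text = material["name_id"]
    ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = material["session_index"]
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(slo_url: str, logout_request_xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(logout_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return slo_url + ("&" if "?" in slo_url else "?") + urlencode(params)


def decode_saml_request(url: str) -> str:
    """Inverse of redirect_binding_url, handy for checking what the IdP will actually see."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")


def demo() -> dict:
    """Run the whole flow with a fixed timestamp and request ID so the output is reproducible."""
    material = extract_logout_material(SAMPLE_RESPONSE)
    slo_url = "https://idp.example.test/slo"                   # constructed; from IdP metadata in practice
    fixed = datetime.datetime(2023, 2, 14, 14, 45, 0, tzinfo=datetime.timezone.utc)
    xml = build_logout_request("https://sp.example.test/b2c", slo_url, material, fixed, "_req1")
    url = redirect_binding_url(slo_url, xml, relay_state="done")
    return {"material": material, "xml": xml, "url": url, "roundtrip": decode_saml_request(url)}


if __name__ == "__main__":
    out = demo()
    print(out["xml"])
    print(out["url"])
```

The LogoutRequest also needs to be correlated later: keep the generated ID so the IdP's LogoutResponse can be matched on its InResponseTo attribute, and keep the NameID Format exactly as issued, since IdPs commonly reject a logout whose NameID does not match the session they hold.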