ComponentSpace

Forums



SAML Single Log Out issue


SAML Single Log Out issue

Author
Message
WeiC
WeiC
New Member
New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)

Group: Forum Members
Posts: 1, Visits: 5
We are having some issue with SLO. ComponentSpace.SAML2.dll we are using  is version 2.4.0.11, that we purchased a few years ago. When I looked at the developer guide online http://www.componentspace.com/Documentation/SAML%20v2.0%20Developer%20Guide.pdf, it is showing the following example for idP-Initiated SLO: 

5.1.4 SAMLIdentityProvider.InitiateSLOThe InitiateSLO method sends a logout request to each service provider in session as partof IdP-initiated SLO.For example: SAMLIdentityProvider.InitiateSLO( Response, null);.....

However, in the the library we are using, I couldn't find SAMLIdentityProvider.InitiateSLO. I can only find SingleLogoutService.SendLogoutRequestByHTTPPost. So we implemented using SingleLogoutService, but it doesn't work correctly. The request doesn't get posted at all and no error shows in the the log file neither. Below is the c# code we are using to implement SLO.

A La Carte and Feature Direct Reference Guide  public void SendSAMLSLORequest(string sessionId)
        {
            MetadataReader spReader = new MetadataReader(string.Format(SPMetadata, env));
            spReader.Process();

            MetadataReader idpReader = new MetadataReader(string.Format(IDPMetadata, env));
            idpReader.Process();

            LogoutRequest samlRequest = CreateSAMLRequest(spReader, idpReader, sessionId);
            SendSAMLRequest(samlRequest, spReader, idpReader, sessionId);

        }
private LogoutRequest CreateSAMLRequest(MetadataReader spReader, MetadataReader idpReader, string sessionIndex)
        {
            LogoutRequest result = new LogoutRequest();
            try
            {
                result.NameID = new NameID(client.OpaqueId);
                result.Destination = spReader.SingleLogOutServiceUrl;
                result.Issuer = new Issuer(idpReader.EntityId);
                result.IssueInstant = DateTime.UtcNow;
                result.NotOnOrAfter = DateTime.UtcNow.AddMinutes(10);
                result.Reason = "IDP Logout";
                result.SessionIndexes = new List<SessionIndex>();
                SessionIndex session = new SessionIndex(sessionIndex);
                result.SessionIndexes.Add(session);
            }
            catch (Exception ex)
            {
                …
            }

            return result;
        }

        private void SendSAMLRequest(LogoutRequest samlSLORequest, MetadataReader spReader, MetadataReader idpReader, string sessionIndex)
        {
            XmlElement samlRequestXml = samlSLORequest.ToXml();
            if (idpReader.SigningCert != null && idpReader.SigningCert.PrivateKey != null)
            {
                SAMLMessageSignature.Generate(samlRequestXml, idpReader.SigningCert.PrivateKey, idpReader.SigningCert);
                SingleLogoutService.SendLogoutRequestByHTTPPost(Response, spReader.SingleLogOutServiceUrl, samlRequestXml, null);
                 ...
            }
            else
            {
                …
            }
        }

Does anyone have ideas what is wrong with our SLO implementation? How can we use SAMLIdentityProvider.InitiateSLO?  Do we need to upgrade our library? 

thanks in advance!
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
SAMLIdentityProvider.InitiateSLO is part of a new high-level API we introduced in 2013. It sounds like you are using an earlier version of the product.
Calling SingleLogoutService.SendLogoutRequestByHTTPPost should work. This is part of the original low-level API.
Please confirm that SingleLogoutService.SendLogoutRequestByHTTPPost is being called.
Where do you end up in the browser?
Also, please use something like Fiddler to capture the HTTP traffic to see what is being returned.
Do you see the HTTP Post being sent to the service provider?



Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Where do you end up in the browser? Are you at your site or the partner site?
Also, please use something like Fiddler to capture the HTTP traffic.
Do you see the HTTP Post being sent to the partner provider?



Regards
ComponentSpace Development
puffyqi
puffyqi
New Member
New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)

Group: Forum Members
Posts: 8, Visits: 24
Hi,

I also use this method and enable the diagnostics logs. It seems that it post to the url but in the fiddler i cannot find the url. 
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Is there any other code in your method that could be overriding the HTTP response containing the logout request?

Using Fiddler or the browser developer tools (F12), what's the HTTP response being returned by your application? 

Regards
ComponentSpace Development
puffyqi
puffyqi
New Member
New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)

Group: Forum Members
Posts: 8, Visits: 24
ComponentSpace - 10/29/2020
Is there any other code in your method that could be overriding the HTTP response containing the logout request?

Using Fiddler or the browser developer tools (F12), what's the HTTP response being returned by your application? 

After the logout request is done, i do a Response.redirect to another page.  How do I get back the logoutresponse from SendLogoutRequestViaHttpPost? Currently the sending of request did not throw any errors and page is redirected successfully. 
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
The Response.Redirect replaces the 200 HTTP response we're attempting to return with your 302 redirect HTTP response. This explains why you don't see the SAML logout request being sent.

 SendLogoutRequestViaHttpPost will send a SAML logout request, via the browser, to the partner provider. Control is now at the partner provider website. After the user is logged out at the partner provider site they should send a SAML logout response to your logout service endpoint. You now have control back at your website and would call our API to receive and process the logout response. You can then redirect to the appropriate page as SAML logout has now completed.

Regards
ComponentSpace Development
puffyqi
puffyqi
New Member
New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)

Group: Forum Members
Posts: 8, Visits: 24
ComponentSpace - 10/29/2020
The Response.Redirect replaces the 200 HTTP response we're attempting to return with your 302 redirect HTTP response. This explains why you don't see the SAML logout request being sent.

 SendLogoutRequestViaHttpPost will send a SAML logout request, via the browser, to the partner provider. Control is now at the partner provider website. After the user is logged out at the partner provider site they should send a SAML logout response to your logout service endpoint. You now have control back at your website and would call our API to receive and process the logout response. You can then redirect to the appropriate page as SAML logout has now completed.

What API should I call to receive and process the logout response? Do you have a sample code for it? I prefer using the low level api than high level api. I tried using it dotnet HttpWebRequest to get response, i am able to get 200 OK but there is no output in the body when I read the responsestream. Does it mean by the partner provider site have already received it and processed it?
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
I recommend you use the SAML high-level API as it's much easier to use.

However, if you wish to use the low-level API you should call either SingleLogoutService.ReceiveLogoutResponseByHTTPPost or SingleLogoutService.ReceiveLogoutResponseByHTTPRedirect, depending on whether the SAML logout response is sent over HTTP-Post or HTTP-Redirect.

The SAML2ServiceProvider project, which you'll find under the Examples folder, includes a SAML/SLOService.aspx page that demonstrates calling SingleLogoutService.SendLogoutResponseByHTTPRedirect and SingleLogoutService.ReceiveLogoutMessageByHTTPRedirect.

The ReceiveLogoutMessageByHTTPRedirect method supports receiving either a SAML logout request or response. You can call ReceiveLogoutResponseByHTTPRedirect if you know you're expecting a logout response rather than a logout request.

Regards
ComponentSpace Development
puffyqi
puffyqi
New Member
New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)

Group: Forum Members
Posts: 8, Visits: 24
ComponentSpace - 10/29/2020
I recommend you use the SAML high-level API as it's much easier to use.

However, if you wish to use the low-level API you should call either SingleLogoutService.ReceiveLogoutResponseByHTTPPost or SingleLogoutService.ReceiveLogoutResponseByHTTPRedirect, depending on whether the SAML logout response is sent over HTTP-Post or HTTP-Redirect.

The SAML2ServiceProvider project, which you'll find under the Examples folder, includes a SAML/SLOService.aspx page that demonstrates calling SingleLogoutService.SendLogoutResponseByHTTPRedirect and SingleLogoutService.ReceiveLogoutMessageByHTTPRedirect.

The ReceiveLogoutMessageByHTTPRedirect method supports receiving either a SAML logout request or response. You can call ReceiveLogoutResponseByHTTPRedirect if you know you're expecting a logout response rather than a logout request.

Hi, I call the SingleLogoutService.SendLogoutRequestByHTTPPost to the sample project SAML2ServiceProvider SLOService.aspx but the logs did not hit on the Page_Load

This is what I diagnosed on the send logout request
<html xmlns="http://www.w3.org/1999/xhtml"><body onload="document.forms.samlform.submit()"><noscript><p><strong>Note:</strong> Since your browser does not support Javascript, you must press the Continue button once to proceed.</p></noscript><form id="samlform" action="https://localhost:3443/samlSP/SAML/SLOService.aspx" method="post" target="_self"><div><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkxvZ291dFJlcXVlc3QgSUQ9ImRlOTJkYjliLWE4NDAtNGVmOC05NDc5LTk4ZWE2MDE5NWYxNyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMjAtMTAtMzBUMTU6MjI6NTQuMVoiIERlc3RpbmF0aW9uPSJodHRwczovL2x1YXBzdWF0Lm55cC5lZHUuc2c6MzQ0My9zYW1sU1AvU0FNTC9TTE9TZXJ2aWNlLmFzcHgiIFJlYXNvbj0iU1AgTG9nb3V0IiBOb3RPbk9yQWZ0ZXI9IjIwMjAtMTAtMzBUMTU6MzI6NTQuMVoiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5eaHR0cHM6Ly9sdWFwc3VhdC5ueXAuZWR1LnNnLy4qPC9zYW1sOklzc3Vlcj48c2FtbDpOYW1lSUQgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+RFNDIEluc3RhbmNlPC9zYW1sOk5hbWVJRD48c2FtbHA6U2Vzc2lvbkluZGV4PlNULTEtZEV2WUVSVDRqdy1lbUhvZUFidTEwLWNhczwvc2FtbHA6U2Vzc2lvbkluZGV4Pjwvc2FtbHA6TG9nb3V0UmVxdWVzdD4="/></div><noscript><div><input type="submit" value="Continue"/></div></noscript></form></body></html>

What I expected is that it should hit the Page_Load at the /samlSP/SAML/SLOService.aspx but there is no logs being write out. I have change the web.config to point to my log directory.



GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search