ComponentSpace

Forums



SAMLServiceProvider.SendSLO question


SAMLServiceProvider.SendSLO question

Author
Message
boyd98
boyd98
New Member
New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)

Group: Forum Members
Posts: 31, Visits: 164
SP Initiated SLO
Highlevel API example, webforms

I noticed the code example has 4 variables, 2x null 
 SAMLServiceProvider.InitiateSLO(Response, null, null, partnerIdP);

While the delopers guide only implies 3 variables
The InitiateSLO method sends a logout request to the identity provider as part of SPinitiatedSLO.For example:
SAMLServiceProvider.InitiateSLO( Response, null,null);
The Response is used to send the logout request to the service provider via the browser.
The second parameter is the logout reason or null if none.
The third parameter is the partner identity provider’s name or null if there’s only oneconfigured partner identity provider.

===

My question is what is contained in the response?

I have a project, SP Init SSO.  
When the user logins into IDP, a authNresponse is sent back.
The catch is that I use the email attribute that is sent back instead of the nameid to authenticate against my web app.
My FormsAuthentication cookie is the username that is previously set to the email.

I'm wondering if when i send a response back if the SLO resposnse if that contains a session ID or if it's sending the username / nameid back to the IDP to logoff?

Let me know if that question makes sense - 

Thx again,






ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks for pointing this out. I'll see that the Developer Guide is updated.
The SAMLServiceProvider class includes the following InitiateSLO overloads.

public static void InitiateSLO(HttpResponse httpResponse, string logoutReason, string relayState)
public static void InitiateSLO(HttpResponse httpResponse, string logoutReason, string relayState, string partnerIdP)


The relayState parameter was added.
This allows relay state to be included with the logout request.
As per the SAML specification, the logout request will include the Name ID and session index.
This should be sufficient for the IdP to identify and logout the user.

Regards
ComponentSpace Development
boyd98
boyd98
New Member
New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)

Group: Forum Members
Posts: 31, Visits: 164
ComponentSpace - 7/13/2018
Thanks for pointing this out. I'll see that the Developer Guide is updated.
The SAMLServiceProvider class includes the following InitiateSLO overloads.

public static void InitiateSLO(HttpResponse httpResponse, string logoutReason, string relayState)
public static void InitiateSLO(HttpResponse httpResponse, string logoutReason, string relayState, string partnerIdP)


The relayState parameter was added.
This allows relay state to be included with the logout request.
As per the SAML specification, the logout request will include the Name ID and session index.
This should be sufficient for the IdP to identify and logout the user.

Just to clarify does it work like this:
Receive AuthNResponse
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);

Does the "username" correspond to the NameID

Then authentication is marked successful
FormsAuthentication.SetAuthCookie(userName, false);

What happens if after this is done, I replace username with a different attribute (such as email).
Then recall: FormsAuthentication.SetAuthCookie(userName, false);

Then then the user signs out.

Does
SAMLServiceProvider.InitiateSLO(Response, null, null, partnerIdP);

Send the NameId from the session still or is it pulling from the cookie username variable?


Thx again!

josh






ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
We store the NameID in the internal SAML session state. This is what's included in the logout request.
We don't use the FormsAuthentication.SetAuthCookie value etc. 

Regards
ComponentSpace Development
boyd98
boyd98
New Member
New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)New Member (45 reputation)

Group: Forum Members
Posts: 31, Visits: 164
ComponentSpace - 7/17/2018
We store the NameID in the internal SAML session state. This is what's included in the logout request.
We don't use the FormsAuthentication.SetAuthCookie value etc. 

Perfect - thanks very much
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 1 query. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search