I'm struggling with getting a robust logout process in place for my SP
application when a user logs in using SAML SSO.
Our Service Provider application has a "logout" button. Before we introduced SAML SSO as an optional login mechanism for some of our clients, when the user clicks Logout, we simply performed these steps:
For SAML SLO, the process is as follows:
- check that CanSLO() returns true,
- if it does then call InitiateSLO() which populates the response object
- allow the page to end and the user's browser in order to redirect to the IdP and log out.
So here's my problem:
I can't run my ASP.NET sign out code first, followed by calls to CanSLO()/InitiateSLO()
as the session object will have been disposed and CanSLO()
then returns false and InitiateSLO()
does not work.I can't run the CanSLO()/InitiateSLO() code first, as this ends up redirecting to the IdP and the IdP displays a "Your are now logged out" page with no return to our application and therefore, no mechanism to sign out of ASP.NET Forms.
Either way, one of the two sessions still exist and the user can effectively log back in without entering any credentials.
Can you advise on what I am doing wrong and how do I get this use case to work?