Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

How to Diagnose Federated Logout Issues with HttpModule #1192

Closed RoLYroLLs closed 2 years ago

RoLYroLLs commented 4 years ago

Hello, I've been using the docs, looking up answers and asking questions on Stack Overflow to get this implemented on my site. One of the last things I'm trying to work out is triggering a logout on my IDP.

I have an ASP.NET Web Forms app using the HttpModule and added NLog as the ILoggerAdapter. I'm also using ADFS as my IDP.

Currently, I'm getting empty values for the requirements for federated logout.

2020-05-11 13:46:58.3054|DEBUG|Saml2|Initiating logout, checking requirements for federated logout
  Issuer of LogoutNameIdentifier claim (should be Idp entity id):
  Issuer is a known Idp: False
  Session index claim (should have a value):
  Idp has SingleLogoutServiceUrl:
  There is a signingCertificate in SPOptions: True
  Idp configured to DisableOutboundLogoutRequests (should be false):

I'm looking through the source to see where the values come from and how those values get added so I can trace where the problem is.

My web.config is as follows:

<sustainsys.saml2 entityId="http://mysite/federation/saml2" publicOrigin="http://mysite" modulePath="/federation/Saml2" returnUrl="http://mysite" authenticateRequestSigningBehavior="Always">
  <metadata cacheDuration="PT42S" validDuration="7.12:00:00" wantAssertionsSigned="true">
  </metadata>
  <identityProviders>
    <add entityId="https://myadfs/adfs/services/trust" metadataLocation="https://myadfs/federationmetadata/2007-06/federationmetadata.xml" signOnUrl="https://myadfs/adfs/ls/" logoutUrl="https://myadfs/adfs/ls/?wa=wsignout1.0" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
      <signingCertificate fileName="~/App_Data/Adfs.cer" />
    </add>
  </identityProviders>
  <serviceCertificates>
    <add fileName="~/App_Data/Saml2.pfx" />
  </serviceCertificates>
</sustainsys.saml2>

I'm hoping I can get some better guidance on what to check for to diagnose the problem. I am able to download the metadata and I'm wondering if the metadata is not being read properly or what.

Thanks in advance!

AndersAbel commented 4 years ago

Looks like the claim containing the state information needed for logout is completely missing (ClaimType http://Sustainsys.se/Saml2/LogoutNameIdentifier). Are you doing custom claims transformation that removes that claim?

RoLYroLLs commented 4 years ago

@AndersAbel we do have custom claims transformation, but I'm not aware of any "removal" of logout claims. How can I check, as I'm not that familiar with ADFS?

Thank you.
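The following is an added example written for this thread; it is not code from the Sustainsys.Saml2 project or from either participant. It rebuilds, offline, the requirement check whose DEBUG output is quoted in the original post, and reproduces the symptom AndersAbel points at: a claims transformation that builds a fresh identity drops the http://Sustainsys.se/Saml2/LogoutNameIdentifier and SessionIndex claims (or re-creates them with issuer "LOCAL AUTHORITY" instead of the IdP entity id), so every requirement line comes out empty and "Issuer is a known Idp" is False. The claim type strings are the same values as Sustainsys.Saml2's Saml2ClaimTypes, copied so the file compiles without the package; the IdP entity id and SLO URL are assumed from the web.config above, and the claim values are constructed placeholders, not the library's real NameID encoding.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;

public static class FederatedLogoutDiagnostics
{
    // Claim types that Sustainsys.Saml2 adds at sign-in and reads back at logout.
    public const string LogoutNameIdentifier = "http://Sustainsys.se/Saml2/LogoutNameIdentifier";
    public const string SessionIndex = "http://Sustainsys.se/Saml2/SessionIndex";

    // Assumed values, lifted from the web.config in the issue (example data).
    const string IdpEntityId = "https://myadfs/adfs/services/trust";
    static readonly Dictionary<string, Uri> IdpSloUrls = new Dictionary<string, Uri>
    {
        [IdpEntityId] = new Uri("https://myadfs/adfs/ls/")
    };

    // Same requirements, in the same order, as the DEBUG line quoted in the issue.
    public static string CheckRequirements(ClaimsPrincipal user, bool spHasSigningCert, bool idpDisableOutbound)
    {
        Claim logoutNameId = user.FindFirst(LogoutNameIdentifier);
        Claim sessionIndex = user.FindFirst(SessionIndex);
        string issuer = logoutNameId?.Issuer;          // must be the IdP entity id
        bool knownIdp = issuer != null && IdpSloUrls.ContainsKey(issuer);
        Uri sloUrl = knownIdp ? IdpSloUrls[issuer] : null;

        var sb = new StringBuilder();
        sb.AppendLine("Initiating logout, checking requirements for federated logout");
        sb.AppendLine($"  Issuer of LogoutNameIdentifier claim (should be Idp entity id): {issuer}");
        sb.AppendLine($"  Issuer is a known Idp: {knownIdp}");
        sb.AppendLine($"  Session index claim (should have a value): {sessionIndex?.Value}");
        sb.AppendLine($"  Idp has SingleLogoutServiceUrl: {sloUrl}");
        sb.AppendLine($"  There is a signingCertificate in SPOptions: {spHasSigningCert}");
        sb.AppendLine($"  Idp configured to DisableOutboundLogoutRequests (should be false): {idpDisableOutbound}");
        bool ok = knownIdp && !string.IsNullOrEmpty(sessionIndex?.Value)
                  && sloUrl != null && spHasSigningCert && !idpDisableOutbound;
        sb.AppendLine($"  => federated logout possible: {ok}");
        return sb.ToString();
    }

    // Constructed stand-in for the principal right after the HttpModule has processed
    // the ACS response: the two state claims carry the IdP entity id as their Issuer.
    public static ClaimsPrincipal PrincipalAsIssuedBySaml2()
    {
        var id = new ClaimsIdentity("Federation", ClaimTypes.Name, ClaimTypes.Role);
        id.AddClaim(new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, IdpEntityId));
        id.AddClaim(new Claim(LogoutNameIdentifier, "nameid-state-placeholder", ClaimValueTypes.String, IdpEntityId));
        id.AddClaim(new Claim(SessionIndex, "_session-index-placeholder", ClaimValueTypes.String, IdpEntityId));
        return new ClaimsPrincipal(id);
    }

    // Lossy transformation: builds a new identity from "interesting" claims only.
    // The Saml2 state claims are never copied, and new Claim(type, value) would in
    // any case carry Issuer "LOCAL AUTHORITY", so the logout check finds nothing.
    public static ClaimsPrincipal LossyTransform(ClaimsPrincipal incoming)
    {
        var id = new ClaimsIdentity("Federation", ClaimTypes.Name, ClaimTypes.Role);
        id.AddClaim(new Claim(ClaimTypes.Name, incoming.Identity.Name));
        id.AddClaim(new Claim(ClaimTypes.Role, "AppUser"));
        return new ClaimsPrincipal(id);
    }

    // Preserving transformation: keep every incoming claim (Claim.Clone keeps Issuer
    // and OriginalIssuer), then add the application's own claims on top.
    public static ClaimsPrincipal PreservingTransform(ClaimsPrincipal incoming)
    {
        var id = new ClaimsIdentity(incoming.Claims.Select(c => c.Clone()),
                                    "Federation", ClaimTypes.Name, ClaimTypes.Role);
        id.AddClaim(new Claim(ClaimTypes.Role, "AppUser"));
        return new ClaimsPrincipal(id);
    }

    public static void Main()
    {
        ClaimsPrincipal fromSaml2 = PrincipalAsIssuedBySaml2();

        Console.WriteLine("After lossy transformation (reproduces the empty log lines):");
        Console.WriteLine(CheckRequirements(LossyTransform(fromSaml2), spHasSigningCert: true, idpDisableOutbound: false));

        Console.WriteLine("After preserving transformation:");
        Console.WriteLine(CheckRequirements(PreservingTransform(fromSaml2), spHasSigningCert: true, idpDisableOutbound: false));
    }
}
```

To use this as a check against a real deployment, feed the principal your transformation returns into CheckRequirements and compare with the principal it received: the first requirement line that goes empty tells you which claim (or which claim's Issuer) the transformation discarded. With the HttpModule the transformation usually lives in a ClaimsAuthenticationManager.Authenticate override configured under system.identityModel; if yours returns a newly constructed ClaimsPrincipal rather than the one it was given, copy the incoming claims with Clone() as in PreservingTransform so the LogoutNameIdentifier and SessionIndex claims, and their Issuer, survive into the session.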