Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

IDP-initiated backchannel SLO : How to hook handler on incoming SLO calls #1325

Closed IncoFB closed 2 years ago

IncoFB commented 2 years ago

Hello,

I managed to set up an ASP.NET web application with sustainsys with SAML2 authentication. I imported the sustainsys nuget package and configured everything in app's web.config file. Everything works as expected, including front-channel SLO.

Now I am trying to find a way to perform back-channel SLO (either IDP- or SP-initiated). As incoming "server-to-server" SLO calls are not relayed by any web browser, we are supposed to register SAML sessions somewhere (like in the application cache) to maintain a list of "invalid sessions". Also, in my application I would like to remove third-party cookies and session variables for a clean logout. This means we have to write additional server-side code for this logic, but I have no idea where to hook that logic into the sustainsys SAML client, and I found no sample code for this.

Could you help, please?

Thanks in advance

AndersAbel commented 2 years ago

The library does not support back-channel single logout. As you've figured out, that would require server-side session storage instead of just cookies. To implement it would be a major effort.

IncoFB commented 2 years ago

Hello Anders, thanks for your answer. Finally I came to terms with it. My question was rather about how to hook code into the existing notifications to react server-side on SAML session finalizations. Googling helped me find out that the right place is this event handler: Sustainsys.Saml2.Configuration.Options.FromConfiguration.Notifications.LogoutResponseCreated

I managed here to get the SAML session (from the request param property), even on back-channel calls, so as to release our session data attached to the SAML session at login time...
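The server-side bookkeeping this thread describes, written out as an added example for this page (it is not code from the Sustainsys project or from the poster). It assumes ASP.NET (System.Web) with the library configured from web.config via Options.FromConfiguration. The registry class, its method names and the attached application data are invented for the example. The parameter lists of the AcsCommandResultCreated and LogoutResponseCreated delegates are assumptions taken from the poster's description; compile against the Saml2Notifications class of the installed library version and adjust the lambda parameters if they differ. Saml2ClaimTypes.SessionIndex, Saml2ClaimTypes.LogoutNameIdentifier and Saml2LogoutRequest.SessionIndex are existing library members.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Saml2P;

// Registry of SAML sessions keyed by the IdP's SessionIndex. A back-channel
// LogoutRequest arrives without the browser's cookies, so this registry is the
// only place the application can find the session to tear down. The in-memory
// dictionaries are for a single node; use a shared store on a web farm.
public sealed class SamlSessionRegistry
{
    private readonly ConcurrentDictionary<string, object> active =
        new ConcurrentDictionary<string, object>(StringComparer.Ordinal);
    private readonly ConcurrentDictionary<string, DateTime> revoked =
        new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);

    // Attach application data (cache keys, third-party tokens, ...) to a SAML
    // session at login time. A re-login with the same SessionIndex un-revokes it.
    public void Register(string sessionIndex, object attachedData)
    {
        revoked.TryRemove(sessionIndex, out _);
        active[sessionIndex] = attachedData;
    }

    // Invalidate the session and hand back the attached data for clean-up.
    // Returns false when the SessionIndex was never registered here.
    public bool TryRevoke(string sessionIndex, out object attachedData)
    {
        revoked[sessionIndex] = DateTime.UtcNow;
        return active.TryRemove(sessionIndex, out attachedData);
    }

    // Must be consulted on every cookie-authenticated request: a back-channel
    // logout cannot clear the browser cookie, only this registry entry.
    public bool IsValid(string sessionIndex) =>
        sessionIndex != null && active.ContainsKey(sessionIndex) && !revoked.ContainsKey(sessionIndex);

    // Drop revocation records older than the SP cookie lifetime; after that
    // the cookie itself has expired and the record serves no purpose.
    public void Prune(TimeSpan cookieLifetime)
    {
        var cutoff = DateTime.UtcNow - cookieLifetime;
        foreach (var entry in revoked)
            if (entry.Value < cutoff) revoked.TryRemove(entry.Key, out _);
    }
}

public static class SamlSloHooks
{
    public static readonly SamlSessionRegistry Registry = new SamlSessionRegistry();

    // Call once at application start (Application_Start in Global.asax), after
    // the Sustainsys configuration has been loaded from web.config:
    //   SamlSloHooks.Wire(Options.FromConfiguration);
    public static void Wire(Options options)
    {
        // Login: record the SessionIndex the IdP asserted. The library exposes it
        // as a claim on the principal in the command result. The delegate
        // parameter list (CommandResult, Saml2Response) is an assumption.
        var previousAcs = options.Notifications.AcsCommandResultCreated;
        options.Notifications.AcsCommandResultCreated = (commandResult, saml2Response) =>
        {
            previousAcs?.Invoke(commandResult, saml2Response);
            ClaimsPrincipal principal = commandResult.Principal;
            var sessionIndex = principal?.FindFirst(Saml2ClaimTypes.SessionIndex)?.Value;
            var nameId = principal?.FindFirst(Saml2ClaimTypes.LogoutNameIdentifier)?.Value;
            if (sessionIndex != null)
                Registry.Register(sessionIndex, new { NameId = nameId, LoggedInAt = DateTime.UtcNow });
        };

        // Logout: runs when the library builds the LogoutResponse to an incoming
        // LogoutRequest, whether it came via the browser or server-to-server.
        // ASSUMPTION: the delegate receives (Saml2LogoutResponse, Saml2LogoutRequest,
        // IdentityProvider); verify against the installed Saml2Notifications.
        options.Notifications.LogoutResponseCreated = (logoutResponse, logoutRequest, idp) =>
        {
            var sessionIndex = logoutRequest.SessionIndex;
            if (sessionIndex == null) return;
            if (Registry.TryRevoke(sessionIndex, out var attachedData))
                ReleaseApplicationData(sessionIndex, attachedData);
        };
    }

    // Hypothetical application clean-up: remove server-side session variables,
    // cached third-party tokens and similar state tied to this SAML session.
    private static void ReleaseApplicationData(string sessionIndex, object attachedData)
    {
        System.Diagnostics.Trace.TraceInformation(
            "SAML session {0} logged out, releasing {1}", sessionIndex, attachedData);
    }
}
```

Registering the session on every login and revoking it from the notification only solves half of the problem: the browser that holds the SP cookie is not involved in a back-channel logout, so its cookie stays valid until it expires. An authorization filter therefore has to call Registry.IsValid(User.FindFirst(Saml2ClaimTypes.SessionIndex)?.Value) on each request and sign the user out locally when it returns false. Schedule Prune with the configured cookie lifetime so the revocation list does not grow without bound.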