Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Redirect back to SP after Single Logout #1459

Closed kevinmcody closed 3 months ago

kevinmcody commented 4 months ago

When using the Sustainsys Stub IDP (https://stubidp.sustainsys.com/), I set the SPOptions.EntityId field to the absolute URL of the SAML Authentication Scheme within my application (for example, https://localhost:5001/federation/StubSaml ). This causes the <Issuer> element in the login and logout request xml to be set to that URL.

When I initiate a Single Logout Request, I notice the Stub IDP generates a "SP Single Logout URL" of https://localhost:5001/federation/StubSaml/Logout . I'm nearly positive I did not actually specify that anywhere in my code; it seems the Stub IDP is inferring that from the <Issuer> element. This is actually exactly what I want, however. The Stub IDP redirects to my application after the logout is complete, and my application then tells the user they have been successfully logged out of both my app and the IDP.

My goal is to perform a similar workflow using a Microsoft Entra (Azure Active Directory) Application as the IDP. The key difference I've noticed with Microsoft is that they need me to set the SPOptions.EntityId field to spn: followed by the ApplicationID of the app registration I created for my SP in Entra. This ApplicationID is an auto-generated GUID, and I cannot change it to a URL.

Everything in the Microsoft Entra workflow functions, except that after I successfully log out of Entra, I am NOT redirected back to my application.

So my question is: Is there a way to include an extra "this is the logout URL of my application" sort of hint in the SAML logout request? Or, is this simply a limitation of the SAML workflow using Microsoft Entra?

AndersAbel commented 4 months ago

I'm nearly positive I did not actually specify that anywhere in my code; it seems the Stub IDP is inferring that from the <Issuer> element.

Yes, you are correct. The Stub Idp creates it from the issuer according to how the Sustainsys.Saml2 library works. There is unfortunately no way to include the requested response URL in the Logout Request, so this is the best I could do.

The reason that Entra ID adds the spn: prefix is that Saml2 requires the entity Id of the application (i.e. Service Provider, to use the Saml2 terminology) to be an absolute URI. If the value entered is not an absolute URI, Entra Id will prefix it with spn:, which is enough to make it follow the rules for an absolute URI. This can however cause further issues in validation code. I would strongly recommend configuring your application with an Entity Id that is an absolute URI so that it is not modified by Entra Id.
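The configuration the answer recommends, as an added example that is not part of the issue thread or of the Sustainsys.Saml2 project's own code: an ASP.NET Core startup that gives the Service Provider an absolute-URI EntityId equal to the public URL of the Saml2 endpoint. With the EntityId and ModulePath kept in step, an IdP that derives the SP's logout endpoint from `<Issuer>` (as the Stub IDP does) lands on the library's real `.../Logout` endpoint, and Entra ID has no reason to rewrite the value with an `spn:` prefix. The base URL, the module path, the certificate file name and the Stub IDP metadata address are assumptions for illustration; substitute your own values.

```csharp
// Added example (not from the issue or the Sustainsys.Saml2 project).
// Assumes Sustainsys.Saml2.AspNetCore2 and an SP signing certificate on disk.
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Cookies;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

var builder = WebApplication.CreateBuilder(args);

// Assumed values: the application's public base URL and the path the Saml2
// handler is mounted on. Both must match what the IdP actually sees, because
// the IdP has only the <Issuer> value to work from.
const string AppBaseUrl = "https://localhost:5001";
const string Saml2Path = "/federation/StubSaml";

builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = Saml2Defaults.Scheme;
})
.AddCookie()
.AddSaml2(Saml2Defaults.Scheme, opt =>
{
    // Absolute URI, not a bare name, so Entra ID leaves it unmodified and any
    // validation code that expects an absolute URI keeps working.
    opt.SPOptions.EntityId = new EntityId(AppBaseUrl + Saml2Path);

    // Keep ModulePath identical to the path part of the EntityId so the
    // library's own endpoints (.../Acs, .../Logout, .../Metadata) sit under
    // the same URL an IdP infers from <Issuer>.
    opt.SPOptions.ModulePath = Saml2Path;

    // A service certificate is required before the library will sign
    // LogoutRequests; "sp.pfx" and the password are placeholders.
    opt.SPOptions.ServiceCertificates.Add(
        new X509Certificate2("sp.pfx", "<password placeholder>"));

    // Where the user lands in this app after the logout round-trip completes.
    opt.SPOptions.ReturnUrl = new Uri(AppBaseUrl + "/signed-out");

    // Stub IDP registration. The metadata address is assumed; check the
    // Stub IDP's published metadata for the real entity id.
    opt.IdentityProviders.Add(new IdentityProvider(
        new EntityId("https://stubidp.sustainsys.com/Metadata"), opt.SPOptions)
    {
        LoadMetadata = true,
    });
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/signed-out", () => "You have been signed out of this app and the IdP.");
app.Run();
```

The design point is the pairing of `EntityId` and `ModulePath`: the library publishes its SingleLogoutService at `{ModulePath}/Logout`, so if the EntityId is the absolute URL of that module, an IdP that builds the SP logout URL as "issuer + /Logout" arrives at a live endpoint. For an IdP that does not infer the endpoint this way, the same configuration still declares the correct SingleLogoutService in the SP metadata served at `{ModulePath}/Metadata`, which is the value to import on the IdP side.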