Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

SP-initiated Single logout in Owin #627

Closed vidarkongsli closed 7 years ago

vidarkongsli commented 7 years ago

I am struggling a bit setting up SP-initiated single logout with Owin. My IdP exposes the logout endpoint like this:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.....local/id/saml2/SingleLogout"/>

I have set up authservices to load the metadata from the metadata uri, and I trigger logout from my controller like this:

var ctx = Request.GetOwinContext();
ctx.Authentication.SignOut();
return Redirect("/");

I set the breakpoint on the LogoutCommandResultCreated and find that it does not redirect the browser to the IdP as expected. What could be the cause of this?

explunit commented 7 years ago

Is it possible that the original claims (e.g. session index) needed for single logout were not retained? See the conditions that are checked here:

https://github.com/KentorIT/authservices/blob/v0.19.0/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L128-L133

vidarkongsli commented 7 years ago

You are right, the claims are not retained. But why could that be? Do I need to take care to store them?

vidarkongsli commented 7 years ago

The problem was that the IdP did not include a SessionIndex attribute in the authentication statement.

AndersAbel commented 7 years ago

A note for anyone finding this and having similar issues: The SAML2 standard states that there must be a SessionIndex when doing single logout.

dmitreyg commented 6 years ago

The SAML2 standard states that there must be a SessionIndex when doing single logout

Could you provide the link? Per https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf it is optional, or am I reading it wrong?

3.7.1
2545: <SessionIndex> [Optional]
The identifier that indexes this session at the message recipient.

AndersAbel commented 6 years ago

Yes, the SessionIndex is optional in the protocol messages defined in core. But in the profile spec (https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf), where the usage of the protocol messages in various cases is detailed, it is stated as required in section 4.1.4.2 (Web Browser SSO Profile / Use of Authentication Request Protocol / Usage).

If the identity provider supports the Single Logout profile, defined in Section 4.4, any authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider.

Note that this sentence is not included in the original version of the specification. For all development of this library, I've been using the latest errata versions, as instructed on https://wiki.oasis-open.org/security/FrontPage#SAMLV2.0Standard
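The two points made in this thread, that the logout command checks whether the session still carries the claims it needs and that the IdP's authentication statement must supply a SessionIndex for per-session logout, can be illustrated with a small, added example. It is not code from Sustainsys/Kentor AuthServices; it models the preconditions described above in plain Python over two constructed assertions (one with a SessionIndex, one without), and shows why the LogoutRequest cannot be built when the attribute is missing. The entity ids, endpoint URL and ids in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

# Constructed sample assertions (placeholders, not taken from the issue).
# Only the parts that matter for single logout are filled in; signatures
# and conditions are omitted for brevity.
ASSERTION_WITH_SESSION_INDEX = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_assertion-1" Version="2.0"
                IssueInstant="2017-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/id</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-123</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2017-01-01T00:00:00Z" SessionIndex="_sess-42">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Same assertion as the IdP in the thread sent it: no SessionIndex attribute.
ASSERTION_WITHOUT_SESSION_INDEX = ASSERTION_WITH_SESSION_INDEX.replace(
    ' SessionIndex="_sess-42"', "")


def extract_logout_claims(assertion_xml):
    """Pull out the values an SP has to retain from the login in order to
    start SP-initiated single logout later: the issuing IdP, the subject's
    NameID (with its Format) and the SessionIndex of the AuthnStatement.
    (For untrusted XML in production, parse with defusedxml instead.)"""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "session_index": authn.get("SessionIndex") if authn is not None else None,
    }


def can_initiate_single_logout(claims, idp_has_slo_endpoint):
    """Model of the preconditions discussed in the thread: the IdP must
    publish a SingleLogoutService endpoint and the session must still hold
    issuer, NameID and SessionIndex. Returns (ok, list_of_missing_items)."""
    missing = [k for k in ("issuer", "name_id", "session_index") if not claims.get(k)]
    if not idp_has_slo_endpoint:
        missing.append("slo_endpoint")
    return (not missing, missing)


def build_logout_request(claims, destination, sp_entity_id,
                         request_id="_constructed-logout-1",
                         issue_instant="2017-01-01T00:05:00Z"):
    """Build the (unsigned) samlp:LogoutRequest the SP would send to the
    IdP's SingleLogoutService. Raises if the retained claims are incomplete,
    which is the situation the thread describes: without a SessionIndex the
    IdP has no way to identify which session to terminate."""
    ok, missing = can_initiate_single_logout(claims, destination is not None)
    if not ok:
        raise ValueError("cannot start single logout, missing: " + ", ".join(missing))
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    # Issuer of the LogoutRequest is the SP, not the IdP that issued the assertion.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    name_id = ET.SubElement(req, f"{{{SAML}}}NameID",
                            {"Format": claims["name_id_format"]})
    name_id.text = claims["name_id"]
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = claims["session_index"]
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    slo_url = "https://idp.example.test/id/saml2/SingleLogout"  # constructed
    for label, xml in (("with", ASSERTION_WITH_SESSION_INDEX),
                       ("without", ASSERTION_WITHOUT_SESSION_INDEX)):
        claims = extract_logout_claims(xml)
        ok, missing = can_initiate_single_logout(claims, True)
        print(f"assertion {label} SessionIndex -> logout possible: {ok}, missing: {missing}")
        if ok:
            print(build_logout_request(claims, slo_url, "https://sp.example.test"))
```

Running the block prints that the first assertion allows logout and emits a LogoutRequest carrying the SessionIndex, while the second reports `missing: ['session_index']`, which is the silent no-redirect outcome the original poster observed, surfaced as an explicit reason.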

dmitreyg commented 6 years ago

Thank you. It makes sense that an SP-initiated logout request must include a session index; otherwise, how can the IdP find the required session to end?