Closed vidarkongsli closed 7 years ago
Is it possible that the original claims (e.g. session index) needed for single logout were not retained? See the conditions that are checked here:
You are right, the claims are not retained. But why could that be? Do I need to take care to store them?
The problem was that the IdP did not include a SessionIndex attribute in the authentication statement.
A note for anyone finding this and having similar issues: The SAML2 standard states that there must be a SessionIndex when doing single logout.
The SAML2 standard states that there must be a SessionIndex when doing single logout
Could you provide the link? Per https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf it is optional, or am I reading it wrong?
3.7.1
2545: <SessionIndex> [Optional]
The identifier that indexes this session at the message recipient.
Yes, the SessionIndex is optional in the protocol messages defined in core. But in the profile spec (https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf), where usage of the protocol messages in various cases is detailed, it is stated as required in section 4.1.4.2 (Web Browser SSO Profile/Use of Authentication Request Protocol/
If the identity provider supports the Single Logout profile, defined in Section 4.4, any authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider.
Note that this sentence is not included in the original version of the specification. For all development of this library, I've been using the latest errata versions, as instructed on https://wiki.oasis-open.org/security/FrontPage#SAMLV2.0Standard
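As an added illustration of the point made in this comment (example code written for this thread, not code from the Sustainsys/Kentor AuthServices project or from any participant), the snippet below checks an IdP Response for the SessionIndex that SP-initiated Single Logout depends on, and refuses to build a LogoutRequest without one. The sample XML, issuer URLs, IDs and timestamps are constructed; signatures and encryption are omitted.

```python
"""Check SAML 2.0 messages for the SessionIndex needed by Single Logout.

Constructed example; not code from the AuthServices project.
Sample XML below is hand-written and unsigned for brevity.
"""
import xml.etree.ElementTree as ET
from typing import List

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed sample: an IdP Response whose AuthnStatement carries SessionIndex,
# as the profiles errata requires when the IdP supports Single Logout.
RESPONSE_WITH_INDEX = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2017-01-01T00:00:00Z" SessionIndex="_sess-1"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same Response with SessionIndex left out, which is
# the situation described in the thread (valid per core, unusable for SLO).
RESPONSE_WITHOUT_INDEX = (
    RESPONSE_WITH_INDEX.replace(' SessionIndex="_sess-1"', "")
    .replace('ID="_a1"', 'ID="_a2"')
)


def session_indexes(response_xml: str) -> List[str]:
    """SessionIndex values found on AuthnStatements in a Response."""
    root = ET.fromstring(response_xml)
    return [
        stmt.get("SessionIndex")
        for stmt in root.iterfind(".//saml:AuthnStatement", NS)
        if stmt.get("SessionIndex")
    ]


def assertions_missing_session_index(response_xml: str) -> List[str]:
    """IDs of assertions with an AuthnStatement that lacks SessionIndex.

    An empty list means the SP has what it needs to address the IdP session
    later in a per-session LogoutRequest.
    """
    root = ET.fromstring(response_xml)
    missing = []
    for assertion in root.iterfind(".//saml:Assertion", NS):
        for stmt in assertion.iterfind("saml:AuthnStatement", NS):
            if not stmt.get("SessionIndex"):
                missing.append(assertion.get("ID", "<no ID>"))
                break
    return missing


def build_logout_request(issuer: str, name_id: str, session_index: str,
                         request_id: str, issue_instant: str) -> str:
    """Serialise an (unsigned) samlp:LogoutRequest; refuse to omit SessionIndex."""
    if not session_index:
        raise ValueError("SessionIndex is required for per-session logout")
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": request_id, "Version": "2.0",
                      "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def logout_request_session_indexes(request_xml: str) -> List[str]:
    """SessionIndex values carried by a LogoutRequest (the IdP side's lookup key)."""
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return [e.text for e in root.findall("samlp:SessionIndex", NS)]


if __name__ == "__main__":
    print("missing in good response:", assertions_missing_session_index(RESPONSE_WITH_INDEX))
    print("missing in bad response: ", assertions_missing_session_index(RESPONSE_WITHOUT_INDEX))
    idx = session_indexes(RESPONSE_WITH_INDEX)[0]
    print(build_logout_request("https://sp.example.test/", "alice", idx,
                               "_req1", "2017-01-01T00:10:00Z"))
```

Running `assertions_missing_session_index` at login time, before the SP stores the session, surfaces the misconfiguration described in this thread immediately rather than as a silent non-redirect when logout is attempted later.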
Thank you. It makes sense that an SP-initiated logout request must include the session index; otherwise, how can the IdP find the required session to end?
I am struggling a bit setting up SP-initiated single logout with Owin. My IdP exposes the logout endpoint like this:
I have set up authservices to load the metadata from the metadata uri, and I trigger logout from my controller like this:
I set the breakpoint on the LogoutCommandResultCreated and find that it does not redirect the browser to the IdP as expected: What could be the cause of this?