Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Single logout issue #692

Closed seemadas123 closed 7 years ago

seemadas123 commented 7 years ago

I'm facing some issues with the single logout action using Kentor AuthServices.

I have implemented it this way; let me know if I'm missing any configuration to achieve single logout. From the application we kill all sessions and cookies and redirect to the Kentor API ~/AuthServices/Logout. So when I test logout, it doesn't really send a SAML logout request to the IdP; the user is still active on the IdP side.

When we set a different certificate file in the section, single sign-on is getting disturbed. But my understanding is that this section is only for single logout. Please let me know if I'm missing anything.

explunit commented 7 years ago

You probably don't want to kill all the cookies before starting the logout flow, as you will need some of the original claims (e.g. session index) in order for the identity provider to accept your logout request. For example, see the conditions checked here: https://github.com/KentorIT/authservices/blob/v0.21.1/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L155-L170

You'll also notice in that code that the latest version has more logging available, so you can use that information to determine the cause of your issue.

seemadas123 commented 7 years ago

Thanks for the quick help! I'm still facing issues in order to achieve logout functionality in my application. I do have the following questions:

1) Is it mandatory to use the Kentor.AuthServices.Tests.pfx certificate file for logout? If yes, how do we get the private key in order to export this to our identity provider?

We created our own X.509 certificate using openssl and set it in the serviceCertificates section, which is affecting sign-in functionality.

2) I also tried just redirecting to /authservices/logout when the logout link is clicked. Still, I get the user authenticated back without the user being logged out from the application.

Please let me know if I'm missing any important configuration for logout functionality.

seemadas123 commented 7 years ago

We are using Okta as the identity provider, which supports only HttpPost for SingleLogout. When I use the HttpPost binding, single sign-on is not working. So is there a way to configure HttpPost only for the logout request?

AndersAbel commented 7 years ago

Don't use the Kentor.AuthServices.Tests.pfx certificate in production. Create your own certificate.

There is an option SingleLogoutServiceBinding on the idp that you can use to set the logout binding without affecting sign-on.
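
An added example (not code from this issue or from the Kentor.AuthServices project) of code-based configuration that keeps the sign-on binding and the single-logout binding separate, as described in the comment above. It assumes the code-based configuration API of Kentor.AuthServices at the time: an `IdentityProvider` with `Binding` and `SingleLogoutServiceBinding` properties of type `Saml2BindingType`, `SPOptions.ServiceCertificates` taking `ServiceCertificate` entries, `Options(spOptions)` and `options.IdentityProviders.Add(idp)`. The entity IDs, URLs and thumbprint are placeholders, and the SP certificate is loaded from the machine store instead of the test .pfx that ships with the project.

```csharp
using System;
using System.IdentityModel.Metadata;
using System.Security.Cryptography.X509Certificates;
using Kentor.AuthServices;
using Kentor.AuthServices.Configuration;
using Kentor.AuthServices.WebSso;

public static class Saml2Config
{
    // Placeholder values; replace with your own SP entity id and the IdP's values.
    const string SpEntityId = "https://sp.example.com/AuthServices";
    const string IdpEntityId = "http://www.okta.com/PLACEHOLDER-IDP-ENTITY-ID";
    const string ServiceCertThumbprint = "PLACEHOLDER-SP-CERT-THUMBPRINT";

    // Builds the AuthServices options. idpSigningCert is the IdP's public
    // signing certificate (downloaded from the IdP), not the SP's own key.
    public static Options BuildOptions(X509Certificate2 idpSigningCert)
    {
        var spOptions = new SPOptions
        {
            EntityId = new EntityId(SpEntityId),
        };

        // The SP's own certificate (with private key) signs LogoutRequests and
        // decrypts assertions. Loaded from the store rather than from
        // Kentor.AuthServices.Tests.pfx, which must never be used in production.
        spOptions.ServiceCertificates.Add(new ServiceCertificate
        {
            Certificate = LoadServiceCertificate(ServiceCertThumbprint),
            Use = CertificateUse.Both,
        });

        var idp = new IdentityProvider(new EntityId(IdpEntityId), spOptions)
        {
            // Sign-on keeps the HttpRedirect binding...
            Binding = Saml2BindingType.HttpRedirect,
            SingleSignOnServiceUrl = new Uri("https://idp.example.com/sso/saml"),
            // ...while single logout is sent with HttpPost, the only binding
            // the IdP in this thread accepts for SingleLogout.
            SingleLogoutServiceUrl = new Uri("https://idp.example.com/slo/saml"),
            SingleLogoutServiceBinding = Saml2BindingType.HttpPost,
            AllowUnsolicitedAuthnResponse = true,
        };

        // Without the IdP's signing key, signed responses from the IdP are rejected.
        idp.SigningKeys.AddConfiguredKey(idpSigningCert);

        var options = new Options(spOptions);
        options.IdentityProviders.Add(idp);
        return options;
    }

    // Assumed helper: loads the SP certificate, including its private key,
    // from the LocalMachine personal store by thumbprint.
    static X509Certificate2 LoadServiceCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
            {
                throw new InvalidOperationException(
                    "Service certificate not found in LocalMachine/My store");
            }
            return found[0];
        }
    }
}
```

With this in place, the application's own logout action should redirect to ~/AuthServices/Logout without first clearing the session, since, as explunit notes above, the library needs the original claims (such as the session index) to build a LogoutRequest the IdP will accept.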

seemadas123 commented 7 years ago

I have tried configuring SingleLogoutServiceBinding in web.config but it didn't work.

Can you please guide me how the configuration should be set in web.config?

AndersAbel commented 7 years ago

@seemadas123 You need to be more specific than "it didn't work".