The Rock Solid Knowledge SAML Service Provider component supports two flavors of SAML Single Logout (SLO) Protocol:
- SP-initiated SLO, where the SP can initiate single logout for all parties in the current session (other SPs).
- IdP-initiated SLO, where the IdP sends a logout request to all the service providers in the current session.
This page covers the SLO implementation details. For a more high-level overview of SAML SLO, check out our article, The Challenge of Building SAML Single Logout.
SLO Configuration Options
You must set the following configuration options (Saml2pAuthenticationOptions) to support SLO in your Service Provider.
- IdentityProviderOptions.SingleLogoutEndpoint: This is the IdP SLO endpoint where the SAML logout requests and responses will be sent to.
- SignedOutCallbackPath: This is your SLO endpoint, where the IdP will send logout requests and responses to.
- SignOutScheme: The authentication scheme to use for SignOut. This should be the main cookie that you sign the user into. The user's unique identifier (NameID), which is required for the SAML SLO protocol, is extracted from this cookie.
Optional configuration includes:
- NameIdClaimType: This is the claim type of the logged-in user's NameID. This claim type is searched for in the SignOutScheme when generating logout requests and is included in the request. It is also used for validating incoming logout requests. Defaults to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
- RequireAuthenticatedUserForLogoutRequests: Indicates if an authenticated user is required for logout requests. When true, incoming logout request validation will fail if a user is not currently signed in. Defaults to false.
Check out the SP configuration options for more details.
.AddSaml2p("saml2p", options =>
{
    // Other configuration code removed for brevity

    /* Required */
    options.IdentityProviderOptions = new IdpOptions
    {
        // Where our logout requests and responses are sent (HTTP-Redirect binding)
        SingleLogoutEndpoint = new SamlEndpoint("https://idp-slo", SamlBindingTypes.HttpRedirect)
    };
    options.SignedOutCallbackPath = "/saml-signout"; // our SLO endpoint, used by the IdP
    options.SignOutScheme = "idsrv";                 // the cookie scheme holding the NameID

    /* Optional */
    options.NameIdClaimType = "sub";
    options.RequireAuthenticatedUserForLogoutRequests = false;
});
Triggering SP-Initiated SLO
To trigger logout, you simply need to call ASP.NET Core signout functionality on the authentication scheme.
public IActionResult Logout()
{
    // Sign out of the local cookie scheme first, then the external SAML scheme
    return SignOut(new AuthenticationProperties { RedirectUri = "/" }, "idsrv", "saml2p");
}
Here, "idsrv" is the local authentication scheme that the user is signed into and "saml2p" is the external SAML authentication scheme.
When SignOut is called, ASP.NET Core will clear the local cookie and initiate the external SAML logout.
The SAML authentication middleware will send a SAML logout request to the partner IdP.
Once signout is completed, the user will be redirected to the path specified as the RedirectUri.
Example SAML logout request
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_9088cb8766164b149e63358b92ece1c3"
                      Version="2.0"
                      IssueInstant="2020-05-11T20:24:11Z"
                      Destination="https://idp.identityserver.com/saml/slo"
                      NotOnOrAfter="2020-05-11T20:26:11Z"
                      Reason="urn:oasis:names:tc:SAML:2.0:logout:user">
    <saml2:Issuer>https://sp.identityserver.com/saml</saml2:Issuer>
    <saml2:NameID>d65a1ecb97404a988c0b9c18cc915e3b</saml2:NameID>
</saml2p:LogoutRequest>
The SAML logout request needs to contain the NameID of the user that is requesting logout.
We get the current user from the cookie you specify as the SignOutScheme in your startup configuration.
This means that the user must be signed in when SAML logout is initiated.
The ASP.NET Core SignOut method can take multiple schemes to process sequentially. ASP.NET Core will generate the logout requests for all the provided schemes before executing them. Using this approach avoids any execution order issues between local and external signouts.
Handling IdP-Initiated SLO
In this scenario, the IdP sends you a SAML logout request. Our SAML Service Provider component can handle incoming SAML logout requests out-of-the-box.
When we receive a valid SAML logout request, we end the user session by deleting the cookie specified as the SignOutScheme, and return a SAML logout response to the identity provider.
The incoming logout request contains the NameID of the user requesting logout at the IdP. This NameID needs to be validated against the currently signed-in user in your application.
If no user is currently authenticated in your application, the request validation will fail unless the RequireAuthenticatedUserForLogoutRequests configuration option is set to false.
Example SAML logout response
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                       ID="_145745962cdb411d91d80967fb082643"
                       Version="2.0"
                       IssueInstant="2020-05-11T20:26:36Z"
                       Destination="https://sp.identityserver.com/signout-saml"
                       InResponseTo="_9088cb8766164b149e63358b92ece1c3">
    <saml2:Issuer>https://idp.identityserver.com</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
</saml2p:LogoutResponse>
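The following is an added illustration, written for this page and not the Rock Solid Knowledge component's code, of the IdP-initiated checks described above (issuer, destination, NotOnOrAfter, NameID against the signed-in user, and the RequireAuthenticatedUserForLogoutRequests rule) and of the LogoutResponse that answers the request with a matching InResponseTo. The sample request, hosts and the "now" timestamp are constructed for the example; signature verification of the incoming message is outside what it shows.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed sample: an IdP-initiated request addressed to the SP's SignedOutCallbackPath.
SAMPLE_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="%s" xmlns:saml2="%s"
    ID="_9088cb8766164b149e63358b92ece1c3" Version="2.0"
    IssueInstant="2020-05-11T20:24:11Z" Destination="https://sp.example/saml-signout"
    NotOnOrAfter="2020-05-11T20:26:11Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user">
  <saml2:Issuer>https://idp.example</saml2:Issuer>
  <saml2:NameID>d65a1ecb97404a988c0b9c18cc915e3b</saml2:NameID>
</saml2p:LogoutRequest>""" % (NS["saml2p"], NS["saml2"])

def parse_utc(stamp):
    """Parse a SAML UTC timestamp such as 2020-05-11T20:26:11Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def validate_logout_request(xml_text, idp_issuer, slo_url, current_name_id,
                            require_authenticated_user, now):
    """Return (ok, reason). current_name_id is None when no user is signed in locally."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml2:Issuer", namespaces=NS) != idp_issuer:
        return False, "unexpected issuer"
    if root.get("Destination") != slo_url:          # must be our SLO endpoint
        return False, "destination mismatch"
    expiry = root.get("NotOnOrAfter")
    if expiry and now >= parse_utc(expiry):
        return False, "request expired"
    if current_name_id is None:
        # RequireAuthenticatedUserForLogoutRequests decides whether this is a failure
        return (not require_authenticated_user), "no local session"
    if root.findtext("saml2:NameID", namespaces=NS) != current_name_id:
        return False, "NameID does not match the signed-in user"
    return True, "ok"

def build_logout_response(request_xml, response_id, sp_issuer, destination, ok, now):
    """LogoutResponse for request_xml; InResponseTo is bound to the request's ID."""
    ET.register_namespace("saml2p", NS["saml2p"])
    ET.register_namespace("saml2", NS["saml2"])
    resp = ET.Element("{%s}LogoutResponse" % NS["saml2p"], {
        "ID": response_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "Destination": destination,
        "InResponseTo": ET.fromstring(request_xml).get("ID")})
    ET.SubElement(resp, "{%s}Issuer" % NS["saml2"]).text = sp_issuer
    status = ET.SubElement(resp, "{%s}Status" % NS["saml2p"])
    ET.SubElement(status, "{%s}StatusCode" % NS["saml2p"], {"Value": SUCCESS if ok else REQUESTER})
    return ET.tostring(resp, encoding="unicode")
```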