Single Logout | SAML2P Documentation

SP Single Logout (SLO)

The Rock Solid Knowledge SAML IdP component supports two flavors of SAML Single Logout Protocol:

SP-initiated SLO where the SP can initiate single logout for all parties in the current session (other SPs)
IdP-initiated SLO where logout from the IdP initiates single logout for all parties in the current session

SP-initiated SLO is fairly self-explanatory and is similar to the approach that we see with OpenID Connect. However, instead of the IdP simply returning the user to a pre-agreed endpoint, a SAML IdP returns a logout response that looks something like the following:

<saml2p:LogoutResponse 
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c058b37f05484e8584bbd88c73112d59"
  Version="2.0"
  IssueInstant="2019-05-08T13:34:43Z"
  Destination="http://localhost:5001/signout-saml"
  InResponseTo="_22519c5b56b34e57a483427604566171">
   <saml2:Issuer>http://localhost:5000</saml2:Issuer>
   <saml2p:Status>
      <saml2p:StatusCode
  Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </saml2p:Status>
</saml2p:LogoutResponse>

This response will be signed using IdentityServer4's signing key, and can be sent using either the Redirect or POST bindings.

The Service Provider SLO endpoint to return the response to uses the following order of precedence:

The endpoint marked as default
The first endpoint with a Redirect binding
Any other endpoint

Triggering SP-Initiated SLO

To start SP-Initiated SLO, a valid SAML logout request must be sent to IdentityServer. This request must contain the correct Name ID (IdentityServer subject) for the currently logged in user.

SP-Initiated SLO is then facilitated by the GetLogoutCompletionUrl method on the SAML interaction service, ISamlInteractionService. This method will take the current SAML request ID and, if necessary, return a URL that can be used as a post-logout redirect URL.

See below for a modified Logout method from the IdentityServer4 QuickStart UI (post-confirmation page):

public async Task<IActionResult> Logout(LogoutInputModel model)
{
    // build a model so the logged out page knows what to display
    var vm = await _account.BuildLoggedOutViewModelAsync(model.LogoutId);

    var user = HttpContext.User;
    if (user?.Identity.IsAuthenticated == true)
    {
        // delete local authentication cookie
        await HttpContext.SignOutAsync();

        // raise the logout event
        await _events.RaiseAsync(new UserLogoutSuccessEvent(user.GetSubjectId(), user.GetDisplayName()));

        if (requestId != null)
        {
            var returnUrl = await samlInteractionService.GetLogoutCompletionUrl(requestId);

            vm.AutomaticRedirectAfterSignOut = true;
            vm.PostLogoutRedirectUri = returnUrl; // SAML logout completion endpoint
        }
    }

    return View("LoggedOut", vm);
}

The parameter for the SAML request ID can be set in the UserInteraction settings on your SamlIdpOptions.

IdentityServer will initiate OpenID Connect or WS-Federation logout requests if a Client record contains values for FrontChannelLogoutUri or BackChannelLogoutUri. To prevent unnecessary requests made to SAML Service Providers, ensure that the Service Provider’s client record does not contain values for these properties.

Previous Next