Single Logout | SAML2P Documentation

The Rock Solid Knowledge SAML Service Provider component supports two flavors of SAML Single Logout (SLO) Protocol:

SP-initiated SLO where the SP can initiate single logout for all parties in the current session (other SPs).
IdP-initiated SLO where the IdP sends a logout request to all the service providers in the current session

This page covers the SLO implementation details. For a more high-level overview of SAML SLO, check out our article, The Challenge of Building SAML Single Logout.

SLO Configuration Options

You must set the following configuration options (Saml2pAuthenticationOptions) to support SLO in your Service Provider.

IdentityProviderOptions.SingleLogoutEndpoint: This is the IdP SLO endpoint where the SAML Logout requests and responses will be sent to
SignedOutCallbackPath: This is your SLO endpoint, where the IdP will send logout requests and responses to
SignOutScheme: The authentication scheme to use for SignOut. This should be the main cookie that you sign the user into. The user's unique identifier (NameID) is required for the SAML SLO protocol, which will be extracted from this cookie

Optional configuration includes:

NameIdClaimType: This is the claim type of the logged-in user's NameID. This claim type is searched for in the SignOutScheme when generating logout requests and included in the request. It is also used for validating incoming logout requests. Defaults to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
RequireAuthenticatedUserForLogoutRequests: Indicates if an authenticated user is required for logout requests. When true, incoming logout request validation will fail if a user is not currently signed in. Defaults to false

Check out the SP configuration options for more details.

.AddSaml2p("saml2p", options =>
{
    // Other configuration code removed for brevity

    /* Required */
    options.IdentityProviderOptions = new IdpOptions
    {
        SingleLogoutEndpoint = new SamlEndpoint("https://idp-slo", SamlBindingTypes.HttpRedirect)
    };

    options.SignedOutCallbackPath = "/saml-signout";
    options.SignOutScheme = "idsrv";

    /* Optional */
    options.NameIdClaimType = "sub";
    options.RequireAuthenticatedUserForLogoutRequests = false;
});

Triggering SP-Initiated SLO

To trigger logout, you simply need to call ASP.NET Core signout functionality on the authentication scheme.

public IActionResult Logout()
{
    return SignOut(new AuthenticationProperties {RedirectUri = "/"}, "idsrv", "saml2p");
}

Here, the "idsrv" is the local authentication scheme that the user is signed into and "saml2p" is the external SAML authentication scheme.

When SignOut is called, ASP.NET Core will clear the local cookie and initiate the external SAML logout. The SAML authentication middleware will send a SAML logout request to the partner IdP. Once signout is completed, the user will be redirected to the path specified as the RedirectUri.

Example SAML logout request

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"  
   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
   ID="_9088cb8766164b149e63358b92ece1c3" 
   Version="2.0" 
   IssueInstant="2020-05-11T20:24:11Z" 
   Destination="https://idp.identityserver.com/saml/slo" 
   NotOnOrAfter="2020-05-11T20:26:11Z" 
   Reason="urn:oasis:names:tc:SAML:2.0:logout:user"> 
  <saml2:Issuer>https://sp.identityserver.com/saml</saml2:Issuer> 
  <saml2:NameID>d65a1ecb97404a988c0b9c18cc915e3b</saml2:NameID> 
</saml2p:LogoutRequest>

The SAML logout request needs to contain the NameID of the user that is requesting logout. We get the current user from the cookie you specify as the SignoutScheme in your startup configuration. This means that the user must be signed in when SAML logout is initiated.

The ASP.NET Core SignOut method can take multiple schemes to process sequentially. ASP.NET Core will generate the logout requests for all the provided schemes before executing them. Using this approach avoids any execution order issues between local and external signouts.

Handling IdP-Initiated SLO

In this scenario, the IdP sends you a SAML logout request. Our SAML Service Provider component can handle incoming SAML logout requests out-of-the-box.

When we receive a valid SAML logout request, we end the user session by deleting the cookie specified as the SignoutScheme, and return a SAML logout response to the identity provider.

The incoming logout request contains the NameID format of the user requesting logout at IdP. This NameID needs to be validated against the currently signed-in user in your application. If no user is currently authenticated in your application, the request validation will fail unless the RequireAuthenticatedUserForLogoutRequests configuration option is set to false.

Example SAML logout response

<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"  
   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
   ID="_145745962cdb411d91d80967fb082643" 
   Version="2.0" 
   IssueInstant="2020-05-11T20:26:36Z" 
   Destination="https://sp.identityserver.com/signout-saml" 
   InResponseTo="_9088cb8766164b149e63358b92ece1c3"> 
  <saml2:Issuer>https://idp.identityserver.com</saml2:Issuer> 
  <saml2p:Status> 
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> 
  </saml2p:Status> 
</saml2p:LogoutResponse>

Previous Next