Sustainsys.Saml2.AspNetCore2 v2.9.1
I started from the DuendeDynamicProviders sample found here:
https://github.com/Sustainsys/Saml2.Sample
I am trying to get single signout working. After calling the Signout method in the Logout page, like so:
return SignOut(new AuthenticationProperties { RedirectUri = url }, idp);
I see the following in the log:
[16:32:39 Information] Sustainsys.Saml2.AspNetCore2.Saml2Handler
Federated logout not possible, redirecting to post-logout
I did some googling, and most solutions involved making sure the following claims were carried over from the external user to the local user:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- http://Sustainsys.se/Saml2/LogoutNameIdentifier
- http://Sustainsys.se/Saml2/SessionIndex
I accomplished this by modifying the CaptureExternalLoginContext method in the ExternalLogin/Callback page, like so:

// Carry the SAML2 logout-related claims from the external principal into the local claim set.
var nameIdentifierClaim = externalResult.Principal.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
if (nameIdentifierClaim != null)
{
    localClaims.Add(new Claim(ClaimTypes.NameIdentifier, nameIdentifierClaim.Value));
}

// Sustainsys-specific claim identifying the subject to name in the LogoutRequest.
var logoutNameIdentifierClaim = externalResult.Principal.Claims.FirstOrDefault(x => x.Type == "http://Sustainsys.se/Saml2/LogoutNameIdentifier");
if (logoutNameIdentifierClaim != null)
{
    localClaims.Add(new Claim("http://Sustainsys.se/Saml2/LogoutNameIdentifier", logoutNameIdentifierClaim.Value));
}

// Sustainsys-specific claim carrying the IdP session index from the assertion.
var sessionIndexClaim = externalResult.Principal.Claims.FirstOrDefault(x => x.Type == "http://Sustainsys.se/Saml2/SessionIndex");
if (sessionIndexClaim != null)
{
    localClaims.Add(new Claim("http://Sustainsys.se/Saml2/SessionIndex", sessionIndexClaim.Value));
}
I also saw some people claiming you had to explicitly set certain fields on the Sustainsys.Saml2.IdentityProvider, so I modified DynamicProviderUtils.Saml2ConfigureOptions.cs line 47 like so:
if (options.IdentityProviders.IsEmpty)
{
    var newIdp = new Sustainsys.Saml2.IdentityProvider(
        new EntityId(idp.IdpEntityId), options.SPOptions)
    {
        LoadMetadata = true,
        Binding = Saml2BindingType.HttpPost,
        SingleSignOnServiceUrl = new Uri("https://stubidp.sustainsys.com/"),
        // Explicit single-logout endpoint and binding, in addition to what metadata provides.
        SingleLogoutServiceBinding = Saml2BindingType.HttpRedirect,
        SingleLogoutServiceUrl = new Uri("https://stubidp.sustainsys.com/Logout"),
        AllowUnsolicitedAuthnResponse = true,
        DisableOutboundLogoutRequests = false,
    };
    newIdp.SigningKeys.AddConfiguredKey(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
    options.IdentityProviders.Add(newIdp);
}
I’m very new to identity management in general. Any ideas what to try next? Specifically, is there any way to coax the Sustainsys.Saml2 library into telling me WHY federated logout is not possible?
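The post above asks how to find out why the library declined to do a federated logout. As an added example (not code from the post or from the Saml2.Sample repository), here is a C# helper with two parts: a claim copier that keeps the Issuer of the logout claims when moving them onto the local principal, and a pre-flight check that lists which of the library's requirements for sending a LogoutRequest is unmet. `SloClaimHelper` and both method names are hypothetical; the requirement list reflects the checks the library's logout command performs in the versions I am familiar with (IdP resolved from the Issuer of the LogoutNameIdentifier claim, a SessionIndex claim, an IdP SingleLogoutServiceUrl, outbound logout not disabled, and an SP signing certificate), so verify it against the version you run.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Sustainsys.Saml2;                 // IdentityProvider, EntityId, Saml2ClaimTypes
using Sustainsys.Saml2.AspNetCore2;     // Saml2Options

// Added example; not code from the post or the Saml2.Sample repository.
// "SloClaimHelper" and both method names are made up for this illustration.
public static class SloClaimHelper
{
    // Claim types the Saml2 handler needs on the signed-in principal to build a LogoutRequest.
    private static readonly string[] LogoutClaimTypes =
    {
        ClaimTypes.NameIdentifier,
        Saml2ClaimTypes.LogoutNameIdentifier,   // "http://Sustainsys.se/Saml2/LogoutNameIdentifier"
        Saml2ClaimTypes.SessionIndex            // "http://Sustainsys.se/Saml2/SessionIndex"
    };

    // Copy the logout claims from the external (SAML2) principal into the local claim list,
    // preserving Issuer and OriginalIssuer. The Saml2 handler stamps these claims with the
    // IdP entity id as Issuer; new Claim(type, value) would reset that to "LOCAL AUTHORITY",
    // and the library later uses the Issuer to find the IdP to send the LogoutRequest to.
    public static int CopySaml2LogoutClaims(ClaimsPrincipal external, ICollection<Claim> localClaims)
    {
        var copied = 0;
        foreach (var type in LogoutClaimTypes)
        {
            var claim = external.FindFirst(type);
            if (claim == null) continue;
            localClaims.Add(new Claim(claim.Type, claim.Value, claim.ValueType, claim.Issuer, claim.OriginalIssuer));
            copied++;
        }
        return copied;
    }

    // Pre-flight check: returns the reasons an outbound LogoutRequest cannot be sent for this
    // principal, so they can be logged before calling SignOut. An empty list means every
    // requirement (as assumed in this example) is satisfied.
    public static IReadOnlyList<string> FederatedLogoutBlockers(ClaimsPrincipal user, Saml2Options options)
    {
        var reasons = new List<string>();

        var logoutNameId = user.FindFirst(Saml2ClaimTypes.LogoutNameIdentifier);
        if (logoutNameId == null)
            reasons.Add("principal has no LogoutNameIdentifier claim");

        if (user.FindFirst(Saml2ClaimTypes.SessionIndex) == null)
            reasons.Add("principal has no SessionIndex claim");

        IdentityProvider idp = null;
        if (logoutNameId != null &&
            !options.IdentityProviders.TryGetValue(new EntityId(logoutNameId.Issuer), out idp))
        {
            reasons.Add($"LogoutNameIdentifier issuer '{logoutNameId.Issuer}' is not a configured IdP entity id " +
                        "(claims re-created with new Claim(type, value) carry issuer LOCAL AUTHORITY)");
        }

        if (idp != null && idp.SingleLogoutServiceUrl == null)
            reasons.Add("IdP has no SingleLogoutServiceUrl (none in metadata and none set explicitly)");

        if (idp != null && idp.DisableOutboundLogoutRequests)
            reasons.Add("IdP.DisableOutboundLogoutRequests is true");

        if (options.SPOptions.SigningServiceCertificate == null)
            reasons.Add("SPOptions has no service certificate usable for signing; LogoutRequests must be signed");

        return reasons;
    }
}
```

Call `SloClaimHelper.FederatedLogoutBlockers(User, saml2Options)` in the Logout page just before `SignOut(...)` and write the returned list to your log; with the claim copying from the post, the first entry to expect is the issuer mismatch, since `new Claim(type, value)` does not carry the IdP entity id over. Independently of this helper, in the library versions I know the logout command also logs each of these requirement checks at a lower level than the "Federated logout not possible" message, so lowering the log level for the Sustainsys.Saml2 category to Debug is worth trying first.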