The Rock Solid Knowledge SAML IdP component supports two SAML Single Logout (SLO) flows:
- SP-initiated SLO where the SP can initiate single logout for the current session in the upstream SAML IdP
- IdP-initiated SLO where logout from the IdP initiates single logout for all parties in the current session
To perform an SP-initiated SLO that also terminates the session in every other Service Provider, the two flows are combined: the SP's logout request ends the IdP session, and the IdP-initiated flow then notifies the remaining participants.
This page covers the SLO implementation details. For more high-level information about SAML SLO, check out our article, The Challenge of Building SAML Single Logout.
SP-initiated SLO is fairly self-explanatory and resembles the approach used in OpenID Connect. The difference is that, instead of the IdP simply redirecting the user back to a pre-registered post-logout URL, a SAML IdP returns a logout response message to the Service Provider.
The logout response is signed with OpenIddict's signing key and is delivered using either the HTTP-Redirect or HTTP-POST binding.
The Service Provider SLO endpoint to which the response is returned is selected using the following order of precedence:
- The endpoint marked as default
- The first endpoint with a Redirect binding
- Any other endpoint
Handling SP-Initiated SLO
To start SP-initiated SLO, a valid SAML logout request must be sent to OpenIddict. The request must carry the correct Name ID (the OpenIddict subject) of the currently logged-in user; a logout request for a different subject does not match the current session.
SP-initiated SLO is then facilitated by the GetLogoutCompletionUrl method on the SAML interaction service, ISamlInteractionService. This method takes the current SAML request ID and, if necessary, returns a URL that your logout page should redirect the user to once the local session has been terminated; that redirect is what delivers the logout response to the Service Provider.
The request ID (requestId) is provided by the SAML component as a query string parameter and must be remembered in the logout model, so that it survives the round trip through your logout confirmation page.
Note that the logoutId parameter name is determined by the OpenIddict configuration option UserInteraction.LogoutIdParameter, and the requestId parameter name is determined by the SAML configuration option UserInteraction.RequestIdParameter.
If you have changed the default values of these options, update the parameter names of your logout action (and any hidden form fields) accordingly, otherwise the values will not be captured from the web request and SAML logout will not complete.
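The following is an added example, not code from the Rock Solid Knowledge documentation or component, of an ASP.NET Core MVC logout action that handles SP-initiated SAML SLO alongside a normal OpenIddict logout. It assumes the default parameter names (logoutId and requestId), that GetLogoutCompletionUrl has the shape Task<string> GetLogoutCompletionUrl(string requestId) and returns null or an empty string when no SAML redirect is needed (the page only says it returns a URL "if necessary"), and a namespace for ISamlInteractionService; all three are assumptions.

```csharp
// Added example (not the component's own code). Assumptions, labelled here because
// the page does not spell them out:
//  - ISamlInteractionService.GetLogoutCompletionUrl(string) returns Task<string>, and
//    a null/empty result means "no SAML redirect needed".
//  - Query/form parameter names are the defaults: logoutId and requestId.
//  - The namespace Rsk.Saml.Services is assumed for ISamlInteractionService.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Rsk.Saml.Services; // assumed namespace

public class LogoutInputModel
{
    // Both IDs are bound from the request and must be echoed back by the
    // confirmation form: the SAML request ID "must be remembered in the logout model".
    // If UserInteraction.LogoutIdParameter / UserInteraction.RequestIdParameter were
    // changed, rename these properties (and the hidden form fields) to match.
    public string LogoutId { get; set; }
    public string RequestId { get; set; }
}

public class AccountController : Controller
{
    private readonly ISamlInteractionService _samlInteraction;

    public AccountController(ISamlInteractionService samlInteraction)
    {
        _samlInteraction = samlInteraction;
    }

    // GET /Account/Logout?logoutId=...&requestId=...
    // Show a confirmation page; the view renders both IDs as hidden fields so they
    // survive the round trip into the POST below.
    [HttpGet]
    public IActionResult Logout(string logoutId, string requestId)
    {
        return View(new LogoutInputModel { LogoutId = logoutId, RequestId = requestId });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        // Terminate the local IdP session first. The signed LogoutResponse returned
        // to the SP asserts that this session is gone, so it must be ended before
        // the user is sent back.
        await HttpContext.SignOutAsync();

        if (!string.IsNullOrEmpty(model.RequestId))
        {
            // SP-initiated SAML SLO: the component resolves the SP's SLO endpoint
            // (default, then first Redirect binding, then any other) and hands back
            // the URL that delivers the signed LogoutResponse.
            var completionUrl = await _samlInteraction.GetLogoutCompletionUrl(model.RequestId);

            // Safe to follow: the URL is derived from the registered Service Provider's
            // SLO endpoint, not from anything the browser supplied, so this is not an
            // open redirect.
            if (!string.IsNullOrEmpty(completionUrl))
            {
                return Redirect(completionUrl);
            }
        }

        // No SAML request to complete: fall back to the ordinary logged-out page,
        // passing the OpenIddict logoutId so that page can finish any OIDC logout.
        return RedirectToAction(nameof(LoggedOut), new { logoutId = model.LogoutId });
    }

    [HttpGet]
    public IActionResult LoggedOut(string logoutId)
    {
        return View(model: logoutId);
    }
}
```

The order of the two steps in the POST handler is the security-relevant detail: sign out locally, then redirect to the completion URL. Reversing them would return a LogoutResponse to the SP while the IdP session still exists, which defeats the purpose of SLO.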
OpenIddict initiates OpenID Connect or WS-Federation logout requests for any client record that has a value for FrontChannelLogoutUri or BackChannelLogoutUri. A SAML Service Provider is notified through SAML SLO rather than through these properties, so make sure the Service Provider's client record leaves both of them empty; otherwise OpenIddict will make unnecessary logout requests to the SAML Service Provider.