itfoxtec-identity-saml2

ITfoxtec SAML 2.0 - Single Logout


I have one IdP and two SPs (A and B) set up. SSO works great between them. Single Logout also works when I log out from site A (it logs the user out from site B too), but the issue occurs when I am trying to log out from site B. It logs the user out from site B, but when I navigate to site A I'm still logged in until I delete the session cookies or the session times out.

Site A uses ITfoxtec.Identity.Saml2 SAML2.0 MVC implementation.

If I manually delete cookies and refresh the page I'm redirected to login page.

It seems that it kills the session, but the session cookies persist in the browser and let the user browse until they expire; it cannot renew them.

The SingleLogout endpoint is the same as in the example (source from ITfoxtec.Identity.Saml2 - TestWebApp):

Have you seen anything like it? I have run out of ideas about what could be done in this case.

using System;
using System.Diagnostics;
using System.Security.Claims;
using System.Web.Mvc;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Mvc;
using ITfoxtec.Identity.Saml2.Schemas;

// 'config' is the Saml2Configuration of this SP, populated elsewhere in the controller.
public ActionResult SingleLogout()
{
    Saml2StatusCodes status;
    // The IdP delivers the LogoutRequest with the HTTP POST binding.
    var requestBinding = new Saml2PostBinding();
    var logoutRequest = new Saml2LogoutRequest(config, ClaimsPrincipal.Current);
    try
    {
        // Validate signature, issuer and destination, then tear down the local session.
        requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
        status = Saml2StatusCodes.Success;
        logoutRequest.DeleteSession();
    }
    catch (Exception exc)
    {
        // Log the failure and tell the IdP the request was denied.
        Debug.WriteLine("SingleLogout error: " + exc.ToString());
        status = Saml2StatusCodes.RequestDenied;
    }

    // Answer with a LogoutResponse over the POST binding, echoing the RelayState.
    var responsebinding = new Saml2PostBinding();
    responsebinding.RelayState = requestBinding.RelayState;
    var saml2LogoutResponse = new Saml2LogoutResponse(config)
    {
        InResponseToAsString = logoutRequest.IdAsString,
        Status = status,
    };
    return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
}

Solution

  • It is probably your IdP restricting sending the cookie to site A but not to site B when the browser is redirected from the IdP to site A. If that is the case, you can try to use POST instead of redirect. POST is probably not restricted.

    You can debug by tracing the HTTPS traffic in Fiddler or maybe in the browser.
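The answer's suggestion is to switch the IdP from the redirect binding to the POST binding. The following is an added example, not code from the question or from the ITfoxtec project: a SingleLogout action for site A that accepts the LogoutRequest over either binding (chosen from the HTTP method), deletes the SAML session as the question's code does, and additionally expires the SP's own session cookie in the same response, so a cookie left in the browser cannot keep the user signed in after SLO. It assumes the SP uses the WIF SessionAuthenticationModule with the default cookie name "FedAuth", that the controller holds a populated Saml2Configuration in a field named config, and that Saml2PostBinding and Saml2RedirectBinding share the generic base class Saml2Binding<T> with the same Unbind/Bind/RelayState members.

```csharp
using System;
using System.Diagnostics;
using System.IdentityModel.Services;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Mvc;
using ITfoxtec.Identity.Saml2.Schemas;

public class AuthController : Controller
{
    // Assumed: the SP's Saml2Configuration, populated elsewhere (as in the question).
    private readonly Saml2Configuration config;

    // Assumed: the default WIF session cookie name; adjust to your SP's setting.
    private const string SessionCookieName = "FedAuth";

    public AuthController(Saml2Configuration config)
    {
        this.config = config;
    }

    // The same endpoint serves both bindings, so the IdP can be switched from
    // redirect to POST (as the answer suggests) without changing the SP.
    [AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
    public ActionResult SingleLogout()
    {
        var isPost = string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase);
        return isPost
            ? HandleLogout(new Saml2PostBinding(), new Saml2PostBinding())
            : HandleLogout(new Saml2RedirectBinding(), new Saml2RedirectBinding());
    }

    // Generic over the binding type (assumed base class Saml2Binding<T>) so the
    // response goes back over the same binding the request arrived on.
    private ActionResult HandleLogout<T>(Saml2Binding<T> requestBinding, Saml2Binding<T> responseBinding)
        where T : Saml2Binding<T>
    {
        Saml2StatusCodes status;
        var logoutRequest = new Saml2LogoutRequest(config, ClaimsPrincipal.Current);
        try
        {
            // Validates signature, issuer and destination; throws on any failure.
            requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
            status = Saml2StatusCodes.Success;

            // Library-side teardown, exactly as in the question's code.
            logoutRequest.DeleteSession();

            // Defence in depth: sign out of the WIF session and expire the cookie
            // explicitly, so the browser drops it even if DeleteSession() did not
            // reach the client in this response.
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
            ExpireSessionCookie();
        }
        catch (Exception exc)
        {
            // Never complete a logout the IdP could not prove it asked for.
            Debug.WriteLine("SingleLogout error: " + exc);
            status = Saml2StatusCodes.RequestDenied;
        }

        responseBinding.RelayState = requestBinding.RelayState;
        var logoutResponse = new Saml2LogoutResponse(config)
        {
            InResponseToAsString = logoutRequest.IdAsString,
            Status = status,
        };
        return responseBinding.Bind(logoutResponse).ToActionResult();
    }

    // Overwrites the SP's session cookie with an already-expired one on this
    // response, which is what makes site A forget the user immediately.
    private void ExpireSessionCookie()
    {
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
        };
        Response.Cookies.Set(expired);
    }
}
```

To confirm the fix while tracing in Fiddler, as the answer recommends, look at site A's reply to the LogoutRequest: it should carry a Set-Cookie header for the session cookie with an expiry in the past, and the next request to site A should arrive without that cookie and be redirected to login.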