Tags: c#, saml, itfoxtec-identity-saml2, single-logout

Not HTTP POST Method in SingleLogOut Request


I took this sample test SP code from ItFoxTec and performed a SingleLogout from this controller:

[Route("SingleLogout")]
public async Task<IActionResult> SingleLogout()
{
    Saml2StatusCodes status;
    var requestBinding = new Saml2PostBinding();
    var logoutRequest = new Saml2LogoutRequest(config, User);
    try
    {
        requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
        status = Saml2StatusCodes.Success;
        await logoutRequest.DeleteSession(HttpContext);
    }
    catch (Exception exc)
    {
        // log exception
        Debug.WriteLine("SingleLogout error: " + exc);
        status = Saml2StatusCodes.RequestDenied;
    }

    var responsebinding = new Saml2PostBinding();
    responsebinding.RelayState = requestBinding.RelayState;
    var saml2LogoutResponse = new Saml2LogoutResponse(config)
    {
        InResponseToAsString = logoutRequest.IdAsString,
        Status = status
    };
    return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
}

When I hit this endpoint, I get this message from ITfoxtec.Identity.Saml2.InvalidSaml2BindingException:

Not HTTP POST Method

It appears that the IdP produces a GET request; I don't know if there is some misconfiguration. Actually, the configuration looks like this:

services.Configure<Saml2Configuration>(saml2Configuration =>
{
    saml2Configuration.Issuer = saml2Configuration.Issuer;
    saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);

    // Load the IdP's endpoints and signing certificates from its federation metadata.
    var entityDescriptor = new EntityDescriptor();
    var httpClientFactory = services.BuildServiceProvider().GetService<IHttpClientFactory>();
    entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(federationMetadata));
    if (entityDescriptor.IdPSsoDescriptor == null)
        throw new InvalidOperationException("Error loading federation metadata.");

    // Only the Location is kept here; each metadata entry also carries a Binding
    // attribute (HTTP-Redirect or HTTP-POST) that First() does not look at.
    saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
    saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
    saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
});

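Since the question's configuration takes SingleLogoutServices.First() without looking at which binding that entry advertises, the following added example (not part of the question or of ITfoxtec's own sample project) picks the IdP logout endpoint by its Binding attribute instead. It assumes the ITfoxtec.Identity.Saml2 package, the EndpointType.Binding/Location properties and the ProtocolBindings.HttpRedirect/HttpPost constants as they appear in the library's source; the metadata URL and the preferred-binding order are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Schemas;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;

public static class IdpMetadataEndpoints
{
    // Returns the first SingleLogoutService whose Binding matches one of the preferred
    // bindings, tried in order. Null if the IdP advertises none of them.
    public static SingleLogoutService PickSingleLogout(
        IEnumerable<SingleLogoutService> services, params Uri[] preferredBindings)
    {
        var list = services.ToList();
        foreach (var binding in preferredBindings)
        {
            var match = list.FirstOrDefault(s => s.Binding == binding);
            if (match != null)
                return match;
        }
        return null;
    }

    // Assumed usage: call this from services.Configure<Saml2Configuration>(...).
    public static void ConfigureLogout(Saml2Configuration saml2Configuration, string federationMetadataUrl)
    {
        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(federationMetadataUrl));
        if (entityDescriptor.IdPSsoDescriptor == null)
            throw new InvalidOperationException("Error loading federation metadata.");

        // Prefer HTTP-POST (signed XML in a form body) and fall back to HTTP-Redirect
        // (deflated, signed query string). Adjust the order to what the SP can handle.
        var slo = PickSingleLogout(entityDescriptor.IdPSsoDescriptor.SingleLogoutServices,
                                   ProtocolBindings.HttpPost, ProtocolBindings.HttpRedirect);
        if (slo == null)
            throw new InvalidOperationException("IdP metadata advertises no usable SingleLogoutService binding.");

        saml2Configuration.SingleLogoutDestination = slo.Location;
        // Remember which binding the chosen endpoint expects, so the outbound
        // LogoutRequest is sent with Saml2PostBinding or Saml2RedirectBinding accordingly.
        Console.WriteLine($"SLO endpoint {slo.Location} via {slo.Binding}");
        saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
    }
}
```

Note that this only governs the binding the SP uses when it sends a LogoutRequest to the IdP; which binding the IdP uses when it sends one to the SP is decided by the IdP from the SP's own metadata, which is why the endpoint still has to accept the method it actually receives.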
Solution

  • It is possible to do logout with both the Saml2PostBinding (POST) and the Saml2RedirectBinding (GET) binding.

    To accept a GET request you need to change Saml2PostBinding to Saml2RedirectBinding.
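The answer says either binding works, so an endpoint that must serve an IdP whose metadata might point at the HTTP-Redirect endpoint one day and the HTTP-POST endpoint the next can simply dispatch on the HTTP method. The controller below is an added example, not the answerer's code or ITfoxtec's sample project: it assumes the ITfoxtec.Identity.Saml2 and ITfoxtec.Identity.Saml2.MvcCore packages, a Saml2Configuration injected through IOptions as in the ITfoxtec sample, and that the non-generic Saml2Binding base class exposes RelayState, Unbind and Bind and is accepted by the ToActionResult extension, as in the library's source.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

public class AuthController : Controller
{
    private readonly Saml2Configuration config;

    public AuthController(IOptions<Saml2Configuration> configAccessor)
    {
        config = configAccessor.Value;
    }

    // Accept the IdP's LogoutRequest over whichever binding it used (HTTP-Redirect = GET,
    // HTTP-POST = POST) and send the LogoutResponse back over the same binding.
    [Route("SingleLogout")]
    [HttpGet, HttpPost]
    public async Task<IActionResult> SingleLogout()
    {
        Saml2Binding requestBinding;
        Saml2Binding responseBinding;
        if (HttpMethods.IsGet(Request.Method))
        {
            requestBinding = new Saml2RedirectBinding();
            responseBinding = new Saml2RedirectBinding();
        }
        else
        {
            requestBinding = new Saml2PostBinding();
            responseBinding = new Saml2PostBinding();
        }

        var logoutRequest = new Saml2LogoutRequest(config, User);
        Saml2StatusCodes status;
        try
        {
            // Unbind verifies the IdP signature against config.SignatureValidationCertificates
            // and throws on a forged or tampered request, or on the wrong binding for this
            // binding object (the "Not HTTP POST Method" case from the question).
            requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
            // Only a verified request may terminate the local session.
            await logoutRequest.DeleteSession(HttpContext);
            status = Saml2StatusCodes.Success;
        }
        catch (Exception exc)
        {
            // Session is left untouched; report the rejection to the IdP instead of
            // failing silently. Replace Debug.WriteLine with ILogger in production.
            Debug.WriteLine("SingleLogout error: " + exc);
            status = Saml2StatusCodes.RequestDenied;
        }

        var logoutResponse = new Saml2LogoutResponse(config)
        {
            InResponseToAsString = logoutRequest.IdAsString,
            Status = status
        };
        // Echo RelayState unchanged so the IdP can correlate the response with its request.
        responseBinding.RelayState = requestBinding.RelayState;
        return responseBinding.Bind(logoutResponse).ToActionResult();
    }
}
```

Mirroring the inbound binding on the outbound response keeps the round trip consistent with what the IdP advertised, and the try/catch boundary means a request that fails signature validation never reaches DeleteSession.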