I am looking into using ITfoxtec.Identity.Saml2 for integration with NemLog-in. Is there a sample that implements the logging required by NemLog-in and supports back-channel single logout (IDP calling the SP directly to logout a user) which as far as I understand is required by NemLog-in?
I have been looking at the code for the NemLog-in3 sample.
My understanding is that the sample does not implement the required logging and does not support back-channel single logout. I think the /Auth/SingleLogout endpoint is only for front-channel single logout.
OIOSAML3 and thereby NemLog-in do not support back-channel logout.
It is partly possible to use SOAP binding, which is supported by ITfoxtec.Identity.Saml2. You can find some sample code in the Artifact sample.
Please see OIOSAML3 chapter 4.2.
Requests
The HTTP-Redirect binding [SAML2Bind] MUST be used for the transmission
of (the initial) samlp:LogoutRequest messages to the IdP.
SPs MUST support the HTTP-Redirect or HTTP-POST [SAML2Bind] binding
for the receipt of samlp:LogoutRequest messages from the IdP, and
MAY support SOAP binding.
Responses
The HTTP-Redirect, HTTP-POST or SOAP binding [SAML2Bind] MUST be
used for the transmission of samlp:LogoutResponse messages to the
IdP.
SPs MUST support the HTTP-Redirect or HTTP-POST binding
[SAML2Bind] for the receipt of samlp:LogoutResponse messages from the IdP (to the initial request).