I am trying to build an IdP proxy based on the ComponentSpace SAML solution.
So far, I am able to handle single sign-on in the following way:
A SingleSignOnService method receives the AuthnRequest from the SP and initiates SSO to the partner IdP (SP-initiated SSO). The SSO result carries an IsInResponseTo flag. Based on this flag, I determine whether I am in an SP-initiated SSO or an IdP-initiated SSO flow and handle the flow accordingly. I am trying to handle single logout in the same way, using the following sample flow:

In theory, for SP-initiated logout, I need to achieve the following:

1. Receive the single logout request
2. Check that it is not a response
3. Identify the IdP
4. Send an SLO request to the IdP identified in step 3
5. Respond to the SP-initiated SLO indicating successful logout

```csharp
public async Task<IActionResult> SingleLogoutService()
{
    // Receive the single logout request or response.
    // If a request is received then single logout is being initiated by a partner service provider.
    // If a response is received then this is in response to single logout having been initiated by the identity provider.
    var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

    if (sloResult.IsResponse)
    {
    }
    else
    {
        // Figure out IdP Partner Name
        var idpPartnerName = _configuration["IdPPartnerName"];

        // Send logout request to idp partner
        await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);

        // Respond to the SP-initiated SLO request indicating successful logout.
        await _samlIdentityProvider.SendSloAsync();
    }

    return new EmptyResult();
}
```

I can destroy the session on the SP end, but I cannot delete the IdP session (I think `await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);` needs to trigger the IdP session deletion, which is the third step in the proxy process above).
Is there something "protocol-wise" that I am missing?
Attachment (the InitiateSloAsync method, decompiled):

```csharp
public async Task InitiateSloAsync(string partnerName, string logoutReason, string relayState)
{
    try
    {
        this.logger.LogDebug("Initiating SLO to the partner identity provider" + (string.IsNullOrEmpty(partnerName) ? "." : string.Format(" {0}.", (object) partnerName)), Array.Empty<object>());
        await this.LoadSamlStateAsync();
        this.LogSessionState();
        await this.GetLocalSpConfigurationAsync();

        if (this.SamlState.ServiceProviderSessionState.PendingResponseState != null)
            this.logger.LogDebug(string.Format("The pending SAML action {0} is being overridden.", (object) this.SamlState.ServiceProviderSessionState.PendingResponseState.Action), Array.Empty<object>());

        // No partner name given: fall back to the only SSO session, if exactly one exists.
        if (string.IsNullOrEmpty(partnerName) && this.SamlState.ServiceProviderSessionState.SsoSessions.Count == 1)
        {
            IEnumerator<SsoSessionState> enumerator = this.SamlState.ServiceProviderSessionState.SsoSessions.Values.GetEnumerator();
            enumerator.MoveNext();
            partnerName = enumerator.Current.PartnerName;
            enumerator = (IEnumerator<SsoSessionState>) null;
        }

        await this.GetPartnerIdpConfigurationAsync(partnerName);

        if (this.partnerIdentityProviderConfiguration.DisableOutboundLogout)
            throw new SamlProtocolException(string.Format("Logout to the partner identity provider {0} is disabled.", (object) partnerName));

        // Build and send the LogoutRequest; the method returns without waiting for a LogoutResponse.
        XmlElement xmlElement = await this.CreateLogoutRequestAsync(logoutReason);
        XmlElement logoutRequestElement = xmlElement;
        xmlElement = (XmlElement) null;
        await this.SendLogoutRequestAsync(logoutRequestElement, relayState);

        this.SamlState.ServiceProviderSessionState.SsoSessions.Remove(this.partnerIdentityProviderConfiguration.Name);
        SamlSubject.OnLogoutRequestSent(partnerName, logoutRequestElement, relayState);
        await this.SaveSamlStateAsync();
        this.LogSessionState();
        this.logger.LogDebug(string.Format("Initiation of SLO to the partner identity provider {0} has completed successfully.", (object) partnerName), Array.Empty<object>());
        logoutRequestElement = (XmlElement) null;
    }
    catch (Exception ex)
    {
        this.logger.LogError((EventId) 101, ex, string.Format("Initiation of SLO to the partner identity provider {0} has failed.", (object) partnerName), Array.Empty<object>());
        throw;
    }
}
```

Posted on 2018-05-24 09:03:36
According to the ComponentSpace reply posted here: https://www.componentspace.com/Forums/8806/?Update=1#bm8813, the problem is related to not waiting for the response from the IdP.
With the current implementation, InitiateSloAsync only sends an SLO request to the IdP and does not wait for the response.

```csharp
// Send logout request to idp partner
await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);

// Respond to the SP-initiated SLO request indicating successful logout.
await _samlIdentityProvider.SendSloAsync();
```

The process should be as follows.
Importantly, when acting as both an identity provider and a service provider, you can have different single logout service endpoints.
When you act as the IdP:
```csharp
public async Task<IActionResult> SingleLogoutService()
{
    // Receive the single logout request or response.
    // If a request is received then single logout is being initiated by a partner service provider.
    // If a response is received then this is in response to single logout having been initiated by the identity provider.
    var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

    if (sloResult.IsResponse)
    {
    }
    else
    {
        // Figure out IdP Partner Name
        var idpPartnerName = _configuration["IdPPartnerName"];

        // Send logout request to idp partner
        await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);
    }

    return new EmptyResult();
}
```

When you act as the SP:
```csharp
public async Task<IActionResult> SingleLogoutService()
{
    // Receive the single logout request or response.
    // If a request is received then single logout is being initiated by the identity provider.
    // If a response is received then this is in response to single logout having been initiated by the service provider.
    var sloResult = await _samlServiceProvider.ReceiveSloAsync();

    if (sloResult.IsResponse)
    {
        // Respond to the SP-initiated SLO request indicating successful logout.
        await _samlIdentityProvider.SendSloAsync();
    }
    else
    {
    }

    return new EmptyResult();
}
```

P.S.: If you end up creating two different endpoints for handling logout, don't forget to update your SingleLogoutServiceUrl properties.
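The following is an added illustration, not code from the question, the answer, or ComponentSpace: one ASP.NET Core controller carrying both role-specific SLO endpoints, wired so that the downstream SP is told "logged out" only after the upstream IdP's LogoutResponse has arrived. Confirming logout before the upstream session is terminated is exactly the failure the question describes: the user sees a logout, but the IdP session (and with it, any other SP the user can silently re-enter) survives. The `ReceiveSloAsync`, `InitiateSloAsync`, `SendSloAsync`, `IsResponse`, `LogoutReason` and `RelayState` members on the SP and IdP objects are the ones used on this page, and `IdPPartnerName` is the question's configuration key; the route paths, the logger, and the two IdP-initiated-branch calls (`_samlIdentityProvider.InitiateSloAsync` and `_samlServiceProvider.SendSloAsync`, assumed to mirror their counterparts shown above) are assumptions.

```csharp
using System.Threading.Tasks;
using ComponentSpace.Saml2;                  // ISamlIdentityProvider / ISamlServiceProvider (assumed namespace)
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

// Added example, not the poster's or ComponentSpace's code. Two SLO endpoints, one per role.
// The route values are assumptions; each must match the SingleLogoutServiceUrl configured
// for that role, as the answer's P.S. warns.
public class SamlProxyLogoutController : Controller
{
    private readonly ISamlIdentityProvider _samlIdentityProvider;
    private readonly ISamlServiceProvider _samlServiceProvider;
    private readonly IConfiguration _configuration;
    private readonly ILogger<SamlProxyLogoutController> _logger;

    public SamlProxyLogoutController(
        ISamlIdentityProvider samlIdentityProvider,
        ISamlServiceProvider samlServiceProvider,
        IConfiguration configuration,
        ILogger<SamlProxyLogoutController> logger)
    {
        _samlIdentityProvider = samlIdentityProvider;
        _samlServiceProvider = samlServiceProvider;
        _configuration = configuration;
        _logger = logger;
    }

    // IdP role (facing the downstream SP). Steps 1-4 of the question's list happen here;
    // step 5 deliberately does not: the LogoutResponse to the SP is deferred until the
    // upstream IdP has confirmed that its session is gone.
    [HttpGet("/saml/idp/slo")]
    [HttpPost("/saml/idp/slo")]
    public async Task<IActionResult> IdpSingleLogoutService()
    {
        var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // A downstream SP answered a LogoutRequest this proxy sent while acting as IdP
            // (logout that started at the upstream IdP). Acknowledge it upstream.
            // _samlServiceProvider.SendSloAsync() is assumed to mirror the IdP-role call on this page.
            _logger.LogDebug("LogoutResponse received from a downstream SP; answering the upstream IdP.");
            await _samlServiceProvider.SendSloAsync();
            return new EmptyResult();
        }

        // Steps 2-3: it is a LogoutRequest; pick the single upstream IdP from configuration,
        // exactly as the question does.
        var idpPartnerName = _configuration["IdPPartnerName"];
        _logger.LogDebug("Forwarding SP-initiated SLO to upstream IdP {IdPPartnerName}.", idpPartnerName);

        // Step 4: writes the LogoutRequest (redirect or POST) to the upstream IdP into the HTTP
        // response and returns without waiting, as the decompiled method shows. The pending
        // SP-initiated SLO remains in the library's session state for the SP-role endpoint.
        await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);
        return new EmptyResult();
    }

    // SP role (facing the upstream IdP). Step 5 lives here, gated on the upstream response.
    [HttpGet("/saml/sp/slo")]
    [HttpPost("/saml/sp/slo")]
    public async Task<IActionResult> SpSingleLogoutService()
    {
        var sloResult = await _samlServiceProvider.ReceiveSloAsync();

        if (sloResult.IsResponse)
        {
            // The upstream IdP session has been terminated; only now confirm logout to the
            // downstream SP that started the flow (step 5).
            _logger.LogDebug("LogoutResponse received from the upstream IdP; completing SP-initiated SLO.");
            await _samlIdentityProvider.SendSloAsync();
            return new EmptyResult();
        }

        // The upstream IdP initiated logout. Propagate it to the downstream SP(s) before
        // acknowledging upstream. _samlIdentityProvider.InitiateSloAsync is assumed to mirror
        // the SP-role call shown on this page; passing null for the partner name is assumed to
        // let the library pick the downstream SP from its session state.
        _logger.LogDebug("LogoutRequest received from the upstream IdP; propagating downstream.");
        await _samlIdentityProvider.InitiateSloAsync(null, sloResult.LogoutReason, sloResult.RelayState);
        return new EmptyResult();
    }
}
```

The check that matters operationally is ordering: in the IdP-role endpoint there is no `SendSloAsync()` at all, so a bug in the SP-role endpoint can only leave the downstream SP waiting, never falsely confirmed. Verifying this in a test environment means watching the browser trace for three hops (SP to proxy, proxy to upstream IdP, upstream IdP back to proxy) before the final LogoutResponse is delivered to the SP.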
https://stackoverflow.com/questions/50490175