How to configure the ResponseLocation of the SingleLogoutService with the ITfoxtec Identity SAML 2.0 library?

I am implementing single logout in my .NET MVC application with the ITfoxtec Identity SAML 2.0 library.

To test, I do the following:

Having mine and another web app open in the same browser, in different tabs:

The first scenario is to log out of both, launching the logout from my application and it works very well.

However, the second scenario is to log out of both, but launch the logout from the other application and here I receive an error from the IdP: “A request for log out could not be completed. (Destination URL validation failed-0F0E112110A00BEA)”. If I refresh that screen, I see that I am logged out of that app, but not mine. After reviewing carefully, I see that, although I am loading the metadata of my IdP, it seems that there is no way to configure the ResponseLocation of the SingleLogoutService, it is as if it only takes the Location. Is there a way to do that configuration?

I had weeks with this problem. If you could help me to achieve this configuration I would be very grateful.

My application’s metadata:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://templatenetframeworkmvcsaml.azurewebsites.net/Auth/SingleLogout" ResponseLocation="https://templatenetframeworkmvcsaml.azurewebsites.net/Auth/LoggedOut"/>

The IdP’s metadata:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://amfsdevl.tec.mx/nidp/saml2/slo" ResponseLocation="https://amfsdevl.tec.mx/nidp/saml2/slo_return"/>

Rather the problem is that the IdP also has 2 endpoints and it seems that when reading the metadata it only takes the Location of the IdP, but not the ResponseLocation. Or just read that setting from the web.config where I have it set like this:

<add key="Saml2:SingleLogoutDestination" value="https://amfsdevl.tec.mx/nidp/saml2/slo" />

I can't find how to configure the ResponseLocation of the IdP and it is what we are missing to achieve the scenario where an application different from mine closes the session.

I share the tracer of what is happening in both scenarios:

Scenario 1. I sign out from my app, https://templatenetframeworkmvcsaml.azurewebsites.net. This scenario works perfectly.

POST https://templatenetframeworkmvcsaml.azurewebsites.net/Auth/Logout HTTP/1.1
POST https://amfsdevl.tec.mx/nidp/saml2/slo HTTP/1.1
GET https://test-edutools.tec.mx/simplesaml/module.php/saml/sp/saml2-logout.php/tec-sp?SAMLRequest= HTTP/1.1
GET https://amfsdevl.tec.mx/nidp/saml2/slo_return?SAMLResponse= HTTP/1.1
POST https://templatenetframeworkmvcsaml.azurewebsites.net/Auth/LoggedOut HTTP/1.1
GET https://templatenetframeworkmvcsaml.azurewebsites.net/ HTTP/1.1
GET https://templatenetframeworkmvcsaml.azurewebsites.net/Auth/Login?ReturnUrl=%2f HTTP/1.1

In my app:

It shows me the login page. (Logged out of my app.)

In the other app:

Keeps the screen as it was, but if I change to any menu option, I see that the session was closed.

Scenario 2. I sign out from another app, https://test-edutools.tec.mx/saml_login. This scenario is failing.

GET https://test-edutools.tec.mx/es/user/logout HTTP/1.1
GET https://amfsdevl.tec.mx/nidp/saml2/slo?SAMLRequest= HTTP/1.1
POST https://templatenetframeworkmvcsaml.azurewebsites.net/Auth/SingleLogout HTTP/1.1
POST https://amfsdevl.tec.mx/nidp/saml2/slo HTTP/1.1

In my app:

Nothing happens. If I put the URL again, I see that the session continues.

In the other app:

Shows this message:

A request for log out could not be completed. (Destination URL validation failed-0F0E112110A00BEA)

If I put the URL again, I see that session is closed.

In this second scenario, instead of making a request here:

POST https://amfsdevl.tec.mx/nidp/saml2/slo HTTP/1.1

My application should make the request here:

POST https://amfsdevl.tec.mx/nidp/saml2/slo_return HTTP/1.1

It is what the other application does in scenario 1 and works correctly.

Solution 1:

The ASP.NET Core sample exposes two different endpoints for single logout (Location and ResponseLocation). The ResponseLocation is for externally initiated single logout.

Metadata: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Controllers/MetadataController.cs#L44

AuthController: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Controllers/AuthController.cs#L91

Your IdP needs to be configured with both the Location and ResponseLocation endpoints to do externally initiated single logout.

Alternative solution

The single logout Location endpoint is the default and is required. If the IdP does not support two single logout endpoints, you can extend the Location endpoint to support both cases; please see the SAML 2.0 implementation in FoxIDs.

// One endpoint for both directions of single logout.
var genericHttpRequest = Request.ToGenericHttpRequest();
// A SAMLResponse parameter means the IdP is answering a logout we started.
if (new Saml2PostBinding().IsResponse(genericHttpRequest) || new Saml2RedirectBinding().IsResponse(genericHttpRequest))
{
    return await LoggedOutInternal();
}
else
{
    // Otherwise it is a LogoutRequest: another SP (via the IdP) started the logout.
    return await SingleLogoutInternal();
}

EDITED April 4

The error "A request for log out could not be completed. (Destination URL validation failed-0F0E112110A00BEA)" most likely indicates that the URL configured to call 'the other app' or the URL configured to call back to 'my app' is incorrect.
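The following is an added example, not code from the question, the answer or the ITfoxtec project. It shows a single-endpoint SingleLogout action for a .NET Framework MVC app that handles the IdP-initiated case described in scenario 2: the incoming LogoutRequest is validated, the local session is removed, and the LogoutResponse is explicitly addressed to the IdP's ResponseLocation (slo_return) read from the IdP metadata, rather than to the Location (slo) that the Saml2:SingleLogoutDestination setting covers. The IdP rejects a LogoutResponse whose Destination does not match the endpoint it is posted to, which is the "Destination URL validation failed" error in the question. Assumptions: `config` is the app's `Saml2Configuration`, `idpMetadataUrl` is the IdP metadata address, `LoggedOut()` is the app's existing handler for the SP-initiated case, and the ITfoxtec member names (`ReadIdPSsoDescriptorFromUrl`, `SingleLogoutServices`, `ResponseLocation`, `DeleteSession`, `Destination`, `InResponseToAsString`) are as I know them from the library; check them against the version you use.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Mvc;
using ITfoxtec.Identity.Saml2.Schemas;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;

public class AuthController : Controller
{
    // Assumed: the SP configuration built at startup, as in the library's samples.
    private readonly Saml2Configuration config;

    // Where the IdP wants LogoutResponses delivered. Taken from its metadata;
    // falls back to Location when the IdP publishes no ResponseLocation.
    private readonly Uri idpLogoutResponseDestination;

    public AuthController(Saml2Configuration config, Uri idpMetadataUrl)
    {
        this.config = config;

        var idp = new EntityDescriptor();
        idp.ReadIdPSsoDescriptorFromUrl(idpMetadataUrl);
        var slo = idp.IdPSsoDescriptor.SingleLogoutServices
            .First(s => s.Binding == ProtocolBindings.HttpPost);
        idpLogoutResponseDestination = slo.ResponseLocation ?? slo.Location;
    }

    // Single endpoint: receives either the IdP's LogoutResponse (we started the
    // logout) or the IdP's LogoutRequest (another app started it).
    [HttpPost]
    public async Task<ActionResult> SingleLogout()
    {
        var http = Request.ToGenericHttpRequest();
        if (new Saml2PostBinding().IsResponse(http) || new Saml2RedirectBinding().IsResponse(http))
        {
            return LoggedOut(); // assumed: existing handler for the SP-initiated flow
        }
        return await HandleIdpInitiatedLogout(http);
    }

    private async Task<ActionResult> HandleIdpInitiatedLogout(ITfoxtec.Identity.Saml2.Http.HttpRequest http)
    {
        Saml2StatusCodes status;
        var requestBinding = new Saml2PostBinding();
        var logoutRequest = new Saml2LogoutRequest(config, ClaimsPrincipal.Current);
        try
        {
            // Unbind verifies the IdP signature and that the request was
            // addressed to this endpoint before anything is trusted.
            requestBinding.Unbind(http, logoutRequest);
            await logoutRequest.DeleteSession();
            status = Saml2StatusCodes.Success;
        }
        catch (Saml2RequestException)
        {
            // Invalid or forged request: keep the session and tell the IdP so.
            status = Saml2StatusCodes.RequestDenied;
        }

        // Echo the RelayState so the IdP can resume its own logout chain.
        var responseBinding = new Saml2PostBinding { RelayState = requestBinding.RelayState };
        var logoutResponse = new Saml2LogoutResponse(config)
        {
            InResponseToAsString = logoutRequest.IdAsString,
            Status = status,
            // The fix for scenario 2: post to slo_return (ResponseLocation),
            // not slo (Location), so the IdP's Destination check passes.
            Destination = idpLogoutResponseDestination,
        };
        return responseBinding.Bind(logoutResponse).ToActionResult();
    }

    private ActionResult LoggedOut()
    {
        // Assumed placeholder for the app's existing SP-initiated completion.
        return RedirectToAction("Index", "Home");
    }
}
```

The metadata the app publishes should still list both endpoints (Location for the request, ResponseLocation for the response) as in the question; what this example changes is only the Destination the app writes into the LogoutResponse it sends back to the IdP, which is the value the IdP validates.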

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
