我正在尝试构建基于组件空间 SAML 解决方案的 IdP-Proxy。
到目前为止,我能够通过以下方式处理单点登录:
- 添加一个从
SingleSignOnService接收AUTHN请求并向合作伙伴( )SP发起请求的方法。SSOIdPSP-initiated SSO - 添加一个
AssertionConsumerService正在接收SSO结果并检查IsInResponseTo标志的。根据这个标志,我确定了我是在流动中SP-initiated SSO还是在IdP-initiated SSO流动中,并相应地完成了流动。
我正在尝试使用以下示例流程以相同的方式处理单次注销:
理论上,对于 SP 发起的注销,我需要实现以下目标: 1. 接收单个注销请求 2. 检查它是否不是响应 3. 识别 IdP 4. 向步骤 3 识别的 IdP 发送 Slo 请求 5 . 响应 SP 发起的 SLO 指示成功注销。
public async Task<IActionResult> SingleLogoutService()
{
// Receive the single logout request or response.
// If a request is received then single logout is being initiated by a partner service provider.
// If a response is received then this is in response to single logout having been initiated by the identity provider.
var sloResult = await _samlIdentityProvider.ReceiveSloAsync();
if (sloResult.IsResponse)
{
}
else
{
// Figure out IdP Partner Name
var idpPartnerName = _configuration["IdPPartnerName"];
// Send logout request to idp partner
await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);
// Respond to the SP-initiated SLO request indicating successful logout.
await _samlIdentityProvider.SendSloAsync();
}
return new EmptyResult();
}
我可以在 SP 结束时销毁会话,但我无法删除 IdP 会话(我在想
await _samlServiceProvider.InitiateSloAsync(idpPartnerName, sloResult.LogoutReason, sloResult.RelayState);
需要触发 IdP 会话删除,这是附加代理过程中的第三步)。
我缺少“协议方面”的东西吗?
附件(InitiateSloAsync方法):
public async Task InitiateSloAsync(string partnerName, string logoutReason, string relayState)
{
int num;
if ((uint) num <= 5U)
;
try
{
this.logger.LogDebug("Initiating SLO to the partner identity provider" + (string.IsNullOrEmpty(partnerName) ? "." : string.Format(" {0}.", (object) partnerName)), Array.Empty<object>());
await this.LoadSamlStateAsync();
this.LogSessionState();
await this.GetLocalSpConfigurationAsync();
if (this.SamlState.ServiceProviderSessionState.PendingResponseState != null)
this.logger.LogDebug(string.Format("The pending SAML action {0} is being overridden.", (object) this.SamlState.ServiceProviderSessionState.PendingResponseState.Action), Array.Empty<object>());
if (string.IsNullOrEmpty(partnerName) && this.SamlState.ServiceProviderSessionState.SsoSessions.Count == 1)
{
IEnumerator<SsoSessionState> enumerator = this.SamlState.ServiceProviderSessionState.SsoSessions.Values.GetEnumerator();
enumerator.MoveNext();
partnerName = enumerator.Current.PartnerName;
enumerator = (IEnumerator<SsoSessionState>) null;
}
await this.GetPartnerIdpConfigurationAsync(partnerName);
if (this.partnerIdentityProviderConfiguration.DisableOutboundLogout)
throw new SamlProtocolException(string.Format("Logout to the partner identity provider {0} is disabled.", (object) partnerName));
XmlElement xmlElement = await this.CreateLogoutRequestAsync(logoutReason);
XmlElement logoutRequestElement = xmlElement;
xmlElement = (XmlElement) null;
await this.SendLogoutRequestAsync(logoutRequestElement, relayState);
this.SamlState.ServiceProviderSessionState.SsoSessions.Remove(this.partnerIdentityProviderConfiguration.Name);
SamlSubject.OnLogoutRequestSent(partnerName, logoutRequestElement, relayState);
await this.SaveSamlStateAsync();
this.LogSessionState();
this.logger.LogDebug(string.Format("Initiation of SLO to the partner identity provider {0} has completed successfully.", (object) partnerName), Array.Empty<object>());
logoutRequestElement = (XmlElement) null;
}
catch (Exception ex)
{
this.logger.LogError((EventId) 101, ex, string.Format("Initiation of SLO to the partner identity provider {0} has failed.", (object) partnerName), Array.Empty<object>());
throw;
}
}