
We are implementing an SSO/SLO flow with SAML 2.0 between a Salesforce IdP and a .NET Core 3.1 application (SP). The SP- and IdP-initiated SSO flows work well, and so does the SP-initiated SLO flow. Problem: for the IdP-initiated flow, the SP receives a SAML request from the IdP containing the user ID and sessionId, but I am not sure how to implement the following. Any help/clues would be greatly appreciated.

  1. After receiving the user id (i.e. UserX) and session id from the IdP, how do I identify the session and delete the cookie to log out UserX?
  2. If userX has multiple tabs open in the browser, how do I refresh all of his tabs after logout?

Below is the SAML logout request from the IdP:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" NotOnOrAfter="2021-05-06T01:31:43Z" Destination="https://salesforce-dev.com/services/auth/idp/saml2/logout" IssueInstant="2021-05-06T01:28:43Z" Version="2.0" ID="_a4f91ebe-dd86-4f07-9610-2b0baac866ec">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost:443</saml:Issuer>
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userX@irahada.com</saml:NameID>
    <samlp:SessionIndex>00D5O0000008epg0Ak5O00000SRM5e</samlp:SessionIndex>
</samlp:LogoutRequest>

Browser: an .AspNetCore.Cookies cookie is created for each user login

.NET application code:

public async Task<IActionResult> InitiateSingleLogout([FromForm] string? SAMLRequest = null)
{
    //IDP-Initiated logout
    if (SAMLRequest != null)
    {
        //We have userId, session Id, not sure how to use it to identify user session
        var samlLogoutRequest = await samlService.ConsumeLogoutRequestAsyncSF(SAMLRequest);
        var userId = samlLogoutRequest.UserId; //userX@irahada.com
        var userSessionId = samlLogoutRequest.SessionId; //00D5O0000008epg0Ak5O00000SRM5e

        //Note: Following HttpContext is null, and is doing nothing
        // What can I do so that I can identify the user session using userSessionId and then sign him off?
        await HttpContext.SignOutAsync();
    }
    return Ok(); // return added so the snippet compiles; the original omitted it
}

Also, below is the .NET code used to set up the user login during SSO, in case it is needed to understand how the user login is established:

public async Task<IActionResult> SamlConsume([FromForm] string SAMLResponse)
{
    try
    {
        //parse the SAML Response and fetch SessionId
        var parsedSamlResponse = samlService.ParseAuthnResponse(SAMLResponse);

        var claimsIdentity = samlService.PrepareClaimsIdentity(parsedSamlResponse);
        //Following has been used to set sessionId in Claims which is 00D5O0000008epg0Ak5O00000SRM5e in current example
        //new Claim("SessionId", samlUser.SessionId)

        var authProperties = new AuthenticationProperties
        {
            IsPersistent = true,
        };
        //This creates the .AspNetCore.Cookies cookie for the user session on the browser
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity),
            authProperties);
        return Redirect("/"); // return and catch added so the snippet compiles; the original omitted both
    }
    catch (Exception)
    {
        return BadRequest();
    }
}
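One way to address question 1, as an added example that is not the asker's code and not part of any SAML library: keep the authentication ticket on the SP side in a custom ITicketStore (the CookieAuthenticationOptions.SessionStore hook), indexed by the SAML SessionIndex that the login code already places in the "SessionId" claim, so an IdP-initiated LogoutRequest can revoke the session without needing the browser's cookie. The class name SamlSessionTicketStore and the in-memory dictionaries are assumptions; a multi-instance SP would back them with a distributed cache.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical server-side ticket store: the browser cookie only carries a random key,
// and the ticket itself stays on the SP, indexed by the SAML SessionIndex ("SessionId" claim).
public class SamlSessionTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();
    private readonly ConcurrentDictionary<string, string> _keyBySessionIndex =
        new ConcurrentDictionary<string, string>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N"); // opaque value that ends up in .AspNetCore.Cookies
        _tickets[key] = ticket;
        var sessionIndex = ticket.Principal.FindFirst("SessionId")?.Value;
        if (sessionIndex != null) _keyBySessionIndex[sessionIndex] = key;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    // Returning null makes cookie authentication treat the request as anonymous.
    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        foreach (var pair in _keyBySessionIndex.Where(p => p.Value == key).ToList())
            _keyBySessionIndex.TryRemove(pair.Key, out _);
        return Task.CompletedTask;
    }

    // Call this from the IdP-initiated handler with samlLogoutRequest.SessionId.
    public bool RevokeBySessionIndex(string sessionIndex) =>
        _keyBySessionIndex.TryRemove(sessionIndex, out var key) && _tickets.TryRemove(key, out _);
}
```

Register a single instance in Startup.cs with `services.AddAuthentication(...).AddCookie(o => o.SessionStore = store)` and have InitiateSingleLogout call `store.RevokeBySessionIndex(userSessionId)` rather than HttpContext.SignOutAsync(), which can only clear a cookie that is present on the incoming request. Once the ticket is gone, every open tab is treated as anonymous on its next request, which answers question 2 server-side; making the tabs redraw immediately still needs a client-side check (polling or a push channel).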