How to single logout from Azure AD B2C with ITFoxTech SAML 2 library?


I've implemented a Web Application (Angular frontend and .NET backend) with Azure B2C as identity provider with custom policies via SAML.

On the side of login everything is working fine. But now I'm struggling with the single logout. What I want to achieve is that the user is logged out from Azure B2C and all web applications when the user clicks on the logout button in the web app.

Therefore the Angular app calls the "singlelogout" endpoint of the backend, when clicking "Logout".

I'm using the ITFoxTech SAML2 library and the logout method is implemented as described in the documentation: https://www.itfoxtec.com/identitysaml2

// Requires: using ITfoxtec.Identity.Saml2; using ITfoxtec.Identity.Saml2.Schemas; using ITfoxtec.Identity.Saml2.MvcCore;
// `config` is the controller's Saml2Configuration field.
[Route("SingleLogout")]
public async Task<IActionResult> SingleLogout()
{
    // Receives a LogoutRequest over the HTTP-POST binding and answers with a LogoutResponse.
    Saml2StatusCodes status;
    var requestBinding = new Saml2PostBinding();
    var logoutRequest = new Saml2LogoutRequest(config, User);
    try
    {
        // Reads and validates the SAMLRequest form field; throws if it is missing or invalid.
        requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
        status = Saml2StatusCodes.Success;
        await logoutRequest.DeleteSession(HttpContext);
    }
    catch (Exception exc)
    {
        // log exception
        Debug.WriteLine("SingleLogout error: " + exc.ToString());
        status = Saml2StatusCodes.RequestDenied;
    }

    // Build the LogoutResponse, echoing the RelayState and referencing the request ID.
    var responsebinding = new Saml2PostBinding();
    responsebinding.RelayState = requestBinding.RelayState;
    var saml2LogoutResponse = new Saml2LogoutResponse(config)
    {
        InResponseToAsString = logoutRequest.IdAsString,
        Status = status,
    };
    return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
}

When the method is called, the logoutRequest seems to be built correctly:

[Screenshot: the built LogoutRequest]

But then I get the following exception:

SingleLogout error: ITfoxtec.Identity.Saml2.Saml2BindingException: HTTP Form does not contain SAMLRequest
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature, Boolean detectReplayedTokens)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Request saml2Request)
   at durstgroup.myportal.webapp.Controllers.AuthController.SingleLogout() in /Users/xxxxx/dev/xxxx/xxxxxxxx/xxxxxx.myportal.webapp/Controllers/AuthController.cs:line 190

Does somebody have an idea what I'm doing wrong?

Thanks for your help and kind regards, Alex

Best answer

The SingleLogout is called by an IdP (Azure AD B2C) if it wants to initiate logout in your relying party application. You should call the Logout method to start the logout sequence, like in the sample code.
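The SP-initiated logout sequence the answer refers to, as an added example modelled on the shape of the ITfoxtec sample controller (this is not code from the question, the answer, or the library's own repository). It assumes the same `config` field of type Saml2Configuration that the question's controller uses, the route names Auth/Logout and Auth/LoggedOut, and that the LoggedOut URL is the one registered in Azure AD B2C as the service provider's logout response location:

```csharp
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using Microsoft.AspNetCore.Mvc;

// Assumed controller layout; the route names are illustrative.
[Route("Auth")]
public class AuthController : Controller
{
    private readonly Saml2Configuration config;

    public AuthController(Saml2Configuration config)
    {
        this.config = config;
    }

    // Step 1: the user clicks "Logout" in the web app. The service provider starts
    // the sequence: build a LogoutRequest for the current user, clear the local
    // session, and POST the request to the IdP's single logout endpoint.
    [HttpPost("Logout")]
    [ValidateAntiForgeryToken] // a cross-site forged request must not be able to log the user out
    public async Task<IActionResult> Logout()
    {
        if (!User.Identity.IsAuthenticated)
        {
            return Redirect(Url.Content("~/"));
        }

        var binding = new Saml2PostBinding();
        // DeleteSession signs the user out locally and returns the request to send.
        var saml2LogoutRequest = await new Saml2LogoutRequest(config, User).DeleteSession(HttpContext);
        // Bind produces an HTML page with an auto-submitting form that carries SAMLRequest.
        return binding.Bind(saml2LogoutRequest).ToActionResult();
    }

    // Step 2: the IdP answers with a LogoutResponse. Unbind validates the response
    // (including its signature) before the user is sent back to the start page.
    [Route("LoggedOut")]
    public IActionResult LoggedOut()
    {
        var binding = new Saml2PostBinding();
        binding.Unbind(Request.ToGenericHttpRequest(), new Saml2LogoutResponse(config));
        return Redirect(Url.Content("~/"));
    }

    // Step 3 (the other direction): the question's SingleLogout action stays as the
    // endpoint the IdP calls when the user logged out elsewhere. It receives the IdP's
    // LogoutRequest and must answer with a LogoutResponse; calling it from the
    // frontend is what produced the "HTTP Form does not contain SAMLRequest" error,
    // because no SAMLRequest form field is present in that request.
}
```

Because the HTTP-POST binding returns an HTML page whose form submits itself to the IdP, the Angular app has to navigate the browser to the Logout endpoint (for example by submitting a form that carries the antiforgery token) rather than calling it with an XHR/fetch request, otherwise the auto-submitting form is never rendered and the logout never reaches Azure AD B2C.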