[SalesForce] Salesforce SAML Single logout

I have a single sign on functionality in my site with Salesforce as identity provider.

I have a saml enabled connected app in Salesforce, also it was single logout enabled.

I'm done with sign on, but i didn't understand how to logout the Salesforce identity provider when I logout from my application.

How can initiate the Salesforce logout from my .net application?

Best Answer

You'll want to follow the instructions in the documentation found at Configure SAML Settings for Single Logout When Salesforce Is the Identity Provider.

When Salesforce is the identity provider connected to an external SAML service provider, users log in to Salesforce. Salesforce uses SAML to log in users to the service provider through a connected app. When users log out of the service provider or the Salesforce session, they’re logged out of both.

You'll need the following:

Enable My Domain.

Make sure that the service provider supports SAML single logout (SLO).

Get the SAML SLO endpoint from the service provider.

Get the HTTP binding type from the service provider.

This implementation uses connected apps. You can configure SLO when you create and edit a connected app as a developer and distribute it to other orgs. Or you can create and manage SLO for a connected app within your org as an administrator. When you’re editing a connected app as a developer, your changes to the SLO configuration aren’t propagated to the page. As you change settings through connected app management pages, manually copy settings to the app creation page, if desired.

For an existing connected app: In Setup, enter apps in the Quick Find box, then select Manage Connected Apps.

Next to the connected app that you want to configure for SLO, click Edit. You are now editing the connected app configuration even though the path is through Manage Connected Apps

Under SAML Service Provider Settings, select Enable Single Logout.

For Single Logout URL, enter the SAML SLO endpoint of the connected app service provider. The URL must start with https://.

When Salesforce initiates the logout, it sends the logout request with the session index parameter to this SLO endpoint.

When the service provider initiates the logout, Salesforce sends the logout response to this SLO endpoint.

Select the HTTP binding type for SLO. The binding type determines where to put the logout request or logout response in the SAML request. The value is base64 encoded. The service provider gives you this information.

HTTP Redirect – in the query string, deflated.

HTTP POST – in the POST body, not deflated.

Provide your service provider with the Salesforce identity provider SLO endpoint. With this endpoint, the service provider can initiate SLO. Under SAML Login Information on the Connected App Detail page, it’s listed in the Single Logout Endpoint and the SAML Metadata Discovery Endpoint. The format for the endpoint is

https://.my.salesforce.com/services/auth/idp/saml2/logout, where is your org’s My Domain name.

Related Solutions

[SalesForce] “Unable to resolve request into a Service Provider” return by Salesforce Identity Provider for SAML 2.0 request

This usually has to do with the Entity ID field being incorrect in the Service Provider's Single Sign-On Configuration. Make sure it's the Service Provider's domain URL, not the Identity Provider's domain URL. (Which is kind of confusing because, why would you be entering the URL of the org you are already in? But that's how it is...)

This refers to step 5.7 of Implementing Single Sign-On Across Multiple Organizations.

[SalesForce] Dynamically adding custom attributes to SAML response

Looks like you pretty much have covered all the steps an admin can perform to configure salesforce as an Identity provider. He can update the custom attributes to be sent back as part of assertion, but is limited to available dropdown options provided by Salesforce (Mentioned in your question).

However, there is a possible way to extend the custom attribute response using code. Salesforce allows developers to extend the connected app using Custom Connected App Handler. This class needs to extend ConnectedAppPlugin Class to extend the Connect app behavior, as mentioned below:

Contains methods for extending the behavior of a connected app, for example, customizing how a connected app is invoked depending on the protocol used. This class gives you more control over the interaction between Salesforce and your connected app.

Create a class following the below sample code, to populate a map of custom attributes from your business data.

global class ConnectedAppPluginExample extends Auth.ConnectedAppPlugin{

    // Return a user’s permission set assignments
    global override Map<String,String> customAttributes(Id userId, Map<String,String> formulaDefinedAttributes) 
    {  
        //Query Data from your business objects
        List< ObjectName > businessOjbects = [Select [fieldNames] From ObjectName Where [certain conditions]];

        for ( ObjectName businessData :businessOjbects)
        {
            //Just a sample map populated with Unique Name and id
            formulaDefinedAttributes.put(businessData.Name,businessData.id);
        }
        return formulaDefinedAttributes;
    }
}

You can find more details here about the same https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_class_Auth_ConnectedAppPlugin.htm#apex_class_Auth_ConnectedAppPlugin

Update

Out of curiosity, I tried to implement it by myself (Between two SF orgs) and was able to pass additional SAML attributes as part of response.

This is what I did -

Follow steps listed down in this article to implement SSO between two SF orgs https://developer.salesforce.com/page/Implementing_Single_Sign-On_Across_Multiple_Organizations
Created a sample ConnectedApp handler class and selected it on the Connected App under Custom Connected App Handler section:

global class ConnectedAppPluginExample extends Auth.ConnectedAppPlugin{
    global override Map<String,String> customAttributes(Id userId, Map<String,String> formulaDefinedAttributes) 
    {  
        formulaDefinedAttributes.put('test','test');
        return formulaDefinedAttributes;
    } 
}

Note: There is a catch here. For some reason this class with version >37 is not working. So update its version to 36.

Installed google chrome extension to track SAML assertions. https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace
Tested the SSO and verified the SAML response with the custom attribute. Test attribute was present in the SAML response.

Update 2

Morover if you want to use higher API version you have to override customAttributes method like this:

  global override Map<String,String> customAttributes(Id userId, Id 
  connectedAppId, Map<String,String> formulaDefinedAttributes, 
  Auth.InvocationContext context) 
      {  ...

With additional connectedAppId and context attributes.

<saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">0057F000000dRXp 
    </saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">sfsmarty@fsl.com
    </saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">sfsmarty@yahoo.co.in
    </saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">false
    </saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="test" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">test 
    </saml:AttributeValue>
</saml:Attribute>

Best Answer

Related Solutions

[SalesForce] “Unable to resolve request into a Service Provider” return by Salesforce Identity Provider for SAML 2.0 request

[SalesForce] Dynamically adding custom attributes to SAML response

Related Topic