Friday, January 29, 2016

ADFS : SAML IDP Initiated SLO

ADFS v3.0 - Server 2012 R2.

Been doing a PoC of IDP-initiated SSO from ADFS to a SAML ASP.NET client built on the ComponentSpace SAML stack.

Getting the login to work was somewhat trivial, getting the logout to work was somewhat harder!

The first ADFS error I got was:

MSIS0040: Received LogoutRequest element that is not NameID

Looking at the actual request, I noticed NameID was missing. This was because it wasn't one of the assertions in the login.

So I added a Transform in the RP claims rules to transform email to NameID.

Still got the error, and I noticed that the outgoing NameID format was different, i.e. email vs. unspecified.

Fixed that in the claims rule.

I then got:

The verification of the SAML message signature failed.
Message issuer: https://roryb-lt001/MvcExampleServiceProvider
Exception details:
MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.

I have no idea what the bottom part of the error means, but the problem was that ComponentSpace wasn't signing the logout.

So I added:

SingleLogoutServiceUrl="https://xxxl/adfs/ls/"
SignLogoutRequest="true"

to the saml.config.

(Note that you need a logout service URL as well).

So you need:

  • A NameID
  • The NameID format in the Logout must match that in the Login
  • The Logout must be signed

The signing could also be altered by using one of the ADFS PowerShell cmdlets.
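The ADFS side of the three fixes above (the email-to-NameID transform with an explicit format, the logout endpoint, and the signing requirement), as an added PowerShell example. This is not code from the post or from ComponentSpace; the relying party trust name, the SP logout URL and the certificate path are assumed placeholders, and the existing issuance rules are assumed to already emit the e-mail claim.

```powershell
# Added example, not from the post: the ADFS-side pieces of the SLO fix, done with
# the ADFS PowerShell module. Assumptions: the relying party trust is named
# "MvcExampleServiceProvider"; the SP logout URL and certificate path are placeholders.
Import-Module ADFS

$rpName            = "MvcExampleServiceProvider"                         # assumed RP trust name
$spLogoutUrl       = "https://sp.example.invalid/CompanyApp/Logout.aspx" # placeholder
$spSigningCertPath = "C:\certs\sp-signing.cer"                           # placeholder

$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# 1. NameID: turn the e-mail claim into the SAML NameID and stamp the format
#    explicitly, so the LogoutRequest carries the same emailAddress format as the
#    login assertion. Appended to the trust's existing issuance rules, which are
#    assumed to emit the e-mail claim already.
$nameIdRule = @'
@RuleName = "Email to NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $nameIdRule)

# 2. Logout endpoint: ADFS needs a SAMLLogout endpoint on the trust to send its
#    LogoutRequest / LogoutResponse to (the post's "logout service URL" on the SP side).
$logoutEndpoint = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLLogout" `
    -Uri $spLogoutUrl -ResponseUri $spLogoutUrl
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlEndpoint (@($rp.SamlEndpoints) + $logoutEndpoint)

# 3. Signing: SignedSamlRequestsRequired is the ADFS-side switch for demanding signed
#    requests from this SP, and RequestSigningCertificate is what ADFS verifies the
#    SP's signature against. SignatureAlgorithm governs ADFS's own signatures; the
#    captured request above used rsa-sha1, rsa-sha256 is the better choice.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($spSigningCertPath)
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SignedSamlRequestsRequired $true `
    -RequestSigningCertificate $spCert `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Read back the settings that matter for SLO.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, SignedSamlRequestsRequired, SignatureAlgorithm, SamlEndpoints
```

Run this in an elevated ADFS PowerShell session on the federation server. The claim rule is appended rather than replacing the rule set, because the rule that emits the e-mail claim (typically an LDAP attribute rule) has to stay in front of it.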

The working logout looks like:

<samlp:LogoutRequest ID="_48141811-d3ab-4d1c-b073-9d8b240489ec"
                     Version="2.0"
                     IssueInstant="2016-01-28T21:30:26.736Z"
                     Destination="https://xxx/CompanyApp/Logout.aspx"
                     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxx/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_48141811-d3ab-4d1c-b073-9d8b240489ec">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>9Zq1Y7AlKItUJdZYnIgpMxvzq48=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>pK+lQDO2/+zbXOSp8vzy...g82kSQ==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC8jC...2hdhC5uDwoc=</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
            >joeb@company.com</NameID>
    <samlp:SessionIndex>_d444eed6-1063-401a-8df1-11ea3f94b556</samlp:SessionIndex>
</samlp:LogoutRequest>
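A quick way to check a captured LogoutRequest against the three conditions in the checklist above (NameID present, NameID Format matching the login, request signed with the signature covering the request's ID), as an added PowerShell example that is not part of the post. It inspects the XML only; cryptographic verification of the signature is ADFS's job, against the trust's request signing certificate. The sample input is the post's own working request, with its truncated Base64 values left as they appear.

```powershell
# Added example, not from the post: structural checks on a SAML LogoutRequest that
# correspond to the three errors hit above. Returns a list of findings, or an OK line.
function Test-LogoutRequest {
    param(
        [Parameter(Mandatory)] [string] $Xml,
        # Format the login assertion carried; emailAddress in the post's setup.
        [string] $ExpectedNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    )
    $doc = [xml] $Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")
    $ns.AddNamespace("ds",    "http://www.w3.org/2000/09/xmldsig#")

    $req = $doc.SelectSingleNode("/samlp:LogoutRequest", $ns)
    if ($null -eq $req) { return @("Not a samlp:LogoutRequest") }
    $findings = @()

    # 1. NameID must be present; without it ADFS answers MSIS0040.
    $nameId = $req.SelectSingleNode("saml:NameID", $ns)
    if ($null -eq $nameId) {
        $findings += "No NameID element (expect MSIS0040)"
    } elseif ($nameId.GetAttribute("Format") -ne $ExpectedNameIdFormat) {
        # 2. Format must match the one the login assertion used.
        $findings += "NameID Format '$($nameId.GetAttribute('Format'))' differs from login format '$ExpectedNameIdFormat'"
    }

    # 3. The request must be signed, and the enveloped signature must reference this request's ID.
    $sig = $req.SelectSingleNode("ds:Signature", $ns)
    if ($null -eq $sig) {
        $findings += "LogoutRequest is not signed"
    } else {
        $refUri = $sig.SelectSingleNode("ds:SignedInfo/ds:Reference", $ns).GetAttribute("URI")
        if ($refUri -ne ("#" + $req.GetAttribute("ID"))) {
            $findings += "Signature Reference URI '$refUri' does not cover request ID '$($req.GetAttribute('ID'))'"
        }
        $sigAlg = $sig.SelectSingleNode("ds:SignedInfo/ds:SignatureMethod", $ns).GetAttribute("Algorithm")
        if ($sigAlg -like "*sha1") {
            $findings += "Signature method is SHA-1 ($sigAlg); prefer rsa-sha256 on the RP trust"
        }
    }

    if ($findings.Count -eq 0) { return "OK: NameID present, format matches, request signed" }
    return $findings
}

# Sample input: the working LogoutRequest from the post, truncated values as shown there.
$sample = @'
<samlp:LogoutRequest ID="_48141811-d3ab-4d1c-b073-9d8b240489ec" Version="2.0"
    IssueInstant="2016-01-28T21:30:26.736Z" Destination="https://xxx/CompanyApp/Logout.aspx"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxx/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_48141811-d3ab-4d1c-b073-9d8b240489ec">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>9Zq1Y7AlKItUJdZYnIgpMxvzq48=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>pK+lQDO2/+zbXOSp8vzy...g82kSQ==</ds:SignatureValue>
  </ds:Signature>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          xmlns="urn:oasis:names:tc:SAML:2.0:assertion">joeb@company.com</NameID>
  <samlp:SessionIndex>_d444eed6-1063-401a-8df1-11ea3f94b556</samlp:SessionIndex>
</samlp:LogoutRequest>
'@

Test-LogoutRequest -Xml $sample
```

On the post's request the only finding is the SHA-1 signature method; drop the NameID element or change its Format and the same MSIS0040 / format-mismatch conditions from the post show up as findings. The check applies equally to a LogoutRequest sent by the SP to ADFS, which is the direction the post's first two errors came from.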

Enjoy!
