Been doing a PoC for a client of IDP-initiated SAML via ADFS to an ASP.NET SAML client (the SP) built on the ComponentSpace SAML stack.
Getting the login to work was fairly trivial; getting the logout to work was somewhat harder!
The first ADFS error I got was:
MSIS0040: Received LogoutRequest element that is not NameID
Looking at the actual request, I noticed NameID was missing. This was because it wasn't one of the assertions in the login.
So I added a Transform in the RP claims rules to transform email to NameID.
Still got the error, and I noticed that the outgoing NameID format was different, i.e. email vs. unspecified.
Fixed that in the claims rule.
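The two claims-rule fixes above (issue NameID from email, and give it the emailAddress format so it matches what the SP sends back in the logout) can be applied from PowerShell rather than the ADFS GUI. This is an added example, not code from the post; the RP trust name is an assumption, and the rule text is the standard claim rule language transform.

```powershell
# Added example (not from the original post): append a claims rule that issues
# NameID from the e-mail claim, tagged with the SAML 1.1 emailAddress format, so the
# NameID format in the ADFS login matches the one the SP puts in its LogoutRequest.
$RpName = 'MvcExampleServiceProvider'   # assumption: display name of your RP trust

# Claim rule language: take the incoming emailaddress claim and issue it as the
# nameidentifier claim, with the format property set to emailAddress.
$NameIdRule = @'
@RuleName = "Email to NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
              = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# -IssuanceTransformRules replaces the whole rule set for the trust, so read the
# existing rules first and append, otherwise the email issuance rule itself is lost.
$Existing = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -IssuanceTransformRules ($Existing + "`r`n" + $NameIdRule)

# Check that the trust now issues a NameID with the emailAddress format.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules |
    Select-String 'nameid-format:emailAddress'
```

Run this in an elevated PowerShell session on the ADFS server (or one with the ADFS module loaded). If you later switch the format to unspecified on one side, remember the logout will break again until both sides agree.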
I then got:
The verification of the SAML message signature failed.
Message issuer: https://roryb-lt001/MvcExampleServiceProvider
Exception details:
MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.
I have no idea what the bottom part of the error means, but the problem was that ComponentSpace wasn't signing the logout.
So I added:
SingleLogoutServiceUrl="https://xxxl/adfs/ls/"
SignLogoutRequest="true"
to the saml.config.
(Note that you need a logout service URL as well).
So you need:
- A NameID
- The NameID format in the Logout must match that in the Login
- The Logout must be signed
The signing could also be altered by using one of the ADFS PowerShell cmdlets.
The working logout looks like:
<samlp:LogoutRequest ID="_48141811-d3ab-4d1c-b073-9d8b240489ec"
    Version="2.0"
    IssueInstant="2016-01-28T21:30:26.736Z"
    Destination="https://xxx/CompanyApp/Logout.aspx"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxx/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_48141811-d3ab-4d1c-b073-9d8b240489ec">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>9Zq1Y7AlKItUJdZYnIgpMxvzq48=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>pK+lQDO2/+zbXOSp8vzy...g82kSQ==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>MIIC8jC...2hdhC5uDwoc=</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">joeb@company.com</NameID>
  <samlp:SessionIndex>_d444eed6-1063-401a-8df1-11ea3f94b556</samlp:SessionIndex>
</samlp:LogoutRequest>
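When the logout fails, it helps to run a captured LogoutRequest through the three conditions listed above (NameID present, NameID format matching the login, request signed) before going back to the ADFS event log. The function below is an added example, not ComponentSpace or ADFS code; it only checks the structure of the message (it does not verify the signature cryptographically), and the sample XML is constructed here from the working request above with placeholder values. It also flags the rsa-sha1/sha1 algorithms the sample uses, since SHA-1 signatures are deprecated and worth upgrading on the RP trust.

```powershell
# Added example (not from the original post): structural check of a SAML LogoutRequest
# against the three requirements that caused the MSIS0040 / signature errors.
function Test-SamlLogoutRequest {
    param(
        [Parameter(Mandatory)][string]$LogoutRequestXml,
        # NameID format the login assertion carried (assumption: emailAddress, as in the post)
        [string]$LoginNameIdFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    )
    $doc = [xml]$LogoutRequestXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $problems = New-Object System.Collections.Generic.List[string]
    $req = $doc.SelectSingleNode('/samlp:LogoutRequest', $ns)
    if ($null -eq $req) { return @('Root element is not samlp:LogoutRequest') }

    # 1. A NameID must be present (ADFS raises MSIS0040 without it).
    $nameId = $req.SelectSingleNode('saml:NameID', $ns)
    if ($null -eq $nameId -or [string]::IsNullOrWhiteSpace($nameId.InnerText)) {
        $problems.Add('No NameID element (ADFS raises MSIS0040)')
    } else {
        # 2. The NameID format must match what the login used; a missing Format
        #    attribute means "unspecified" per the SAML spec.
        $fmt = $nameId.GetAttribute('Format')
        if ([string]::IsNullOrEmpty($fmt)) { $fmt = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' }
        if ($fmt -ne $LoginNameIdFormat) {
            $problems.Add("NameID format '$fmt' does not match login format '$LoginNameIdFormat'")
        }
    }

    # 3. The request must carry an enveloped signature whose Reference points at its own ID.
    $sig = $req.SelectSingleNode('ds:Signature', $ns)
    if ($null -eq $sig) {
        $problems.Add('LogoutRequest is not signed (set SignLogoutRequest="true" in saml.config)')
    } else {
        $ref = $sig.SelectSingleNode('ds:SignedInfo/ds:Reference', $ns)
        $expectedUri = '#' + $req.GetAttribute('ID')
        if ($null -eq $ref -or $ref.GetAttribute('URI') -ne $expectedUri) {
            $problems.Add("Signature Reference URI does not point at the request ID ($expectedUri)")
        }
        $sigMethod = $sig.SelectSingleNode('ds:SignedInfo/ds:SignatureMethod', $ns)
        if ($null -ne $sigMethod -and $sigMethod.GetAttribute('Algorithm') -match 'sha1') {
            $problems.Add('Warning: signature uses SHA-1; prefer rsa-sha256 on the RP trust')
        }
    }
    return $problems.ToArray()
}

# Constructed sample mirroring the working request in the post (values are placeholders).
$Sample = @'
<samlp:LogoutRequest ID="_48141811-d3ab-4d1c-b073-9d8b240489ec" Version="2.0"
    IssueInstant="2016-01-28T21:30:26.736Z" Destination="https://xxx/CompanyApp/Logout.aspx"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxx/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_48141811-d3ab-4d1c-b073-9d8b240489ec" />
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">joeb@company.com</NameID>
</samlp:LogoutRequest>
'@

Test-SamlLogoutRequest -LogoutRequestXml $Sample
```

For the constructed sample only the SHA-1 warning is reported; delete the NameID element, change its Format, or remove the ds:Signature block and the corresponding failure appears, which maps directly onto the two ADFS errors in the post. On the SP side, paste in the LogoutRequest that ComponentSpace actually sends (its trace output or a browser SAML tracer will show it) rather than the ADFS one above.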
Enjoy!
5 comments:
It is a great article!
Thanks a lot for sharing the solution.
I have a slightly unclear situation in my SAML setup's logout scenario:
I have a 3rd-party SAML SP (which only consumes SAML responses) and my own IDP. From an ASP.NET MVC application (RP) I click on a link which redirects to the IDP, generates a SAML response and posts it to the 3rd-party SP's ACS URL, and I am successfully logged in.
Now how do I do logout?
The SP metadata has a logout link (POST binding) and an ACS link. My IDP also has logout links (Redirect and POST).
Do I need to post a LogoutRequest to the SP logout link?
Do I need to post a LogoutRequest to the SP ACS link?
Do I need to post a LogoutResponse to the SP logout / ACS link? (IDP-initiated SLO?)
Please help me to understand what to do.
Thanks
Saurabh
You should have a logout endpoint in your IDP.
POST to that; the IDP deletes the IDP cookies, and when the SP gets the response, the SP deletes its cookies.