Friday, January 29, 2016


ADFS v3.0 - Server 2012 R2.

I've been doing a PoC with a client: IDP-initiated login via ADFS to a SAML ASP.NET client built on the ComponentSpace SAML stack.

Getting the login to work was somewhat trivial, getting the logout to work was somewhat harder!

The first ADFS error I got was:

MSIS0040: Received LogoutRequest element that is not NameID

Looking at the actual request, I noticed NameID was missing. This was because NameID wasn't one of the claims (assertion attributes) issued in the login.

So I added a transform rule to the RP claims rules to transform email to NameID.

I still got the error, and noticed that the outgoing NameID format was different, i.e. email vs. unspecified.

Fixed that in the claims rule.

I then got:

The verification of the SAML message signature failed.
Message issuer: https://roryb-lt001/MvcExampleServiceProvider
Exception details:
MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties. 

I have no idea what the bottom part of the error means, but the problem was that ComponentSpace wasn't signing the logout.

So I added:


to the saml.config.

(Note that you need a logout service URL as well).

So you need:

  • A NameID
  • The NameID format in the Logout must match that in the Login
  • The Logout must be signed

The signing could also be altered by using one of the ADFS PowerShell cmdlets.
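As an added example (not code from this post, from ComponentSpace or from ADFS), here is a structural pre-flight check that enforces the three rules above on an outgoing LogoutRequest before it is sent: NameID present, NameID Format equal to the one used at login, and a Signature whose Reference covers the request ID. It does not verify the signature cryptographically; the sample requests it builds are constructed, with a made-up issuer and a placeholder signature value.

```python
# Added example: structural pre-flight check of an outgoing SAML 2.0 LogoutRequest
# against the three rules above: NameID present, NameID Format matching the
# login, and the request signed. It does NOT verify the signature cryptographically.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Per SAML Core, a NameID with no Format attribute means "unspecified".
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def check_logout_request(xml_text, login_nameid_format):
    """Return a list of problems; an empty list means the request passes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        return [f"not a LogoutRequest: {root.tag}"]
    problems = []
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID (ADFS reports MSIS0040)")
    else:
        fmt = name_id.get("Format", UNSPECIFIED_FMT)
        if fmt != login_nameid_format:
            problems.append(f"NameID Format {fmt} differs from login format {login_nameid_format}")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("LogoutRequest is not signed")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
            problems.append("signature Reference URI does not cover the request ID")
    return problems

def build_request(req_id, name_id=None, fmt=None, signed=True):
    """Constructed sample LogoutRequest (made-up issuer, placeholder signature value)."""
    parts = [f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" '
             f'xmlns:saml="{NS["saml"]}" ID="{req_id}" Version="2.0">',
             "<saml:Issuer>https://sp.example.test/sp</saml:Issuer>"]
    if signed:  # structural placeholder only, not a real XML-DSig
        parts.append(f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                     f'<ds:Reference URI="#{req_id}"/></ds:SignedInfo>'
                     "<ds:SignatureValue>MA==</ds:SignatureValue></ds:Signature>")
    if name_id is not None:
        fmt_attr = f' Format="{fmt}"' if fmt else ""
        parts.append(f"<saml:NameID{fmt_attr}>{name_id}</saml:NameID>")
    parts.append("</samlp:LogoutRequest>")
    return "".join(parts)
```

Running it against a request with no NameID reproduces the first failure from the post, and a request carrying a NameID without a Format reproduces the second (unspecified vs. emailAddress).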

The working logout looks like this (the signature algorithm URIs, key info and NameID value are omitted from the fragment):

<samlp:LogoutRequest ID="_48141811-d3ab-4d1c-b073-9d8b240489ec">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxx/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="">
        <ds:CanonicalizationMethod Algorithm="" />
        <ds:SignatureMethod Algorithm="" />
        <ds:Reference URI="#_48141811-d3ab-4d1c-b073-9d8b240489ec">
            <ds:Transform Algorithm="" />
            <ds:Transform Algorithm="" />
            <ds:DigestMethod Algorithm="" />
        </ds:Reference>
        <KeyInfo xmlns="" />
    </ds:Signature>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</samlp:LogoutRequest>



jay yao said...

It is a great article!
Thanks a lot for sharing the solution.

Saurabh Saxena said...

I have a slightly unclear situation with the logout scenario for my SAML setup:

I have a 3rd-party SAML SP (which only consumes SAML responses) and my own IDP. From the MVC application (RP) I click on a link which redirects to the IDP, generates a SAML response and posts it to the 3rd-party SP ACS URL, and I am successfully logged in.

Now how to do logout?
The SP metadata has a logout link (POST binding) and an ACS link. My IDP also has logout links (Redirect and POST).

Do I need to post a LogoutRequest to the SP logout link?
Do I need to post a LogoutRequest to the SP ACS link?
Do I need to post a LogoutResponse to the SP logout / ACS link? (IDP-initiated SLO?)

Please help me to understand what to do.


nzpcmad said...

You should have a logout endpoint in your IDP.

POST to that; the IDP deletes its cookies, and when the SP gets the response, the SP deletes its cookies.