Friday, January 29, 2016

ADFS : SAML IDP Initiated SLO

ADFS v3.0 - Server 2012 R2.

Been doing a PoC with client IDP Initiated via ADFS to a SAML ASP.NET client built on the ComponentSpace SAML stack.

Getting the login to work was somewhat trivial, getting the logout to work was somewhat harder!

The first ADFS error I got was:

MSIS0040: Received LogoutRequest element that is not NameID

Looking at the actual request, I noticed NameID was missing. This was because it wasn't one of the assertions in the login.

So I added a Transform in the RP claims rules to transform email to NameID.

Still got the error and I noticed that the outgoing NameID format was different i.e. email vs. unspecified

Fixed that in the claims rule.

I then got:


The verification of the SAML message signature failed.
Message issuer: https://roryb-lt001/MvcExampleServiceProvider
Exception details:
MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties. 


I have no idea what the bottom part of the error means but the problem was that ComponentSpace wasn't signing the logout.

So I added:

SingleLogoutServiceUrl="https://xxxl/adfs/ls/"
SignLogoutRequest="true"

to the saml.config.

(Note that you need a logout service URL as well).

So you need:

  • A NameID
  • The NameID format in the Logout must match that in the Login
  • The Logout must be signed

The signing could also be altered by using one of the ADFS PowerShell cmdlets.

The working logout looks like:

<samlp:LogoutRequest ID="_48141811-d3ab-4d1c-b073-9d8b240489ec"
                     Version="2.0"
                     IssueInstant="2016-01-28T21:30:26.736Z"
                     Destination="https://xxx/CompanyApp/Logout.aspx"
                     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxx/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_48141811-d3ab-4d1c-b073-9d8b240489ec">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>9Zq1Y7AlKItUJdZYnIgpMxvzq48=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>pK+lQDO2/+zbXOSp8vzy...g82kSQ==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIIC8jC...2hdhC5uDwoc=</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
            >joeb@company.com</NameID>
    <samlp:SessionIndex>_d444eed6-1063-401a-8df1-11ea3f94b556</samlp:SessionIndex>
</samlp:LogoutRequest>

Enjoy!

5 comments:

jay yao said...

It is a great article!
Thanks a lot for sharing the solution.

jay yao said...

It is a great article!
Thanks a lot for sharing the solution.

jay yao said...

It is a great article!
Thanks a lot for sharing the solution.

Saurabh Saxena said...

I am having little unclear situation for my saml setup logout scenario:

I have a 3rd party saml SP (which only consume saml response) and my own one IDP. From asp.net mvc application(RP) I click on a link which redirect to IDP and generate SAML response and post to the 3rd party SP ACS url; and successfully logged;

Now how to do logout?
SP metadata has logout link (post binding) and ACS link. My IDP also has logout links(Redirect and POST).

Do I need to post LogoutRequest to SP logout link ?
Do I need to post LogoutRequest to SP ACS link ?
Do I need to post LogoutResponse to SP logout / ACS link ? (IDP initiated SLO ?)

Please help me to understand what to do.

Thanks
Saurabh

nzpcmad said...

You should have a logout endpoint in your IDP.

POST to that, the IDP deletes IDP cookies, when the SP gets the response, the SP deletes its cookies.