mmoshcs
mmoshcs Super Contributor.
Super Contributor.
‎2019-04-11 01:34
285 views

SAML SLO results in blank page, login still valid

We have a AM Appliance that we are using as reverse proxy and a SAML IdP, we've setup SAML with a new app and login works correctly, the trouble is logging out.

When logging out the user ends up at https://portal.shc.sa.edu.au/nidp/app?first=false which is just a blank page, looking at the redirects path it took to get there I see the following

https://teach.shc.sa.edu.au/saml2?logout
https://portal.shc.sa.edu.au/nidp/saml2/slo
https://portal.shc.sa.edu.au/nidp/app?first=false

Now the app is internally signed out but if you go directly back to it, it redirects to the IdP which as there is a valid session logs the person back in, causing issues when people try and swap users. This is the first product we have that use SAML SLO so my knowledge of what is expected is limited

I found the following error in /var/opt/novell/nam/logs/idp/tomcat/catalina.out and when the logout is clicked I see the following line appear, I can't find much on it unfortunately but it seems likely the primary issue

Warning: Invalid resource key: No binding set for LogoutResponse. No prefix!


The is the SAML request sent from the app to the IdP

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://portal.shc.sa.edu.au/nidp/saml2/slo"
    ID="_17232456995c51fcb52ffa3e4503ef16" IssueInstant="2019-04-11T00:16:02.524Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://teach.shc.sa.edu.au/saml2</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_17232456995c51fcb52ffa3e4503ef16">
                <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>DR4pX9YjYr4Gwnm+4Dd9Qibxtb0=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue><REMOVED></ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate><REMOVED></ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">MattMunro</saml2:NameID>
</saml2p:LogoutRequest>
0 Likes
Reply
1 Reply
edmaa
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2019-04-12 08:18

Re: SAML SLO results in blank page, login still valid

On 11-04-2019 10:36 AM, mmoshcs wrote:
>
> We have a AM Appliance that we are using as reverse proxy and a SAML
> IdP, we've setup SAML with a new app and login works correctly, the
> trouble is logging out.
>
> When logging out the user ends up at
> https://portal.shc.sa.edu.au/nidp/app?first=false which is just a blank
> page, looking at the redirects path it took to get there I see the
> following
>
> https://teach.shc.sa.edu.au/saml2?logout
> https://portal.shc.sa.edu.au/nidp/saml2/slo
> https://portal.shc.sa.edu.au/nidp/app?first=false
>
> Now the app is internally signed out but if you go directly back to it,
> it redirects to the IdP which as there is a valid session logs the
> person back in, causing issues when people try and swap users. This is
> the first product we have that use SAML SLO so my knowledge of what is
> expected is limited
>
> I found the following error in
> /var/opt/novell/nam/logs/idp/tomcat/catalina.out and when the logout is
> clicked I see the following line appear, I can't find much on it
> unfortunately but it seems likely the primary issue
>
>
> Code:
> --------------------
> Warning: Invalid resource key: No binding set for LogoutResponse. No prefix!
> --------------------

it kinda sounds like that the IDP after terminating the session wants to redirect the browser back to the SP but the metadata for the SP didn't
contain a SLO parameter. Its been a long time since i've done stuff with SLO so i'm not sure what the expected flow is. Can you check the metadata of
the SP and see if it has a SLO parameter defined as well?


--
Cheers,
Edward
0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.