mmoshcs

Commodore
2019-04-11
01:34
938 views
SAML SLO results in blank page, login still valid
We have an AM Appliance that we are using as a reverse proxy and a SAML IdP. We've set up SAML with a new app and login works correctly; the trouble is logging out.
When logging out, the user ends up at https://portal.shc.sa.edu.au/nidp/app?first=false, which is just a blank page. Looking at the redirect path it took to get there, I see the following:
https://teach.shc.sa.edu.au/saml2?logout
https://portal.shc.sa.edu.au/nidp/saml2/slo
https://portal.shc.sa.edu.au/nidp/app?first=false
Now the app is internally signed out, but if you go directly back to it, it redirects to the IdP which, as there is still a valid session, logs the person back in, causing issues when people try to swap users. This is the first product we have that uses SAML SLO, so my knowledge of what is expected is limited.
I found the following error in /var/opt/novell/nam/logs/idp/tomcat/catalina.out: when the logout is clicked, I see the following line appear. I can't find much on it unfortunately, but it seems likely to be the primary issue.
Warning: Invalid resource key: No binding set for LogoutResponse. No prefix!
This is the SAML request sent from the app to the IdP:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://portal.shc.sa.edu.au/nidp/saml2/slo"
    ID="_17232456995c51fcb52ffa3e4503ef16" IssueInstant="2019-04-11T00:16:02.524Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://teach.shc.sa.edu.au/saml2</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_17232456995c51fcb52ffa3e4503ef16">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>DR4pX9YjYr4Gwnm+4Dd9Qibxtb0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue><REMOVED></ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><REMOVED></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">MattMunro</saml2:NameID>
</saml2p:LogoutRequest>
4 Replies


Knowledge Partner
2019-04-12
08:18
On 11-04-2019 10:36 AM, mmoshcs wrote:
>
> We have a AM Appliance that we are using as reverse proxy and a SAML
> IdP, we've setup SAML with a new app and login works correctly, the
> trouble is logging out.
>
> When logging out the user ends up at
> https://portal.shc.sa.edu.au/nidp/app?first=false which is just a blank
> page, looking at the redirects path it took to get there I see the
> following
>
> https://teach.shc.sa.edu.au/saml2?logout
> https://portal.shc.sa.edu.au/nidp/saml2/slo
> https://portal.shc.sa.edu.au/nidp/app?first=false
>
> Now the app is internally signed out but if you go directly back to it,
> it redirects to the IdP which as there is a valid session logs the
> person back in, causing issues when people try and swap users. This is
> the first product we have that use SAML SLO so my knowledge of what is
> expected is limited
>
> I found the following error in
> /var/opt/novell/nam/logs/idp/tomcat/catalina.out and when the logout is
> clicked I see the following line appear, I can't find much on it
> unfortunately but it seems likely the primary issue
>
>
> Code:
> --------------------
> Warning: Invalid resource key: No binding set for LogoutResponse. No prefix!
> --------------------
it kinda sounds like the IDP, after terminating the session, wants to redirect the browser back to the SP but the metadata for the SP didn't
contain a SLO parameter. It's been a long time since I've done stuff with SLO so I'm not sure what the expected flow is. Can you check the metadata of
the SP and see if it has a SLO parameter defined as well?
--
Cheers,
Edward
jlrodriguez

Vice Admiral
2020-12-22
21:51
Hi,
Could you find a solution for this? I ran into the exact same problem setting up SAML federation with Adobe Sign.
Regards
srajamanjit

Micro Focus Expert
2020-12-23
00:04
You need to check the metadata of the Service Provider. The Service Provider is sending a SAML LogOut Request to NAM. After logging out, NAM needs to send the SAML LogOut Response to the Service Provider. To send this response, NAM checks the metadata and acquires the SLO URL of the Service Provider. If there is no SLO configured, NAM will complain "end point not configured."
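As an added example (not code from this thread or from NAM), the check below parses SP metadata for the SingleLogoutService endpoint that the IdP needs before it can deliver a LogoutResponse, and shows the difference between hand-made metadata without it and the corrected version. The metadata documents, entityID and URLs are constructed for illustration.

```python
"""Check whether SP SAML metadata advertises a SingleLogoutService endpoint,
the value the IdP looks up before sending a LogoutResponse after SLO."""
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata from untrusted sources

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (hypothetical entityID/URLs): it has an ACS but no SLO
# endpoint, which is the hand-made state the thread describes.
SP_METADATA_NO_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same metadata after the fix: a SingleLogoutService for the Redirect binding.
SLO_ELEMENT = ('    <md:SingleLogoutService Binding="' + HTTP_REDIRECT + '"\n'
               '        Location="https://sp.example.org/saml2/slo"/>\n')
SP_METADATA_WITH_SLO = SP_METADATA_NO_SLO.replace(
    "  </md:SPSSODescriptor>", SLO_ELEMENT + "  </md:SPSSODescriptor>")


def slo_endpoints(metadata_xml):
    """Return every SingleLogoutService advertised in the SP's SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for sp in root.iter("{%s}SPSSODescriptor" % MD_NS):
        for slo in sp.findall("md:SingleLogoutService", NS):
            endpoints.append({
                "binding": slo.get("Binding"),
                "location": slo.get("Location"),
                # ResponseLocation is optional; responses fall back to Location
                "response_location": slo.get("ResponseLocation") or slo.get("Location"),
            })
    return endpoints


def logout_response_target(metadata_xml, binding):
    """URL the IdP would send its LogoutResponse to over `binding`, or None when
    the metadata gives it nowhere to go (the symptom reported in this thread)."""
    for ep in slo_endpoints(metadata_xml):
        if ep["binding"] == binding:
            return ep["response_location"]
    return None


if __name__ == "__main__":
    for label, md in (("hand-made", SP_METADATA_NO_SLO), ("fixed", SP_METADATA_WITH_SLO)):
        print(label, "->", logout_response_target(md, HTTP_REDIRECT))
```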


Cadet 2nd Class
2020-12-24
10:51
Yes, this SP doesn't have a metadata URL and I created it manually, so I couldn't specify the SP SLO URL.
Creating a metadata file that includes that information has solved the problem. Thanks a lot.