
SAML SLO results in blank page, login still valid

We have an AM Appliance that we are using as a reverse proxy and a SAML IdP. We've set up SAML with a new app and login works correctly; the trouble is logging out.

When logging out the user ends up at https://portal.shc.sa.edu.au/nidp/app?first=false, which is just a blank page. Looking at the redirect path it took to get there, I see the following:

https://teach.shc.sa.edu.au/saml2?logout
https://portal.shc.sa.edu.au/nidp/saml2/slo
https://portal.shc.sa.edu.au/nidp/app?first=false

Now the app is internally signed out, but if you go directly back to it, it redirects to the IdP, which, as there is a valid session, logs the person back in, causing issues when people try to swap users. This is the first product we have that uses SAML SLO, so my knowledge of what is expected is limited.

I found the following error in /var/opt/novell/nam/logs/idp/tomcat/catalina.out: when logout is clicked I see the following line appear. I can't find much on it unfortunately, but it seems likely to be the primary issue:

Warning: Invalid resource key: No binding set for LogoutResponse. No prefix!


This is the SAML request sent from the app to the IdP:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://portal.shc.sa.edu.au/nidp/saml2/slo"
    ID="_17232456995c51fcb52ffa3e4503ef16" IssueInstant="2019-04-11T00:16:02.524Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://teach.shc.sa.edu.au/saml2</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_17232456995c51fcb52ffa3e4503ef16">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>DR4pX9YjYr4Gwnm+4Dd9Qibxtb0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue><REMOVED></ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><REMOVED></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">MattMunro</saml2:NameID>
</saml2p:LogoutRequest>
Knowledge Partner

On 11-04-2019 10:36 AM, mmoshcs wrote:
>
> We have an AM Appliance that we are using as a reverse proxy and a SAML
> IdP. We've set up SAML with a new app and login works correctly; the
> trouble is logging out.
>
> When logging out the user ends up at
> https://portal.shc.sa.edu.au/nidp/app?first=false which is just a blank
> page, looking at the redirects path it took to get there I see the
> following
>
> https://teach.shc.sa.edu.au/saml2?logout
> https://portal.shc.sa.edu.au/nidp/saml2/slo
> https://portal.shc.sa.edu.au/nidp/app?first=false
>
> Now the app is internally signed out, but if you go directly back to it,
> it redirects to the IdP, which, as there is a valid session, logs the
> person back in, causing issues when people try to swap users. This is
> the first product we have that uses SAML SLO, so my knowledge of what is
> expected is limited.
>
> I found the following error in
> /var/opt/novell/nam/logs/idp/tomcat/catalina.out and when the logout is
> clicked I see the following line appear, I can't find much on it
> unfortunately but it seems likely the primary issue
>
>
> Code:
> --------------------
> Warning: Invalid resource key: No binding set for LogoutResponse. No prefix!
> --------------------


It kinda sounds like the IDP, after terminating the session, wants to redirect the browser back to the SP, but the metadata for the SP didn't contain a SLO parameter. It's been a long time since I've done stuff with SLO, so I'm not sure what the expected flow is. Can you check the metadata of the SP and see if it has a SLO parameter defined as well?


--
Cheers,
Edward
Vice Admiral

Hi,
Could you find a solution for this? I run into the exact same problem setting up SAML federation with Adobe Sign.
Regards
Micro Focus Expert

You need to check the metadata of the Service Provider. The Service Provider is sending a SAML LogOut Request to NAM. After logging out, NAM needs to send the SAML LogOut Response to the Service Provider. To send this response, NAM checks the metadata and acquires the SLO URL of the Service Provider. If there is no SLO configured, NAM will complain "end point not configured."

Cadet 2nd Class

Yes, this SP doesn't have a metadata URL and I created it manually, so I couldn't specify the SP SLO URL.
Creating a metadata file that includes that information has solved the problem. Thanks a lot.
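The lookup the Micro Focus Expert reply describes (the IdP reading the SP's SingleLogoutService endpoint from its metadata to address the LogoutResponse) and the fix in the last reply (adding that endpoint to a hand-made metadata file), as an added Python example that is not from the thread or from Access Manager: it takes the Issuer from a LogoutRequest and returns the SLO response endpoint from the SP metadata, or None when the descriptor omits it. The metadata, the request and the example.test hostnames are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: a hand-made SP descriptor with no SingleLogoutService,
# as in the thread's original setup. Hostnames are placeholders.
SP_META_NO_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same descriptor after adding the SLO endpoint (the fix).
SLO_ELEMENT = (
    f'<md:SingleLogoutService Binding="{REDIRECT}"\n'
    '        Location="https://sp.example.test/saml2/slo"/>\n'
    "  </md:SPSSODescriptor>")
SP_META_WITH_SLO = SP_META_NO_SLO.replace("</md:SPSSODescriptor>", SLO_ELEMENT)

# Constructed sample LogoutRequest, trimmed to the parts the lookup needs.
LOGOUT_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_placeholder" Version="2.0" IssueInstant="2019-04-11T00:16:02.524Z"
    Destination="https://idp.example.test/nidp/saml2/slo">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/saml2</saml2:Issuer>
</saml2p:LogoutRequest>"""

def issuer_of(logout_request_xml):
    """Return the SP entityID named in the LogoutRequest's Issuer element."""
    root = ET.fromstring(logout_request_xml)
    return root.find("saml2:Issuer", NS).text.strip()

def slo_response_endpoint(metadata_xml, entity_id, binding=REDIRECT):
    """Where a LogoutResponse for this SP and binding must be sent: ResponseLocation
    if present, else Location; None if no SingleLogoutService matches the binding."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:   # metadata must belong to the Issuer
        return None
    for svc in root.iterfind("md:SPSSODescriptor/md:SingleLogoutService", NS):
        if svc.get("Binding") == binding:
            return svc.get("ResponseLocation") or svc.get("Location")
    return None
```

Running the lookup against SP_META_NO_SLO returns None, the condition under which the IdP has nowhere to send its LogoutResponse; against SP_META_WITH_SLO it returns the SLO URL.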