Farzan Qureshi
2014-08-20 02:48:26 UTC
Hi,
We are using SAML logout documented at
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO
When we send the NameID it is encoded based on the code below in
attribute-resolver.xml:
<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="objectGUID">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>
When a user logs out, I get the following in the logs (set to DEBUG): the
Session Manager couldn't find a matching NameID. Therefore the user is not logged
out. I have a feeling it may be because the attribute is encoded
before being sent to the SP, and thus when it is returned by the SP it is encoded and
needs to be decoded to match the NameID present in the session manager. Am I
right? If yes, then how can I achieve a logout?
14:32:55.131 - INFO [Shibboleth-Access:73] -
20140820T023255Z|192.168.110.92|idp.rosmini.school.nz:443
|/profile/SAML2/Redirect/SLO|
14:32:55.131 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86]
- shibboleth.HandlerManager: Looking up profile handler for request path:
/SAML2/Redirect/SLO
14:32:55.131 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97]
- shibboleth.HandlerManager: Located profile handler of the following type
for the request path:
edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler
14:32:55.132 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:154]
- Processing incoming SAML LogoutRequest
14:32:55.132 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:502]
- Decoding message with decoder binding
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
14:32:55.139 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128]
- Looking up relying party configuration for urn:federation:MicrosoftOnline
14:32:55.139 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130]
- Custom relying party configuration found for
urn:federation:MicrosoftOnline
14:32:55.194 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:516]
- Decoded request from relying party 'urn:federation:MicrosoftOnline'
14:32:55.194 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128]
- Looking up relying party configuration for urn:federation:MicrosoftOnline
14:32:55.194 - DEBUG
[edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130]
- Custom relying party configuration found for
urn:federation:MicrosoftOnline
14:32:55.195 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:259]
- Querying SessionManager based on NameID
'It6BhFXNZkOSF8USULeA9A==|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
14:32:55.195 - INFO
[edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:266]
- LogoutRequest did not reference an active session.
14:32:55.199 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:796]
- Encoding response to SAML request _8e4c6d5b-304d-464a-be20-2505dd8dc7a8
from relying party urn:federation:MicrosoftOnline
--
*Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
College | (09) 487 0 530
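To make the mismatch the post suspects concrete, here is an added simulation (not Shibboleth code and not from the poster): a binary AD objectGUID is base64-encoded into the NameID, which is why the logged value is 24 characters ending in '==', and a session index only finds the session on logout if it was keyed by exactly that encoded value and format pair. The GUID, the session id and the SessionIndex class are constructed for illustration.

```python
import base64
import uuid
from typing import Optional

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def encode_name_id(object_guid: bytes) -> str:
    """Hypothetical stand-in for the SAML2StringNameID encoder applied to a
    binary objectGUID: the 16 raw bytes are base64-encoded (24 chars, '==')."""
    if len(object_guid) != 16:
        raise ValueError("AD objectGUID is a 16-byte value")
    return base64.b64encode(object_guid).decode("ascii")


def session_key(name_id_value: str, name_format: str) -> str:
    """Key shaped like the log line: '<value>|<format>'."""
    return f"{name_id_value}|{name_format}"


class SessionIndex:
    """Constructed session store keyed by NameID, standing in for the IdP's
    SessionManager lookup; not Shibboleth's implementation."""

    def __init__(self) -> None:
        self._by_name_id: dict[str, str] = {}

    def add(self, session_id: str, name_id_value: str, name_format: str) -> None:
        self._by_name_id[session_key(name_id_value, name_format)] = session_id

    def lookup(self, name_id_value: str, name_format: str) -> Optional[str]:
        return self._by_name_id.get(session_key(name_id_value, name_format))


def simulate_logout(index_by_encoded: bool) -> Optional[str]:
    """Issue a NameID for a constructed GUID, index the session either by the
    encoded NameID or by the raw GUID string, then look up the NameID the SP
    echoes back in its LogoutRequest. Returns the session id found, or None."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le  # constructed
    encoded = encode_name_id(guid)
    index = SessionIndex()
    if index_by_encoded:
        index.add("sess-1", encoded, PERSISTENT)
    else:
        # Indexed on the raw attribute's string form: the SP never saw this value
        index.add("sess-1", str(uuid.UUID(bytes_le=guid)), PERSISTENT)
    # The SP sends back exactly the NameID value and format it was issued
    return index.lookup(encoded, PERSISTENT)
```

Running `simulate_logout(False)` reproduces the "did not reference an active session" outcome: the LogoutRequest carries the encoded value, so an index built from anything else misses.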