NameID encoding and decoding
Farzan Qureshi
2014-08-20 02:48:26 UTC
Hi,

We are using SAML logout documented at
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO

When we send the NameID it is encoded based on the code below in
attribute-resolver.xml:

<!-- Use AD objectGUID for ImmutableID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="objectGUID">
    <resolver:Dependency ref="myLDAP" />

    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>


When a user logs out, I get the following in the logs (set to DEBUG): the
Session Manager couldn't find a matching NameID. Therefore the user is not logged
out. I have a feeling maybe it is because the attribute is encoded
before being sent to the SP, and thus when it is returned by the SP it is encoded and
needs to be decoded to match the NameID present in the session manager. Am I
right? If yes, then how can I achieve a logout?


14:32:55.131 - INFO [Shibboleth-Access:73] - 20140820T023255Z|192.168.110.92|idp.rosmini.school.nz:443|/profile/SAML2/Redirect/SLO|
14:32:55.131 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SLO
14:32:55.131 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler
14:32:55.132 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:154] - Processing incoming SAML LogoutRequest
14:32:55.132 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:502] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
14:32:55.139 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for urn:federation:MicrosoftOnline
14:32:55.139 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for urn:federation:MicrosoftOnline
14:32:55.194 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:516] - Decoded request from relying party 'urn:federation:MicrosoftOnline'
14:32:55.194 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for urn:federation:MicrosoftOnline
14:32:55.194 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for urn:federation:MicrosoftOnline
14:32:55.195 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:259] - Querying SessionManager based on NameID 'It6BhFXNZkOSF8USULeA9A==|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
14:32:55.195 - INFO [edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:266] - LogoutRequest did not reference an active session.
14:32:55.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:796] - Encoding response to SAML request _8e4c6d5b-304d-464a-be20-2505dd8dc7a8 from relying party urn:federation:MicrosoftOnline
--
*Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
College | (09) 487 0 530
Cantor, Scott
2014-08-20 02:55:21 UTC
Post by Farzan Qureshi
When a user logs out, I get the following in the logs (set to DEBUG): the
Session Manager couldn't find a matching NameID. Therefore the user is not
logged out. I have a feeling maybe it is because the attribute is
encoded before being sent to the SP, and thus when it is returned by the SP it is
encoded and needs to be decoded to match the NameID present in the session
manager. Am I right?
No, you're not right. The value sent to the SP is literally what's stored
in the cache for lookup.
Post by Farzan Qureshi
If yes then how I can achieve a logout?
Figure out why it's not finding the session, I guess.

I seem to recall a bug in which Microsoft dropped part of the NameID
structure when it made the logout request, and that causes a mismatch.
That's a vague memory, so I would search the archive unless somebody else
recalls.

You could trace the outgoing assertion and see what's in the NameID and
compare it to what's in the incoming message.

-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Rob Gorrell
2014-08-20 18:23:07 UTC
Post by Cantor, Scott
I seem to recall a bug in which Microsoft dropped part of the NameID
structure when it made the logout request, and that causes a mismatch.
That's a vague memory, so I would search the archive unless somebody else
recalls.
I don't believe this is an issue (though I'm not familiar with the issue Scott
speaks of)...
We have no problem performing an IdP logout in O365.

-Rob
Cantor, Scott
2014-08-20 18:27:13 UTC
Post by Rob Gorrell
I don't believe this is an issue (though I'm not familiar with the issue Scott
speaks of)...
We have no problem performing an IdP logout in O365.
Is it a SAML logout request though?

-- Scott
Rob Gorrell
2014-08-20 18:34:05 UTC
Forgive me Scott, I'm learning here... but I went to my browser and did a
logout from O365 with SSO tracer enabled and I get...

<saml:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://idp.uncg.edu/idp/logout.jsp"
    ID="_90b70d22-ce6d-40d6-b401-19e52dac240c"
    Version="2.0"
    IssueInstant="2014-08-20T18:32:12Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">6FWRsKuUH0GbMF8EiYLrbw==</saml:NameID>
</saml:LogoutRequest>

That would be a SAML logout request, no?
-Rob
--
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
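Scott's suggestion above was to trace the outgoing assertion, look at its NameID, and compare it with the NameID in the incoming LogoutRequest, which is exactly what Rob's SSO tracer capture shows one half of. The script below is an added example for this thread, not code from the Shibboleth project or from anyone on the list. It parses the NameID out of an assertion and out of a LogoutRequest, builds the same "value|format" key the OP's log shows the SessionManager using, and reports every NameID attribute (value, Format, NameQualifier, SPNameQualifier) on which the two differ, so a dropped or altered part of the NameID structure shows up by name. Both SAML messages are constructed samples with made-up NameID values, modelled on the LogoutRequest Rob posted.

```python
"""Compare the NameID an IdP issued with the NameID an SP sends back at logout.

Added example for this thread, not Shibboleth project code. The assertion and
LogoutRequest below are constructed samples; their NameID values are made up.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed: the Subject the IdP sent to the SP at login (only the parts that matter here).
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2014-08-20T02:30:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}"
                 NameQualifier="https://idp.example.org/idp/shibboleth"
                 SPNameQualifier="urn:federation:MicrosoftOnline">EXAMPLEGUID==</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed: a LogoutRequest shaped like the one in the thread, carrying the same value
# and Format but no qualifiers.
LOGOUT_REQUEST_XML = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_l1" Version="2.0"
    IssueInstant="2014-08-20T02:32:55Z" Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SLO">
  <saml:Issuer xmlns:saml="{SAML}">urn:federation:MicrosoftOnline</saml:Issuer>
  <saml:NameID xmlns:saml="{SAML}" Format="{PERSISTENT}">EXAMPLEGUID==</saml:NameID>
</samlp:LogoutRequest>"""

# Constructed: the same LogoutRequest but with a NameID value that was never issued.
LOGOUT_REQUEST_MISMATCH_XML = LOGOUT_REQUEST_XML.replace("EXAMPLEGUID==", "OTHERVALUE==")

NAMEID_FIELDS = ("value", "Format", "NameQualifier", "SPNameQualifier")


def extract_nameid(xml_text):
    """Return the first saml:NameID in a message as a dict of its value and attributes."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{SAML}}}NameID")
    if node is None:
        raise ValueError("message carries no saml:NameID element")
    return {
        "value": (node.text or "").strip(),
        "Format": node.get("Format"),
        "NameQualifier": node.get("NameQualifier"),
        "SPNameQualifier": node.get("SPNameQualifier"),
    }


def session_key(nameid):
    """The 'value|format' key the OP's log shows the SessionManager querying on."""
    return f"{nameid['value']}|{nameid['Format']}"


def compare_nameids(issued, received):
    """Map each differing field to (issued, received); an empty dict means a full match."""
    return {f: (issued[f], received[f]) for f in NAMEID_FIELDS if issued[f] != received[f]}


def diagnose(assertion_xml, logout_xml):
    """Say whether the logout's NameID would hit the session index, and list every difference."""
    issued = extract_nameid(assertion_xml)
    received = extract_nameid(logout_xml)
    return {
        "session_key_matches": session_key(issued) == session_key(received),
        "differences": compare_nameids(issued, received),
    }


if __name__ == "__main__":
    for label, logout in (("matching logout", LOGOUT_REQUEST_XML),
                          ("mismatching logout", LOGOUT_REQUEST_MISMATCH_XML)):
        result = diagnose(ASSERTION_XML, logout)
        print(f"{label}: key matches = {result['session_key_matches']}")
        for field, (a, b) in result["differences"].items():
            print(f"  {field}: issued={a!r} received={b!r}")
```

On the constructed input the first LogoutRequest matches on the value|format key (only the qualifiers differ, which the logged lookup does not use), while the second fails the lookup because the value itself differs; on real traffic you would paste the traced assertion and the decoded LogoutRequest in place of the two samples.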
Cantor, Scott
2014-08-20 18:39:43 UTC
Post by Rob Gorrell
That would be a SAML logout request, no?
Yeah. So the OP's problem would be user error in some form.

-- Scott