SP Logout Flow problems

[adrianovaroli]

My project must implement SP-initiated Logout (we're the SP). I followed the code, implementing this (anonimized a bit)

my $idp = Net::SAML2::IdP->new_from_xml(
    xml           => $idp_metadata, # xml
    cacert        => '',
);
my $logout_request = Net::SAML2::Protocol::LogoutRequest->new(
    issuer        => $SP_FEDERATIONMETADATA_URL,
    nameid_format => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    destination   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
    nameid        => $user_email,
    session       => $sso_session_data->{"SSO_TOKEN"},
    id            => $sso_session_data->{"SSO_TOKEN"},
);
my $redirect = Net::SAML2::Binding::Redirect->new(
    key => $SP_SIGNING_KEY, # path to signing_key
    cert => $sp_cert, # xml
    destination   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
    param => 'SAMLRequest',
    sig_hash => 'sha256',
    url   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
);

# redirect happens, then
my $IDP_METADATA_FILENAME = "[rootdir]/stat/saml_data/idp_federationmetadata.xml";
my $idp_metadata = glib_fildir_03::read_file($IDP_METADATA_FILENAME);

my $idp = Net::SAML2::IdP->new_from_xml(
    xml => $idp_metadata,
    cacert => '',
    sls_force_lcase_url_encoding => 1,
);

my $redirect = eval { 
    Net::SAML2::Binding::Redirect->new(
        url   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
        key => $SP_SIGNING_KEY,
        cert => $idp->cert('signing'),
        sig_hash => 'sha256',
        param => 'SAMLResponse',
        sls_force_lcase_url_encoding => 1,
    );
};
if ($@) {
    print STDERR "Error[", scalar localtime, "] al generar objeto redirect.\n";
    print STDERR $@."\n";
    lib_utils::print_pag_result('Error', $logout_incomplete_msg);
}

my $uri = "[uri_to_verify]";

my ($response, $relaystate) = eval {
    $redirect->verify($uri);
};
if ($@) {
    print STDERR "ERROR: [", scalar localtime, "] SP-Initiated logout verification failed.\n";
    print STDERR $@."\n";
    lib_utils::print_pag_result('Error', $logout_incomplete_msg);
}

if (!$response) {
    print STDERR "ERROR: [", scalar localtime, "] SP-Initiated logout verification failed.\n";
    lib_utils::print_pag_result('Error', $logout_incomplete_msg);
}
my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(xml => $response);
if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
    my $sso_session_token = $logout->response_to;
    my ($user_id, $user_name, $user_profile) = &lib_saml::check_sso_user($sso_session_token);
    if (!$user_id) {
        print STDERR "Error[", scalar localtime, "] identifying user in SAML logout.\n";
        lib_utils::print_pag_result('Error', $logout_incomplete_msg);
    }
    $USERNAME_FROM_SAML = $user_name;
} else {
    print STDERR "Error[", scalar localtime, "] logout response was not \"Success\".\n";
    lib_utils::print_pag_result('Error', $logout_incomplete_msg);
}

And I'm consistently failing logout at the last else. The typical response looks like

<samlp:LogoutResponse ID="_3e1c5450-f793-4a9a-a244-c2d3599006e5" Version="2.0" IssueInstant="2022-08-11T18:16:31.955Z"
    Destination="[our_sp_logout_url]"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_8fabaf96-21e7-49ca-8f0c-e5a1eb6c07a3"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[idp_issuer_url]</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    </samlp:Status>
</samlp:LogoutResponse>

Do you have any suggestion as to what I could be doing wrong?

[timlegge]

It would be good to see the LogoutRequest too. There are a couple of possibilities possibly the Issuer in your request or the SessionIndex (it should be the SessionIndex from the Assertion:

<?xml version="1.0" standalone="yes"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     Destination="https://login.microsoftonline.com/...../saml2"
                     IssueInstant="2022-08-12T00:34:03Z"
                     ID="NETSAML2_40ccd150ee2c0a767687128ec528d9b0707a94608d55cd4cf5eddb4a5cff7695"
                     Version="2.0">
  <saml:Issuer>https://netsaml2-testapp.local</saml:Issuer>
  <saml:NameID>e1e43e43-a2d5-a3a1-1e44-3aca41a62de1</saml:NameID>
  <samlp:SessionIndex>_34003144-ce98-4c60-a3fe-99f2d0394500</samlp:SessionIndex>
</samlp:LogoutRequest>

[adrianovaroli]

A logout request from yesterday's tries was:

<samlp:LogoutRequest Version="2.0" Destination="[idp domain]/adfs/ls" IssueInstant="2022-08-11T19:08:31Z" ID="_d9550cc0-584b-4171-a50e-6db3533bdc66">
    <saml:Issuer>[our metadata url]</saml:Issuer>
    <saml:NameID NameQualifier="[idp domain]/adfs/ls" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="[our metadata url">[my test email]</saml:NameID>
    <samlp:SessionIndex>_d9550cc0-584b-4171-a50e-6db3533bdc66</samlp:SessionIndex>
</samlp:LogoutRequest>

and the corresponding response:

<samlp:LogoutResponse ID="_e7328997-93f7-429b-885c-d3a985a426e8" Version="2.0" IssueInstant="2022-08-11T19:08:33.755Z" Destination="[our sp logout page]" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_d9550cc0-584b-4171-a50e-6db3533bdc66" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[idp domain]/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    </samlp:Status>
</samlp:LogoutResponse>

[waterkip]

Does your IdP require the NameQualifier or the SPNameQualifier? What happens when you remove the NameQualifier and SPNameQualifier from the logout request? We may have a fix with 6c63ed1, but it isn't shipped yet.

[adrianovaroli]

I tried the three variants: removing SPNameQualifier, NameQualifier, and both, with the same result as above.

[waterkip]

I see in the Azure docs¹ that the sessionindex doesn't need to be supplied in the logout request.

Footnotes

1. https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol ↩

[timlegge]

Just to confirm you are going against Microsoft azure correct. My log out request that I put above was for azure so if you provide the same data it should work

[timlegge]

Can you also confirm that you are using the NameID from the Assertion? In my setup although Microsoft claims in my assertion that it is an email it is using e1e43e43-a2d5-a3a1-1e44-3aca41a62de1 as the NameID

[adrianovaroli]

Here's data from a complete flow:
init:

#$authn_request 
$VAR1 = bless( {
    'id' => 'NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7',
    'issuer' => bless( do{\(my $o = 'https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml')}, 'URI::https' ),
    'provider_name' => 'https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml',
    'issue_instant' => '2022-08-12T19:41:23Z',
    'AuthnContextClassRef' => [],
    'AuthnContextDeclRef' => [],
    'destination' => bless( do{\(my $o = 'https://[idp domain]/adfs/ls/')}, 'URI::https' ),
    'RequestedAuthnContext_Comparison' => 'exact'
}, 'Net::SAML2::Protocol::AuthnRequest' );
SAML request ID: NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7

callback:

#%assertion_data: 
$VAR1 = {
    'session' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5',
    'id' => 'NETSAML2_d958cfc58ce521990db1791140609c16',
    'not_after' => 1660351284,
    'email' => '[my test email]',
    'in_response_to' => 'NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7',
    'not_before' => 1660347684
};
#user_data for session: 
$VAR1 = {
    'expires' => 1660351284,
    'token' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5',
    'user_id' => 2,
    'refresh' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5'
};

logout:

#mod. req:
<?xml version="1.0" standalone="yes"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0"
    Destination="https://[idp domain]/adfs/ls/"
    IssueInstant="2022-08-12T19:42:14Z"
    ID="_8e34077a-c125-44f1-9f46-d8c060ef4fd5">
  <saml:Issuer>https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml</saml:Issuer>
  <saml:NameID NameQualifier="https://[idp domain]/adfs/ls/"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    >[my test email]</saml:NameID>
  <samlp:SessionIndex>_8e34077a-c125-44f1-9f46-d8c060ef4fd5</samlp:SessionIndex>
</samlp:LogoutRequest>

#logout response
$VAR1 = '<samlp:LogoutResponse ID="_9ddf1a7f-4277-46b2-97d1-24d0adf8eee9" Version="2.0" IssueInstant="2022-08-12T19:42:16.425Z" Destination="https://[our sp domain]/cgi-cpn/[our cms]_logout.cgi?_[our cms]_id=[our project]" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_8e34077a-c125-44f1-9f46-d8c060ef4fd5" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://[idp domain]/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" /></samlp:Status></samlp:LogoutResponse>';
# logout response dump
$VAR1 = bless( {
    'id' => '_9ddf1a7f-4277-46b2-97d1-24d0adf8eee9',
    'issue_instant' => '2022-08-12T19:42:16Z',
    'response_to' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5',
    'issuer' => bless( do{\(my $o = 'http://[idp domain]/adfs/services/trust')}, 'URI::http' ),
    'destination' => bless( do{\(my $o = 'https://[our sp domain]/cgi-cpn/[our cms]_logout.cgi?_[our cms]_id=[our project]')}, 'URI::https' ),
    'substatus' => '',
    'status' => 'urn:oasis:names:tc:SAML:2.0:status:Requester'
}, 'Net::SAML2::Protocol::LogoutResponse' );

I also tried changing the nameid_format and the nameid to the identifier, but with the same results.

[timlegge]

You are missing the NameID. I will look at my Azure settings when I get home.

…

On Fri., Aug. 12, 2022, 4:50 p.m. Adriano Varoli Piazza, < ***@***.***> wrote: Here's data from a complete flow: init: #$authn_request $VAR1 = bless( { 'id' => 'NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7', 'issuer' => bless( do{\(my $o = 'https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml')}, 'URI::https' ), 'provider_name' => 'https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml', 'issue_instant' => '2022-08-12T19:41:23Z', 'AuthnContextClassRef' => [], 'AuthnContextDeclRef' => [], 'destination' => bless( do{\(my $o = 'https://[idp domain]/adfs/ls/')}, 'URI::https' ), 'RequestedAuthnContext_Comparison' => 'exact' }, 'Net::SAML2::Protocol::AuthnRequest' ); SAML request ID: NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7 callback: #%assertion_data: $VAR1 = { 'session' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5', 'id' => 'NETSAML2_d958cfc58ce521990db1791140609c16', 'not_after' => 1660351284, 'email' => '[my test email]', 'in_response_to' => 'NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7', 'not_before' => 1660347684 }; #user_data for session: $VAR1 = { 'expires' => 1660351284, 'token' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5', 'user_id' => 2, 'refresh' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5' }; logout: #mod. req: <?xml version="1.0" standalone="yes"?> <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" Destination="https://[idp domain]/adfs/ls/" IssueInstant="2022-08-12T19:42:14Z" ID="_8e34077a-c125-44f1-9f46-d8c060ef4fd5"> <saml:Issuer>https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml</saml:Issuer> <saml:NameID NameQualifier="https://[idp domain]/adfs/ls/" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" >[my test email]</saml:NameID> <samlp:SessionIndex>_8e34077a-c125-44f1-9f46-d8c060ef4fd5</samlp:SessionIndex> </samlp:LogoutRequest> #logout response $VAR1 = '<samlp:LogoutResponse ID="_9ddf1a7f-4277-46b2-97d1-24d0adf8eee9" Version="2.0" IssueInstant="2022-08-12T19:42:16.425Z" Destination="https://[our sp domain]/cgi-cpn/[our cms]_logout.cgi?_[our cms]_id=[our project]" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_8e34077a-c125-44f1-9f46-d8c060ef4fd5" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://[idp domain]/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" /></samlp:Status></samlp:LogoutResponse>'; # logout response dump $VAR1 = bless( { 'id' => '_9ddf1a7f-4277-46b2-97d1-24d0adf8eee9', 'issue_instant' => '2022-08-12T19:42:16Z', 'response_to' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5', 'issuer' => bless( do{\(my $o = 'http://[idp domain]/adfs/services/trust')}, 'URI::http' ), 'destination' => bless( do{\(my $o = 'https://[our sp domain]/cgi-cpn/[our cms]_logout.cgi?_[our cms]_id=[our project]')}, 'URI::https' ), 'substatus' => '', 'status' => 'urn:oasis:names:tc:SAML:2.0:status:Requester' }, 'Net::SAML2::Protocol::LogoutResponse' ); I also tried changing the nameid_format and the nameid to the identifier, but with the same results. — Reply to this email directly, view it on GitHub <#101 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH3N66IMR6TGZISL2CW2IDVY2THFANCNFSM56JFS2GA> . You are receiving this because you commented.Message ID: <perl-net-saml2/perl-Net-SAML2/repo-discussions/101/comments/3386944@ github.com>

[timlegge]

My Claims are:  This is a test SP and I suspect that the objectid is incorrect but that does produce a nameID in the assertation. Timothy Legge ***@***.*** ***@***.***

…

On Fri, Aug 12, 2022 at 6:24 PM Timothy Legge ***@***.***> wrote: You are missing the NameID. I will look at my Azure settings when I get home. On Fri., Aug. 12, 2022, 4:50 p.m. Adriano Varoli Piazza, < ***@***.***> wrote: > Here's data from a complete flow: > init: > > #$authn_request > $VAR1 = bless( { > 'id' => 'NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7', > 'issuer' => bless( do{\(my $o = 'https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml')}, 'URI::https' ), > 'provider_name' => 'https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml', > 'issue_instant' => '2022-08-12T19:41:23Z', > 'AuthnContextClassRef' => [], > 'AuthnContextDeclRef' => [], > 'destination' => bless( do{\(my $o = 'https://[idp domain]/adfs/ls/')}, 'URI::https' ), > 'RequestedAuthnContext_Comparison' => 'exact' > }, 'Net::SAML2::Protocol::AuthnRequest' ); > SAML request ID: NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7 > > callback: > > #%assertion_data: > $VAR1 = { > 'session' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5', > 'id' => 'NETSAML2_d958cfc58ce521990db1791140609c16', > 'not_after' => 1660351284, > 'email' => '[my test email]', > 'in_response_to' => 'NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7', > 'not_before' => 1660347684 > }; > #user_data for session: > $VAR1 = { > 'expires' => 1660351284, > 'token' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5', > 'user_id' => 2, > 'refresh' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5' > }; > > logout: > > #mod. req: > <?xml version="1.0" standalone="yes"?> > <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > Version="2.0" > Destination="https://[idp domain]/adfs/ls/" > IssueInstant="2022-08-12T19:42:14Z" > ID="_8e34077a-c125-44f1-9f46-d8c060ef4fd5"> > <saml:Issuer>https://[our sp domain]/[our project]/stat/saml_data/sp_federationmetadata.xml</saml:Issuer> > <saml:NameID NameQualifier="https://[idp domain]/adfs/ls/" > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" > >[my test email]</saml:NameID> > <samlp:SessionIndex>_8e34077a-c125-44f1-9f46-d8c060ef4fd5</samlp:SessionIndex> > </samlp:LogoutRequest> > > #logout response > $VAR1 = '<samlp:LogoutResponse ID="_9ddf1a7f-4277-46b2-97d1-24d0adf8eee9" Version="2.0" IssueInstant="2022-08-12T19:42:16.425Z" Destination="https://[our sp domain]/cgi-cpn/[our cms]_logout.cgi?_[our cms]_id=[our project]" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_8e34077a-c125-44f1-9f46-d8c060ef4fd5" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://[idp domain]/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" /></samlp:Status></samlp:LogoutResponse>'; > # logout response dump > $VAR1 = bless( { > 'id' => '_9ddf1a7f-4277-46b2-97d1-24d0adf8eee9', > 'issue_instant' => '2022-08-12T19:42:16Z', > 'response_to' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5', > 'issuer' => bless( do{\(my $o = 'http://[idp domain]/adfs/services/trust')}, 'URI::http' ), > 'destination' => bless( do{\(my $o = 'https://[our sp domain]/cgi-cpn/[our cms]_logout.cgi?_[our cms]_id=[our project]')}, 'URI::https' ), > 'substatus' => '', > 'status' => 'urn:oasis:names:tc:SAML:2.0:status:Requester' > }, 'Net::SAML2::Protocol::LogoutResponse' ); > > I also tried changing the nameid_format and the nameid to the identifier, > but with the same results. > > — > Reply to this email directly, view it on GitHub > <#101 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAH3N66IMR6TGZISL2CW2IDVY2THFANCNFSM56JFS2GA> > . > You are receiving this because you commented.Message ID: > <perl-net-saml2/perl-Net-SAML2/repo-discussions/101/comments/3386944@ > github.com> >

[adrianovaroli]

I'm sorry, where am I missing the NameID?

[timlegge]

Sorry, I meant to say that your assertion response is missing the NameID or you are not showing it in your output above. In my setup it is using e1e43e43-a2d5-a3a1-1e44-3aca41a62de1 as the NameID. I need to send that in the LogoutRequest as the NameId

[adrianovaroli]

The assertion I receive does include the nameid, which I then set in an "email" field for internal purposes.
The actual code is

my %assertion_data = (
    email' => $assertion->nameid,
    'id' => $assertion->id,
    'not_before' => $time_not_before,
    'not_after' => $time_not_after,
    'session' => $assertion->session,
    'in_response_to' => $assertion->in_response_to,
);

and Dumping it gives:

$VAR1 = {
    'session' => '_8e34077a-c125-44f1-9f46-d8c060ef4fd5',
    'id' => 'NETSAML2_d958cfc58ce521990db1791140609c16',
    'not_after' => 1660351284,
    'email' => '[my test email]',
    'in_response_to' => 'NETSAML2_ae99c55f5e3e64a8f772ec4cb9311db7',
    'not_before' => 1660347684
};

[adrianovaroli]

I've sent you the current metadata file by email to avoid assumptions.

[adrianovaroli]

Thanks to @timlegge, I managed to sort this out. He pointed me to https://stackoverflow.com/questions/44290083/proper-logoutrequest-for-single-logout-with-adfs-idp, in which it's mentioned that the NameID must be the same as in the SAML Response sent when logging in. In this case, I had to remove the Format, NameIdentifier and SPNameIdentifier attributes from the tag for the logout to work:

<saml:NameID>[my test email]</saml:NameID>

instead of

<saml:NameID NameQualifier="[idp domain]/adfs/ls" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="[our metadata url">[my test email]</saml:NameID>

An alternative is coordinating with the IdP and change the relevant claims, as the SO answer states.

[waterkip]

Did you extend the class or did you use 6c63ed1 (which is found in 0.58 TRIAL)?

[adrianovaroli]

The parameter nameid_format is not required, so I commented it. As for SPNameQualifier and NameQualifier, I read the returned XML and removed them manually. Eventually I'll install 0.58 or extend the class and do this the right way.