ADFS Logout issue - NameId not specified

Hi,

I have implemented various SAML integrations using ComponentSpace and the high level API, but now I've run into an issue that it seems the high level API can't handle.

Basically I'm implementing SSO against an ADFS identity provider and while the login works fine, the logout is giving an error on ADFS's end:
MSIS0040 Received LogoutRequest element that is not NameID.

My code for the logout request:
SAMLServiceProvider.InitiateSLO(Response, null, partnerIdP);

The generated logout request looks like this:
<samlp:LogoutRequest ID="_832cb8f7-cbaa-41d1-9a75-b9e922d53d7c" Version="2.0" IssueInstant="2018-02-16T09:53:21.727Z" Destination="xxxx" NotOnOrAfter="2018-02-16T09:56:21.727Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxx</saml:Issuer>
</samlp:LogoutRequest>

From reading about this it seems that in order for the logout request to contain the NameID, the authentication request needs to contain it as well.

This is my code for authenticating:
SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);

And the request sent looks like this:
<samlp:AuthnRequest ID="_810acffd-0984-4483-819c-5251db965c7d" Version="2.0" IssueInstant="2018-02-16T11:56:26.053Z" Destination="xxxx" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="xxxx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxx</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>

So there is basically no NameID specified and I don't know how to provide that using the high level API.

So I need some guidance. Is it possible with the high level API? Are there any workarounds? If not, how do I go about doing it with the low level API?

I am using version 2.6.0.9.

Kind regards,
David


Hi David
We return the NameID included in the SAML assertion received from ADFS.
If there’s no NameID in the SAML assertion then we can’t include one in the logout request.
In the ADFS claim rules for the relying party, please ensure there’s a rule that creates a NameID to be included in the SAML assertion.
Once that’s in place SAML logout should work.
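An added example of the relying party claim rules the reply describes (not ComponentSpace's code and not from the original thread): an LDAP rule that fetches the user's UPN and a transform rule that issues it as the NameID, using the "unspecified" format that the AuthnRequest above asks for. The relying party trust name is a placeholder, and Set-AdfsRelyingPartyTrust -IssuanceTransformRules replaces the trust's existing rule set, so merge in any rules it already has.

```powershell
# Placeholder: the display name of the relying party trust in ADFS.
$rpName = "Example SP"

# Claim rule language. Rule 1 pulls userPrincipalName from AD for the
# authenticated Windows account; rule 2 maps that UPN claim to the
# SAML NameID so the assertion (and therefore the SP's LogoutRequest)
# carries a NameID.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Apply the rule set to the relying party trust (this overwrites any
# issuance transform rules currently configured on the trust).
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check: the stored rules should now contain a nameidentifier issuance.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($applied -notmatch "claims/nameidentifier") {
    Write-Warning "No NameID rule found on '$rpName'; SAML logout will still fail."
}
```

After the change, decode the next SAML response from ADFS and confirm the assertion's Subject contains a NameID before retrying the logout.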

[quote]
ComponentSpace - 2/16/2018
Hi David
We return the NameID included in the SAML assertion received from ADFS.
If there's no NameID in the SAML assertion then we can't include one in the logout request.
In the ADFS claim rules for the relying party, please ensure there's a rule that creates a NameID to be included in the SAML assertion.
Once that's in place SAML logout should work.
[/quote]

Hi,
Thanks for the quick answer. I'm working on this now and will let you know if it doesn't work for us.
Kind regards,
David

Thanks David.