Logout from the partner identity provider is disabled

We found an old version of ComponentSpace and decided to update it.
Upgraded from
ComponentSpace.SAML2, Version=4.6.0.0
=>
ComponentSpace.Saml2, Version=7.3.0.0

So far I’ve only changed EnableSha1Support = true, as SHA-1 was presumably the default back then (which is a different issue).

But I get this error when a user attempts to log out:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException: Logout from the partner identity provider http://redacted-adfs-url/services/trust is disabled.
   at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSLO(HttpRequestBase httpRequest, Boolean& isRequest, String& logoutReason, String& partnerIdP, String& relayState)
   at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSLO(HttpRequestBase httpRequest, Boolean& isRequest, String& logoutReason, String& partnerIdP, String& relayState)
...

The PartnerIdentityProviderConfiguration is the following:

{
    "SingleSignOnServiceUrl": "https://redacted-adfs-url/ls/",
    "SingleSignOnServiceBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "SignAuthnRequest": false,
    "ForceAuthn": false,
    "WantAssertionOrResponseSigned": true,
    "WantSAMLResponseSigned": false,
    "WantAssertionSigned": true,
    "WantAssertionEncrypted": true,
    "ProviderName": null,
    "AuthnContextComparison": null,
    "DisableIdPInitiatedSso": false,
    "DisableAssertionReplayCheck": false,
    "DisableRecipientCheck": true,
    "DisableTimePeriodCheck": false,
    "DisableAudienceRestrictionCheck": false,
    "DisableAuthnContextCheck": false,
    "SingleLogoutServiceUrl": "https://redacted-adfs-url/ls/?wa=wsignout1.0",
    "SingleLogoutServiceResponseUrl": null,
    "SingleLogoutServiceBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "LogoutRequestLifeTime": "00:03:00",
    "SignLogoutRequest": true,
    "SignLogoutResponse": true,
    "WantLogoutRequestSigned": false,
    "WantLogoutResponseSigned": false,
    "EncryptLogoutNameID": false,
    "IssuerFormat": null,
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
    "SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "WantDigestMethod": null,
    "WantSignatureMethod": null,
    "KeyEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "KeyEncryptionDigestMethod": null,
    "KeyEncryptionMaskGenerationFunction": null,
    "DataEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "ClockSkew": "01:00:00",
    "AuthnContext": null,
    "UseEmbeddedCertificate": false,
    "EnableSha1Support": true,
    "DisableDestinationCheck": true,
    "DisableInboundLogout": true,
    "DisableOutboundLogout": false,
    "DisableInResponseToCheck": false,
    "DisablePendingLogoutCheck": false,
    "DisableLogoutResponseStatusCheck": false,
    "DisableClearAllSessionsOnLogout": false,
    "PartnerCertificates": [
        {
            "Use": 3,
            "String": null,
            "Key": "",
            "FileName": "\\\\secret-path\\Certificate.crt",
            "Password": "",
            "PasswordKey": null,
            "StoreLocation": 2,
            "StoreName": "My",
            "SerialNumber": "",
            "Thumbprint": "",
            "SubjectName": "",
            "Id": 0
        }
    ],
    "Name": "http://redacted-adfs-url/services/trust",
    "Description": null,
    "LocalCertificates": [
    ],
    "Id": 0
}

The same ADFS configuration is working for the old version.
Any ideas why I’m getting this and what needs to be changed to fix this issue?

Make sure to set PartnerIdentityProviderConfiguration.DisableInboundLogout to false.

I recommend configuring ADFS to use SHA-256 rather than SHA-1. This setting is available under the relying party’s Advanced properties tab.

Also, you shouldn’t have to set DisableRecipientCheck and DisableDestinationCheck to true. If these flags are set to false and an error occurs, it’s most likely a configuration mismatch between ADFS and your SP.

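To make the advice in this reply checkable rather than a matter of reading the JSON by eye, here is an added Python audit (not from the thread and not ComponentSpace code) that flags the settings discussed above: DisableInboundLogout set alongside a configured SLO endpoint, any Disable...Check flag set to true, SHA-1 algorithm URIs, and a signature URI placed in DigestMethod. The key names are those of the posted PartnerIdentityProviderConfiguration; the two dicts are constructed excerpts, not the full configs.

```python
# Algorithm URIs that ComponentSpace rejects once EnableSha1Support is false.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}
# XML DSig digest URIs: DigestMethod must hold one of these, never a signature URI.
DIGEST_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
}

# Constructed excerpt of the configuration posted in the question (audited keys only).
POSTED_CONFIG = {
    "SingleLogoutServiceUrl": "https://redacted-adfs-url/ls/?wa=wsignout1.0",
    "DisableRecipientCheck": True,
    "DisableDestinationCheck": True,
    "DisableInboundLogout": True,
    "EnableSha1Support": True,
    "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
    "SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}
# Constructed SHA-256 variant with the common slip of a signature URI in DigestMethod.
SHA256_CONFIG = {
    "SingleLogoutServiceUrl": "https://redacted-adfs-url/ls/?wa=wsignout1.0",
    "DisableInboundLogout": False,
    "EnableSha1Support": False,
    "DigestMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

def audit_partner_idp(cfg: dict) -> list[str]:
    """Return human-readable findings for one PartnerIdentityProviderConfiguration."""
    findings = []
    if cfg.get("DisableInboundLogout") and cfg.get("SingleLogoutServiceUrl"):
        findings.append("DisableInboundLogout: ReceiveSLO will reject logout from the IdP")
    # Every Disable...Check flag set to true removes one validation step from the SP.
    for key, value in sorted(cfg.items()):
        if key.startswith("Disable") and key.endswith("Check") and value is True:
            findings.append(f"{key}: validation disabled, fix the ADFS/SP mismatch instead")
    if cfg.get("EnableSha1Support"):
        findings.append("EnableSha1Support: SHA-1 signed assertions are accepted")
    for key in ("DigestMethod", "SignatureMethod"):
        if cfg.get(key) in SHA1_URIS:
            findings.append(f"{key}: SHA-1 in use, move to SHA-256")
    digest = cfg.get("DigestMethod")
    if digest and digest not in DIGEST_URIS:
        findings.append(f"DigestMethod: {digest} is not a digest URI, use xmlenc#sha256")
    return findings
```

Run `audit_partner_idp` over your own deserialized configuration; an empty list means none of the settings this thread warns about are present.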

Setting DisableInboundLogout resolved this issue, thanks for the help!

Yes, I wanted to make it work first before changing the algorithm to SHA-256.

And I’ll change DisableRecipientCheck and DisableDestinationCheck to false and see if that results in any error.

Thank you for the recommendations!

Thanks for the update.

After I changed the config to use SHA-256 I still get this error:

ComponentSpace.SAML2.Exceptions.SAMLNotSupportedException: SHA-1 algorithms are not supported.
   at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDigestMethod(String digestMethod)
   at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDigestAndSignatureMethods(XmlElement xmlElement)
   at ComponentSpace.SAML2.InternalSAMLServiceProvider.VerifySAMLAssertionSignature(Object samlAssertion)
   at ComponentSpace.SAML2.InternalSAMLServiceProvider.GetSAMLAssertion(SAMLResponse samlResponse, XmlElement samlResponseElement)
   at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
   at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
   at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
   at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, IDictionary`2& attributes, String& relayState)
...

{
    "SingleSignOnServiceUrl": "https://redacted-adfs-url/adfs/ls/",
    "SingleSignOnServiceBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "SignAuthnRequest": false,
    "ForceAuthn": false,
    "WantAssertionOrResponseSigned": true,
    "WantSAMLResponseSigned": false,
    "WantAssertionSigned": true,
    "WantAssertionEncrypted": true,
    "ProviderName": null,
    "AuthnContextComparison": null,
    "DisableIdPInitiatedSso": false,
    "DisableAssertionReplayCheck": false,
    "DisableRecipientCheck": false,
    "DisableTimePeriodCheck": false,
    "DisableAudienceRestrictionCheck": false,
    "DisableAuthnContextCheck": false,
    "SingleLogoutServiceUrl": "https://redacted-adfs-url/adfs/ls/?wa=wsignout1.0",
    "SingleLogoutServiceResponseUrl": null,
    "SingleLogoutServiceBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "LogoutRequestLifeTime": "00:03:00",
    "SignLogoutRequest": true,
    "SignLogoutResponse": true,
    "WantLogoutRequestSigned": false,
    "WantLogoutResponseSigned": false,
    "EncryptLogoutNameID": false,
    "IssuerFormat": null,
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "WantDigestMethod": null,
    "WantSignatureMethod": null,
    "KeyEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "KeyEncryptionDigestMethod": null,
    "KeyEncryptionMaskGenerationFunction": null,
    "DataEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "ClockSkew": "01:00:00",
    "AuthnContext": null,
    "UseEmbeddedCertificate": false,
    "EnableSha1Support": false,
    "DisableDestinationCheck": false,
    "DisableInboundLogout": false,
    "DisableOutboundLogout": false,
    "DisableInResponseToCheck": false,
    "DisablePendingLogoutCheck": false,
    "DisableLogoutResponseStatusCheck": false,
    "DisableClearAllSessionsOnLogout": false,
    "PartnerCertificates": [
        {
            "Use": 3,
            "String": null,
            "Key": "",
            "FileName": "\\\\secret-path\\Certificate.crt",
            "Password": "",
            "PasswordKey": null,
            "StoreLocation": 2,
            "StoreName": "My",
            "SerialNumber": "",
            "Thumbprint": "",
            "SubjectName": "",
            "Id": 0
        }
    ],
    "Name": "http://redacted-adfs-url/adfs/services/trust",
    "Description": null,
    "LocalCertificates": [
    ],
    "Id": 0
}

What is still using SHA-1?

It looks like ADFS is still signing using SHA-1 rather than SHA-256.

Please update the relying party properties in the ADFS admin console to specify SHA-256. This is under the Advanced properties tab.
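To answer "what is still using SHA-1" from the message itself rather than from the SP settings, here is an added Python script (not from the thread and not ComponentSpace code) that lists every XML signature in a SAML response together with the element it signs and the algorithms it uses. The sample response is constructed to mirror the situation above: a Response signed with SHA-256 wrapping an Assertion still signed with SHA-1, which is what the CheckDigestMethod exception points at. Because the assertions here are encrypted, it assumes you run it on the decrypted assertion (or the library's trace output), not on the raw EncryptedAssertion.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URIS = {f"{DS}sha1", f"{DS}rsa-sha1"}

# Constructed sample: a Response signed with SHA-256 that carries an Assertion
# still signed with SHA-1, the shape behind the CheckDigestMethod exception above.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="{DS}" ID="_r1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="{DS}sha1"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def signature_algorithms(xml_text: str) -> list[dict]:
    """Report, for every ds:Signature, which element it signs and which algorithms it uses."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed_info = sig.find(f"{{{DS}}}SignedInfo")
        sig_alg = signed_info.find(f"{{{DS}}}SignatureMethod").get("Algorithm")
        digest_algs = [ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
                       for ref in signed_info.findall(f"{{{DS}}}Reference")]
        parent = parent_of.get(sig, root)
        report.append({
            "signs": parent.tag.split("}")[-1],          # local name: Response / Assertion
            "signature_method": sig_alg,
            "digest_methods": digest_algs,
            "uses_sha1": sig_alg in SHA1_URIS or any(d in SHA1_URIS for d in digest_algs),
        })
    return report

def sha1_signers(xml_text: str) -> list[str]:
    """Names of the signed elements whose signature still relies on SHA-1."""
    return [entry["signs"] for entry in signature_algorithms(xml_text) if entry["uses_sha1"]]

if __name__ == "__main__":
    for entry in signature_algorithms(SAMPLE_RESPONSE):
        print(entry)
    print("still using SHA-1:", sha1_signers(SAMPLE_RESPONSE))
```

If the Assertion shows up in `sha1_signers` while the Response does not, the relying party's secure hash algorithm in ADFS is what still needs changing, not the SP configuration.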