Hi,
We have a .NET Framework 4.8 build with a SAML licensed package from 2020.
We are experiencing a problem with single logout. Our login provider says that the LogoutRequest is not built properly. They say that the attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" should be in the samlp:LogoutRequest tag and not in saml:Issuer and saml:NameId.
This is how our service provider produces LogoutRequest:
Both are equally valid. The XML namespace declaration can be at the XML element or one of its ancestor elements.
All XML that we generate, including logout messages, validates against the SAML XML schema.
You can check this yourself using the ValidateAgainstSchema console app project under the Examples\Utility folder.
We use the .NET framework classes for constructing the XML. These classes determine the optimum placement of the XML declarations. The assertion namespace declaration isn’t required at the LogoutRequest element level and therefore isn’t placed there.
If the partner provider cannot process the logout request, this is a limitation in their implementation.
However, I would check with them that this is the actual error. There might be some other issue and they’ve looked at the logout request XML and decided the namespace declarations are the issue, perhaps not fully understanding how XML works.
Hi again,
If the IdP fails with the message "The site you try to log on has wrong signature", where should I look for the problem?
The login works fine and the certificates are OK. The ComponentSpace log shows no error, only a success message:
“An SSO response from the partner identity provider https://et-broker.unilogin.dk/auth/realms/broker has been successfully received.”
That sounds like an error being reported at the IdP rather than at your SP site.
It’s odd that they would report a signature issue but proceed with the login and then send a successful SAML response to your SP.
I suggest asking for more detail from the IdP. If it’s a signature issue, check that they’re using the correct SP certificate to verify the signature on the SAML authn request.
If there’s still an issue, please send the SAML log file as an email attachment to support@componentspace.com mentioning your forum post.
But shouldn’t there be a signature element in the logout request we send?
Look at the first screenshot in the first post - there isn’t any.
The saml.config looks like this:
By default logout messages are sent using the HTTP-Redirect binding rather than HTTP-Post.
The logout request is sent as an encoded query string parameter. It isn’t signed using an XML signature as this could result in a URL that’s too long for browsers. The HTTP-Redirect binding defines a different signature mechanism with the signature included as a separate query string parameter.
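The two points made in this thread (the namespace declaration can sit on any ancestor element, and the HTTP-Redirect logout request is signed via separate SigAlg/Signature query parameters rather than an XML signature) as an added, stand-alone Python example; this is not ComponentSpace code. It assumes constructed sample messages, a hypothetical `signer` callback in place of a real RSA key, and placeholder example.test URLs.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample messages. VARIANT_A declares xmlns:saml on the child elements (as the
# poster's SP emits it); VARIANT_B declares it once on LogoutRequest (what the IdP asked for).
HEAD = f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"'
BODY = ">{i}https://sp.example.test/</saml:Issuer>{n}user@example.test</saml:NameID></samlp:LogoutRequest>"
VARIANT_A = HEAD + BODY.format(i=f'<saml:Issuer xmlns:saml="{SAML}">', n=f'<saml:NameID xmlns:saml="{SAML}">')
VARIANT_B = HEAD + f' xmlns:saml="{SAML}"' + BODY.format(i="<saml:Issuer>", n="<saml:NameID>")

def encode_redirect_request(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_octets(saml_request, sig_alg, relay_state=None):
    # The exact octets the HTTP-Redirect signature covers: SAMLRequest=..[&RelayState=..]&SigAlg=..,
    # URL-encoded and in that order. The signature itself travels in a separate Signature parameter.
    params = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return urlencode(params)

def build_logout_redirect(idp_slo_url, xml_text, signer=None):
    # signer(bytes) -> raw signature bytes (hypothetical callback; RSA-SHA256 over signed_octets in practice).
    # signer=None reproduces what the poster saw with logout signing off: no SigAlg/Signature at all.
    req = encode_redirect_request(xml_text)
    if signer is None:
        return f"{idp_slo_url}?{urlencode([('SAMLRequest', req)])}"
    query = signed_octets(req, RSA_SHA256)
    sig = base64.b64encode(signer(query.encode())).decode()
    return f"{idp_slo_url}?{query}&{urlencode([('Signature', sig)])}"

def inspect_logout_redirect(url):
    # SP-side check of what a logout redirect actually carries. ElementTree resolves prefixes to
    # namespace URIs, so the result is identical whichever element declares xmlns:saml.
    qs = parse_qs(urlsplit(url).query)
    root = ET.fromstring(decode_redirect_request(qs["SAMLRequest"][0]))
    return {"message": root.tag.split("}")[1], "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "name_id": root.findtext(f"{{{SAML}}}NameID"), "signed": "SigAlg" in qs and "Signature" in qs}
```

Running `inspect_logout_redirect` over the URL captured in the SAML log is a quick way to confirm whether the SigAlg and Signature parameters are actually present before debating namespace placement with the IdP.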
That makes sense.
But I couldn’t see the last part in the query string in the SAML log.
Until I explicitly added SignLogoutRequest="true" to PartnerIdentityProvider in saml.config (which should be true by default).
And now everything works!!!