SAML config for ADFS with logout

Hi,
I need to run login and logout SP with ADFS. My web application works with ADFS and login is fine, but I have a challenge with logout: when I use the default config with logout it does not work, and the error comes from bad configuration in SAML.config.

Can you please give me a simple SAML.config with SSO and SLO for the web application example?

The following is from our ExampleServiceProvider’s saml.config.

<PartnerIdentityProvider Name="http://adfs.test/adfs/services/trust"
                         Description="ADFS"
                         SignAuthnRequest="true"
                         SignLogoutRequest="true"
                         WantAssertionEncrypted="true"
                         WantLogoutResponseSigned="true"
                         SingleSignOnServiceUrl="https://adfs.test/adfs/ls/"
                         SingleLogoutServiceUrl="https://adfs.test/adfs/ls/"
                         PartnerCertificateFile="Certificates\adfs.cer"/>

Your configuration will have different Name and URL properties.
If you’re still having an issue, please send your saml.config file to support@componentspace.com.
Also, please enable SAML trace and include the generated log file as an email attachment.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - 2/1/2018
The following is from our ExampleServiceProvider's saml.config.

<PartnerIdentityProvider Name="http://adfs.test/adfs/services/trust"
                         Description="ADFS"
                         SignAuthnRequest="true"
                         SignLogoutRequest="true"
                         WantAssertionEncrypted="true"
                         WantLogoutResponseSigned="true"
                         SingleSignOnServiceUrl="https://adfs.test/adfs/ls/"
                         SingleLogoutServiceUrl="https://adfs.test/adfs/ls/"
                         PartnerCertificateFile="Certificates\adfs.cer"/>

Your configuration will have different Name and URL properties.
If you're still having an issue, please send your saml.config file to support@componentspace.com.
Also, please enable SAML trace and include the generated log file as an email attachment.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Thank you so much for your answer. I changed some values and used this config on my SP, but I still have an error. It happens after I put my username and pass in the ADFS dialog and click OK.

Please ensure that your assertion consumer service URL is configured for your relying party in ADFS.
This is under the Endpoints tab and is the SAML Assertion Consumer Endpoint.
The assertion consumer service is the endpoint where you call SAMLServiceProvider.ReceiveSSO.
For example: “http://www.sp.com/MvcExampleServiceProvider/SAML/AssertionConsumerService.aspx”.


Hi, I checked all the addresses and the certificate; everything is fine and all the addresses in Endpoints are correct. But every time I want to log in, after I put my username and pass in the ADFS dialog box I get an error. Below is the error from the ADFS log. Please, if you could help me to remove this issue.
----------------------------------------


Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
urn:componentspace:ExampleServiceProvider

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.AssertionConsumerServiceUrlDoesNotMatchPolicyException: MSIS3200: No AssertionConsumerService is configured on the relying party trust ‘urn:componentspace:ExampleServiceProvider’ that is a prefix match of the AssertionConsumerService URL ‘http://www.sp.com/ExampleServiceProvider/SAML/AssertionConsumerService.aspx’ specified by the request.
at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity)
at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription)

The AssertionConsumerServiceUrlDoesNotMatchPolicyException means that the specified assertion consumer service URL isn’t configured for the relying party.
Please ensure the URL http://www.sp.com/ExampleServiceProvider/SAML/AssertionConsumerService.aspx is listed under the ExampleServiceProvider relying party’s properties End Points tab as an assertion consumer service.
If there’s still an issue, include the ADFS error event log entries as well as the End Points property tab.
Are the screen shots related?
These show ADFS complaining that no signature certificate is configured for the ExampleIdentityProvider claims provider.
Are you using both the ExampleServiceProvider relying party and ExampleIdentityProvider claims provider?

[quote]
ComponentSpace - 2/4/2018
The AssertionConsumerServiceUrlDoesNotMatchPolicyException means that the specified assertion consumer service URL isn't configured for the relying party.
Please ensure the URL http://www.sp.com/ExampleServiceProvider/SAML/AssertionConsumerService.aspx is listed under the ExampleServiceProvider relying party's properties End Points tab as an assertion consumer service.
If there's still an issue, include the ADFS error event log entries as well as the End Points property tab.
Are the screen shots related?
These show ADFS complaining that no signature certificate is configured for the ExampleIdentityProvider claims provider.
Are you using both the ExampleServiceProvider relying party and ExampleIdentityProvider claims provider?
[/quote]

Thank you. I called the IIS URL with HTTPS, and my ADFS server and ISP time zone were different, so I changed them and set them to one time zone, then I tested it. I can log in and it is successful, but when I click on logout and trace the code, the isRequest Boolean is always false and it does not go into this condition.
Could you please tell me how I can log out with the lines of code in red below?


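using System;
using System.Web.Security;
using ComponentSpace.SAML2;

namespace ExampleServiceProvider.SAML
{
    public partial class SLOService : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // ..... (code omitted in the original post)
            // Out parameters populated by ReceiveSLO.
            bool isRequest;
            string logoutReason;
            string partnerIdP;
            string relayState;

            // Receive either a logout request or a logout response from the IdP.
            SAMLServiceProvider.ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP, out relayState);

            if (isRequest)
            {
                // Logout locally.
                FormsAuthentication.SignOut();

                // Respond to the IdP-initiated SLO request indicating successful logout.
                SAMLServiceProvider.SendSLO(Response, null);
            }
            else
            {
                // SP-initiated SLO has completed.
                FormsAuthentication.RedirectToLoginPage();
            }
        }
    }
}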

SAMLServiceProvider.ReceiveSLO can receive either a SAML logout request or logout response.
The isRequest parameter is set to true if a logout request is received and to false if a logout response is received.
For SP-initiated SLO, i.e. where you’ve previously called SAMLServiceProvider.InitiateSLO, you would expect isRequest to be false as the IdP is sending a logout response.
For IdP-initiated SLO, you would expect isRequest to be true as the IdP is sending a logout request. You then need to call SAMLServiceProvider.SendSLO to send a logout response.
The code you’ve highlighted is to handle IdP-initiated SLO. You would need to initiate logout from the IdP for this to execute.
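
An added, library-independent illustration of the request/response distinction described above (not part of the original posts and not ComponentSpace code): it decodes a message arriving at the SLO endpoint and reports whether it is a LogoutRequest or a LogoutResponse. It assumes the HTTP-Redirect binding; the sample messages, `classify_slo` and `redirect_encode` are constructed for this example, and signature validation is left out.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MAX_XML = 64 * 1024  # cap on inflated size, guards against deflate bombs

# Constructed sample messages (trimmed to the attributes this example reads).
LOGOUT_REQUEST = f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_idp1" Version="2.0"/>'
LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_idp2" InResponseTo="_sp1">'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
    "</samlp:LogoutResponse>"
)


def redirect_encode(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def classify_slo(params: dict) -> dict:
    """Classify a message at the SLO endpoint. Signature checks are out of scope here."""
    if ("SAMLRequest" in params) == ("SAMLResponse" in params):
        raise ValueError("expected exactly one of SAMLRequest / SAMLResponse")
    is_request = "SAMLRequest" in params
    value = params["SAMLRequest" if is_request else "SAMLResponse"]
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(base64.b64decode(value, validate=True), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated message exceeds size cap")
    root = ET.fromstring(xml)
    expected = "LogoutRequest" if is_request else "LogoutResponse"
    if root.tag != f"{{{SAMLP}}}{expected}":
        raise ValueError(f"parameter/element mismatch: {root.tag}")
    result = {"is_request": is_request, "id": root.get("ID")}
    if not is_request:
        # A response ends SP-initiated SLO; it should answer the request the SP sent.
        code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        result["in_response_to"] = root.get("InResponseTo")
        result["success"] = code is not None and code.get("Value") == SUCCESS
    return result
```

With `WantLogoutResponseSigned="true"` as in the configuration earlier in the thread, the signature on a logout response has to be verified before its status is acted on.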

[quote]
ComponentSpace - 2/6/2018
SAMLServiceProvider.ReceiveSLO can receive either a SAML logout request or logout response.
The isRequest parameter is set to true if a logout request is received and to false if a logout response is received.
For SP-initiated SLO, i.e. where you’ve previously called SAMLServiceProvider.InitiateSLO, you would expect isRequest to be false as the IdP is sending a logout response.
For IdP-initiated SLO, you would expect isRequest to be true as the IdP is sending a logout request. You then need to call SAMLServiceProvider.SendSLO to send a logout response.
The code you’ve highlighted is to handle IdP-initiated SLO. You would need to initiate logout from the IdP for this to execute.

[/quote]

Thank you so much.

You’re welcome.