SAMLServiceProvider.InitiateSLO ignores NameIDFormat set in Configuration

Hi, the logout request always uses 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' as the NameIDFormat, regardless of the configuration.
1. Before calling InitiateSLO, settings screenshot: https://www.screencast.com/t/zDpZmOlBa7
2. XML in the OnLogoutRequestSent observer: https://www.screencast.com/t/3WIMpywec

As you can see, the setting is ignored. How do I set the necessary NameIDFormat?

The NameIDFormat configuration parameter doesn't specify the format in the logout request.
The NameID from the SAML assertion is used as the NameID in the logout request.
This is required by the SAML v2.0 specification.
For example, the SP receives the following SAML assertion.

<saml:Assertion Version="2.0" ID="_aa7124af-1078-4b71-b83c-f2aea2cf88ca"
    IssueInstant="2017-07-06T00:21:52.038Z"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://localhost/ExampleIdentityProvider</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">idp-user</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2017-07-06T00:24:52.039Z"
          Recipient="http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx"
          InResponseTo="_2ef2631b-a8b3-42ed-be2e-0241dfcbb254" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-07-06T00:18:52.038Z" NotOnOrAfter="2017-07-06T00:24:52.038Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://localhost/ExampleServiceProvider</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-07-06T00:21:52.04Z"
      SessionIndex="_aa7124af-1078-4b71-b83c-f2aea2cf88ca">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>

The logout request sent to the IdP includes the exact same NameID.

<samlp:LogoutRequest ID="_34a683b9-3ac2-4429-877e-7135bd37101a" Version="2.0"
    IssueInstant="2017-07-06T00:21:54.153Z"
    Destination="http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx"
    NotOnOrAfter="2017-07-06T00:24:54.153Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    http://localhost/ExampleServiceProvider
  </saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp-user</saml:NameID>
  <samlp:SessionIndex>_aa7124af-1078-4b71-b83c-f2aea2cf88ca</samlp:SessionIndex>
</samlp:LogoutRequest>

For the SP, the NameIDFormat configuration property specifies the NameID policy included in the SAML authn request sent to the IdP.
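As an added illustration (not the vendor's code, and independent of any particular SAML library), the following Python models the behaviour described in the reply above: the NameID value and its Format are taken from the received assertion and echoed unchanged in the LogoutRequest, and the receiving side checks that the logout request names the same subject and session it is ending. The entity IDs and URLs are those quoted in the thread; the assertion is a constructed sample trimmed to the elements SLO needs.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed sample, trimmed to the elements SLO needs; values follow the thread's assertion.
ASSERTION_XML = f"""<saml:Assertion Version="2.0" ID="_aa7124af-1078-4b71-b83c-f2aea2cf88ca" xmlns:saml="{SAML}">
  <saml:Issuer>http://localhost/ExampleIdentityProvider</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">idp-user</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement SessionIndex="_aa7124af-1078-4b71-b83c-f2aea2cf88ca"/>
</saml:Assertion>"""

def session_from_assertion(xml_text):
    # What the SP must retain from the assertion for SLO: NameID value, its Format, and SessionIndex.
    root = ET.fromstring(xml_text)
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    authn = root.find(f"{{{SAML}}}AuthnStatement")
    return {"name_id": name_id.text,
            "format": name_id.get("Format"),   # comes from the assertion, not from SP configuration
            "session_index": authn.get("SessionIndex")}

def build_logout_request(session, sp_entity_id, destination):
    # The LogoutRequest echoes the assertion's NameID (value and Format) and SessionIndex unchanged.
    now = datetime.now(timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": stamp(now),
                      "Destination": destination, "NotOnOrAfter": stamp(now + timedelta(minutes=3))})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    nid = ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": session["format"]})
    nid.text = session["name_id"]
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session["session_index"]
    return ET.tostring(req, encoding="unicode")

def logout_matches_session(logout_xml, session):
    # Receiver-side check: the request must name the same subject, in the same Format, for the same session.
    root = ET.fromstring(logout_xml)
    nid = root.find(f"{{{SAML}}}NameID")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    return (nid is not None and idx is not None
            and nid.text == session["name_id"]
            and nid.get("Format") == session["format"]
            and idx.text == session["session_index"])
```

Changing the SP's NameIDFormat setting alters only the NameIDPolicy in the authn request; whatever Format the IdP then returns in the assertion is what the logout request carries.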