Unable to Sign Logout Request

I've been wrapping my head around this for days. I'm using VB.NET and SHA1. Below is the code I wrote to create the logout request, sign it, and then send it…

' Build the logout request (low-level API)
logoutRequest.Issuer = issuer
logoutRequest.NotOnOrAfter = DateTime.UtcNow.Add(TimeSpan.FromMinutes(10))
logoutRequest.Reason = "urn:oasis:names:tc:SAML:2.0:logout:user"
logoutRequest.NameID = nameID
logoutRequest.ID = localToken.UniqueID
logoutRequest.SessionIndexes.Add(New SessionIndex(localToken.SessionIndex))
logoutRequest.Destination = Tools.ReadAppSettings("LogoutUrl")

' Serialize to XML, sign it with the SSL cert's private key, then send by HTTP POST
Dim logoutRequestXml As XmlElement = logoutRequest.ToXml()
SAMLAssertionSignature.Generate(logoutRequestXml, ApplianceEnvironment.Certificate.SSLCert.PrivateKey, ApplianceEnvironment.Certificate.SSLCert)
SingleLogoutService.SendLogoutRequestByHTTPPost(Response, logoutRequest.Destination.ToString(), logoutRequestXml, relayState)

The Certs should be correct. Below is the outerXml of logoutRequest:
<samlp:LogoutRequest ID="501d481e-98a7-4102-b640-db843f7ebc44" Version="2.0" IssueInstant="2017-10-24T23:25:58.265Z" Destination="https://vm-oc1-cd0523.sacustom.local/sloclient2/saml/sloservice.aspx" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" NotOnOrAfter="2017-10-24T23:35:58.265Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://vm-oc1-cd0523.sacustom.local/SecureAuth2/</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">jpham</saml:NameID>
  <samlp:SessionIndex>_fc8a91dc-1719-41e4-9d62-6e4f7cc0a981</samlp:SessionIndex>
</samlp:LogoutRequest>

I’m getting the error:
Failed to generate XML signature
inner text: Malformed Refrence Element

Any help would be greatly appreciated. I’ve been banging my head against the walls for days over this.


Instead of calling SAMLAssertionSignature.Generate you need to call SAMLMessageSignature.Generate.
SAMLAssertionSignature.Generate is for signing SAML assertions.
SAMLMessageSignature.Generate is for signing SAML messages including logout requests.
You’re using the SAML low-level API.
If you were to use the SAML high-level API, this is all handled automatically for you.

[quote]
ComponentSpace - 10/24/2017
Instead of calling SAMLAssertionSignature.Generate you need to call SAMLMessageSignature.Generate.
SAMLAssertionSignature.Generate is for signing SAML assertions.
SAMLMessageSignature.Generate is for signing SAML messages including logout requests.
You're using the SAML low-level API.
If you were to use the SAML high-level API, this is all handled automatically for you.
[/quote]

I didn't know I was using the low-level API. How may I start using the high-level API? This is a project I inherited from someone that is no longer a developer.

The high-level API was introduced in 2013. You need v2.5.0 or higher.
If you have existing code using the low-level API or you’re using an earlier release, you might prefer to stick with the low-level API.
The high-level API simplifies the code required in your application to support SAML SSO.
Usually, instead of dozens of lines of code, you’ll only need a few lines of code.
Implementing single logout, especially if you’re the identity provider, can be a bit involved as you have to remember state for each of the service providers for which there’s an SSO session. The high-level API handles all this complexity for you.
For example, to build and send a logout request you would call:
SAMLIdentityProvider.InitiateSLO.

[quote]
ComponentSpace - 10/24/2017
The high-level API was introduced in 2013. You need v2.5.0 or higher.
If you have existing code using the low-level API or you're using an earlier release, you might prefer to stick with the low-level API.
The high-level API simplifies the code required in your application to support SAML SSO.
Usually, instead of dozens of lines of code, you'll only need a few lines of code.
Implementing single logout, especially if you're the identity provider, can be a bit involved as you have to remember state for each of the service providers for which there's an SSO session. The high-level API handles all this complexity for you.
For example, to build and send a logout request you would call:
SAMLIdentityProvider.InitiateSLO.
[/quote]

Awesome! I'm going to talk to the team about upgrading, although I'm unsure if we aren't already on the newest version. In either case, thank you so much for the quick responses! Phenomenal reply-time!

You’re welcome.
The following forum post explains how to work out what version you’re on.
https://www.componentspace.com/Forums/31/Determining-the-Component-Version-and-License
The current version as of October 2017 is v2.8.5.

[quote]
ComponentSpace - 10/24/2017
Instead of calling SAMLAssertionSignature.Generate you need to call SAMLMessageSignature.Generate.
SAMLAssertionSignature.Generate is for signing SAML assertions.
SAMLMessageSignature.Generate is for signing SAML messages including logout requests.
You're using the SAML low-level API.
If you were to use the SAML high-level API, this is all handled automatically for you.
[/quote]

In the service provider, I'm receiving the same signed response with the following code...
// C# in the SP's SLO endpoint (high-level API)
bool isRequest;
string logoutReason;
string partnerIdP;
SAMLServiceProvider.ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP);
if (isRequest) {
    // IdP-initiated logout: end the local session, then send the logout response
    FormsAuthentication.SignOut();
    SAMLServiceProvider.SendSLO(Response, null);
}

When I receive an unsigned request, it works. But when the IdP sends a signed logout request, the SP won't sign out anymore. Is there anything different I need to do when receiving "signed logout requests" vs "unsigned logout requests"?

No, there shouldn’t be.
Is an exception being thrown?
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
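As an added example (not ComponentSpace's code, nor the original poster's), here is the layout check a service provider can apply to a signed LogoutRequest, which ties together the "Malformed Reference Element" error above and the signed-request handling in ReceiveSLO: a message-level signature sits as a direct child right after saml:Issuer and its single Reference points at the message's own ID attribute, which is exactly what an assertion signer does not find on a protocol message. The sample message, its IDs and URLs are constructed, and cryptographic verification of SignatureValue is assumed to be done by the SAML library; this check only complements it.

```python
import xml.etree.ElementTree as ET
SAMLP, SAML, DS = ("urn:oasis:names:tc:SAML:2.0:protocol",
                   "urn:oasis:names:tc:SAML:2.0:assertion", "http://www.w3.org/2000/09/xmldsig#")
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
ENVELOPED = DS + "enveloped-signature"
# Constructed sample (not a real capture): a LogoutRequest signed as a message,
# i.e. ds:Signature directly after saml:Issuer with its Reference pointing at
# the message's own ID. SignatureValue is a placeholder, so only layout is checked.
SIGNED_LOGOUT_REQUEST = """<samlp:LogoutRequest ID="_example-1" Version="2.0"
  IssueInstant="2017-10-24T23:25:58Z" Destination="https://sp.example/slo"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_example-1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:NameID>jpham</saml:NameID>
  <samlp:SessionIndex>_session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def check_logout_request_signature(xml_text):
    """Return structural problems with the message signature ([] = layout OK)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return ["root element is not samlp:LogoutRequest"]
    problems, msg_id = [], root.get("ID")
    if not msg_id:
        problems.append("LogoutRequest has no ID attribute")
    kids, sig, issuer = [c.tag for c in root], f"{{{DS}}}Signature", f"{{{SAML}}}Issuer"
    if kids.count(sig) != 1:
        return problems + ["expected exactly one ds:Signature as a direct child"]
    # SAML 2.0 schema order for a protocol message: Issuer first, then Signature.
    if issuer not in kids or kids.index(sig) != kids.index(issuer) + 1:
        problems.append("ds:Signature is not the element directly after saml:Issuer")
    refs = root.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        problems.append("expected exactly one ds:Reference")
    else:
        uri = refs[0].get("URI", "")
        if uri != "#" + (msg_id or ""):
            problems.append(f"Reference URI {uri!r} does not point at the message ID")
        algs = {t.get("Algorithm") for t in refs[0].findall("ds:Transforms/ds:Transform", NS)}
        if ENVELOPED not in algs:
            problems.append("Reference lacks the enveloped-signature transform")
    # The signed ID must not be reused by any nested element (signature-wrapping defence).
    if msg_id and any(e.get("ID") == msg_id for e in root.iter() if e is not root):
        problems.append("message ID is reused by a nested element")
    return problems
```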

Nevermind, it works!

Ok, thanks. I’m glad you got it working.