Alavalathi

Reputation: 753

ADFS Single Logout fails with Requester status code

Trying to integrate a SAML service provider application with AD FS. SSO works fine. For SLO the logout fails with 'Requester' status code. There's no logging/tracing information from the event viewer for ADFS service for this specific error. The question had been asked several times before, most of them point to an invalid NameId sent in LogoutRequest. However, the LogoutRequest NameId seems alright. Also tried storing the session index and send as SessionIndex, but the error was the same. Here are the relevant messages

AssertionResponse Subject

<Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_43372d41-c455-4322-970a-db4c1acf73bc"
                                 NotOnOrAfter="2021-03-03T09:41:58.596Z"
                                 Recipient="https://myapp.corp2.dev.net:8050/saml2/adfs/acs"/>
    </SubjectConfirmation>
</Subject>

LogoutRequest

<samlp:LogoutRequest Destination="https://adfs.corp2.contoso.net/adfs/ls/"
    ID="_5bcedc5e-8847-41c6-95b3-29740f0463ec" IssueInstant="2021-03-03T09:37:03Z" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://myapp.corp2.dev.net:8050/saml2/adfs/metadata</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
</samlp:LogoutRequest>

LogoutResponse

<samlp:LogoutResponse ID="_85f5200f-179a-40f8-a139-97c482cf2900"
        Version="2.0" IssueInstant="2021-03-03T09:37:03.314Z"
        Destination="https://myapp.corp2.dev.net:8050/saml2/adfs/logout"
        Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
        InResponseTo="_5bcedc5e-8847-41c6-95b3-29740f0463ec"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                http://adfs.corp2.contoso.net/adfs/services/trust
        </Issuer>
        <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
        </samlp:Status>
</samlp:LogoutResponse>

Upvotes: 1

Views: 894

Answers (1)

Wiktor Zychla

Reputation: 48279

Your NameID is still missing other attributes ADFS requires in logout requests.

In particular, you miss

  • SPNameQualifier
  • NameQualifier
  • SPProvidedID
  • SessionIndex

All have to be retrieved from the assertion that comes to your SP upon authentication and then copied to the logout request (consult the LogoutRequest model to find out where to put them).

Technically you can store them as additional claims or properties of the name claim you create at your SP.

Edit 1: double-checked these. Though I have only ADFS2 at hand (which should not be a problem since SAML2 support is there, too).

The SPProvidedID is not there in the assertion in the first place so it's not in the logout request. Other attributes are there. The signature is also there; note that according to the specs, logout requests have to be signed. Make sure the signature's hash algorithm matches the one you set up in ADFS.

An example logout request that is accepted by ADFS:

<samlp:LogoutRequest xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" 
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
                     ID="_g9b2ba1ab-78c0-409e-a009-3fe4941072e2" 
                     Version="2.0" IssueInstant="2021-03-04T08:48:24.198609Z" 
                     Destination="https://adfs.odev1.local/adfs/ls/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://localhost:44307/Account/Logon</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_g9b2ba1ab-78c0-409e-a009-3fe4941072e2">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>VuQ...=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>XFO/...==</SignatureValue>
    </Signature>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
                 SPNameQualifier="https://localhost:44307/Account/Logon" 
                 NameQualifier="https://adfs.odev1.local/adfs/ls">DEV1\wiktor</saml:NameID>
    <samlp:SessionIndex>_cb98e9ca-b3b9-46cb-a30a-5a6980d8703e</samlp:SessionIndex>
</samlp:LogoutRequest>

Upvotes: 1
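The answer above boils down to one rule: the LogoutRequest's NameID must carry the same value and the same qualifier attributes (NameQualifier, SPNameQualifier, SPProvidedID when present) as the NameID in the assertion the SP received, and the SessionIndex from the AuthnStatement must be echoed back. The following script is an added example, not code from the question, the answer or any library: it pulls those fields out of a constructed sample assertion, builds a LogoutRequest from them, and reports which required fields a given LogoutRequest is missing relative to its assertion (the question's original request would fail that check on three fields). All hostnames, IDs and the `EXAMPLE\jdoe` user are placeholders. Signing the request, which the answer notes ADFS also requires, is a separate step with an XML-DSig library and is not covered here.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])

# NameID attributes that must be copied verbatim from assertion to LogoutRequest.
NAMEID_ATTRS = ("Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")

# Constructed sample assertion (placeholder hosts/IDs, not real ADFS output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion-1" Version="2.0" IssueInstant="2021-03-03T09:36:58Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="http://adfs.example.test/adfs/services/trust"
                 SPNameQualifier="https://sp.example.test/saml2/metadata">EXAMPLE\\jdoe</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2021-03-03T09:36:58Z" SessionIndex="_session-abc123"/>
</saml:Assertion>"""

# Constructed request in the shape the question posted: NameID carries only Format.
BARE_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-1" Version="2.0"
    IssueInstant="2021-03-03T09:37:03Z" Destination="https://adfs.example.test/adfs/ls/">
  <saml:Issuer>https://sp.example.test/saml2/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">EXAMPLE\\jdoe</saml:NameID>
</samlp:LogoutRequest>"""


def extract_logout_context(assertion_xml):
    """Collect from the assertion everything the SP must store for later SLO."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    ctx = {"name_id_value": (name_id.text or "").strip()}
    for attr in NAMEID_ATTRS:
        if attr in name_id.attrib:  # SPProvidedID is usually absent, as the answer notes
            ctx[attr] = name_id.attrib[attr]
    authn = root.find("saml:AuthnStatement", NS)
    if authn is not None and "SessionIndex" in authn.attrib:
        ctx["SessionIndex"] = authn.attrib["SessionIndex"]
    return ctx


def build_logout_request_xml(assertion_xml, issuer, destination, request_id=None):
    """Build an (unsigned) LogoutRequest that echoes the stored NameID and SessionIndex."""
    ctx = extract_logout_context(assertion_xml)
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": request_id or "_" + str(uuid.uuid4()),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    name_id = ET.SubElement(req, f"{{{NS['saml']}}}NameID",
                            {a: ctx[a] for a in NAMEID_ATTRS if a in ctx})
    name_id.text = ctx["name_id_value"]
    if "SessionIndex" in ctx:
        ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = ctx["SessionIndex"]
    return ET.tostring(req, encoding="unicode")


def missing_logout_fields(request_xml, assertion_xml):
    """Names of fields the request lacks or mismatches relative to the assertion."""
    ctx = extract_logout_context(assertion_xml)
    req = ET.fromstring(request_xml)
    req_name_id = req.find("saml:NameID", NS)
    if req_name_id is None:
        return ["NameID"]
    problems = []
    if (req_name_id.text or "").strip() != ctx["name_id_value"]:
        problems.append("NameID value")
    for attr in NAMEID_ATTRS:
        if attr in ctx and req_name_id.attrib.get(attr) != ctx[attr]:
            problems.append(attr)
    if "SessionIndex" in ctx:
        si = req.find("samlp:SessionIndex", NS)
        if si is None or (si.text or "").strip() != ctx["SessionIndex"]:
            problems.append("SessionIndex")
    return problems


if __name__ == "__main__":
    print("bare request is missing:", missing_logout_fields(BARE_REQUEST, SAMPLE_ASSERTION))
    full = build_logout_request_xml(SAMPLE_ASSERTION,
                                    "https://sp.example.test/saml2/metadata",
                                    "https://adfs.example.test/adfs/ls/")
    print(full)
    print("built request is missing:", missing_logout_fields(full, SAMPLE_ASSERTION))
```

Running `missing_logout_fields` against a captured LogoutRequest and the assertion it belongs to is a quick way to explain a `Requester` status when ADFS logs nothing: the check lists exactly which qualifiers or the SessionIndex were dropped between login and logout.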
