SAML Single Logout + Microsoft ADFS - problem with missing NameID Format, Event ID 368


Jaroslav Kačer

Oct 9, 2017, 12:35:32 PM
to Pac4j users mailing list
Hello everybody!

Unfortunately it seems I encountered an issue in PAC4J SAML Single Logout, when using PAC4J 2.0.0 against Microsoft ADFS 2.

On a logout request, I got the following error in the log and the logout request did not succeed:

Event ID 368

The SAML Single Logout request does not correspond to the logged-in session participant.
Requestor: urn:idc:authentication:saml2:entity:cas:qa-2016:idcadfs
Request name identifier: Format: , NameQualifier:  SPNameQualifier: , SPProvidedId:  
Logged-in session participants:
Count: 1,
[ Issuer: urn:idc:authentication:saml2:entity:cas:qa-2016:idcadfs,
NameID: (Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier:  SPNameQualifier: , SPProvidedId: ) ]  



ADFS does not like the difference in the NameID's format. From the original authentication, it remembers it was "urn:oasis:names:tc:SAML:2.0:nameid-format:transient". But the request does not contain it. Here is the relevant piece of the request XML:

...
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">test1@xxxxxxxxx</saml2:NameID>
<saml2p:SessionIndex>_bb12e9c0-97f1-43a0-b409-c353d63fd8b1</saml2p:SessionIndex>
</saml2p:LogoutRequest>



So we can see the Format attribute is missing.

I think this could be fixed somewhere in SAML2LogoutRequestBuilder, probably in buildLogoutRequest() around lines 77-88, but unfortunately I don't know how exactly. Now I don't know where to take the Name ID format from. I see it's not part of SAML2Profile. Should it be? Or is there another place where it should be taken from?

Or maybe should this be solved in a completely different way?

Or, do you think the check on ADFS side could be somehow relaxed? I'm not aware of any way how to do that.

I found a couple of pages discussing this issue, mainly these:

Thank you very much for any comments!

Best Regards,
    Jarda

Jérôme LELEU

Oct 10, 2017, 11:11:59 AM
to Jaroslav Kačer, Pac4j users mailing list
Hi,

I think it should be part of the SAML2Profile to be re-used for the logout.

That said, it's certainly not what we could call an attribute of the profile as it will only be used for the logout. So we have authentication attributes for such kind of information: https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/profile/UserProfile.java#L89

I have the feeling the SAML logout support is not completely finished.

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jaroslav Kačer

Oct 10, 2017, 12:14:27 PM
to Pac4j users mailing list
Hi Jerome!

Thank you very much for your prompt reply.

I did some experiments and a little fixing, and now ADFS does not report any error and returns status code urn:oasis:names:tc:SAML:2.0:status:Success.

Would you like to have it in PAC4J?

However, that was not enough. By mistake, we were using SHA-256 as the hashing function on the ADFS side for this particular relying party. I knew from the past this is very problematic, although I have no idea what exactly this setting impacts and what data is hashed using this function. Nevertheless, when set to SHA-1, the errors disappeared. It sounds really crazy that a different hashing function can cause an error like that displayed above :-)

Now, the only problem is that ADFS does not clear the session + cookies on successful completion but it seems to be a problem of ADFS itself, not connected to any SAML SP. So I'm still working on it...

Thank you!

Best Regards,
    Jarda


On Tuesday, October 10, 2017 at 17:11:59 UTC+2 Jérôme LELEU wrote:

Jaroslav Kačer

Oct 11, 2017, 10:31:11 AM
to Pac4j users mailing list
Hello everybody!

Here is an update to this issue:

Besides the small fix of NameID attributes mentioned above, everything should be working fine.

Finally we found an error on our side - we were transforming the NameID during login, then the value of NameID we were sending in the Logout Request did not match the original NameID on ADFS. Unfortunately the error in the ADFS log does not show the value of NameID at all, that's why I was focused just on the attributes, not the value itself. My bad!

The type of the hash function set on ADFS should not be relevant, I have no idea why it started giving "Success" yesterday after I switched it. After another change (reload of SAML metadata), it stopped working even with SHA-1. Mystery :-)

Anyway, after a fix in our proprietary code, we should be all set! (The fix above is required.)

Best Regards,
    Jarda
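
As an added illustration (not pac4j, ADFS or the poster's code), the following Python script models the "logged-in session participant" check behind Event ID 368 on constructed data. It covers both findings in this thread: the first post's LogoutRequest whose NameID lacks the Format attribute the assertion carried, and the later discovery that a NameID value transformed after login no longer matches what ADFS recorded. The SP entity ID is the one printed in the event; the user, session index and request ID are constructed placeholders, and the comparison rule (Issuer plus every NameID field) is an assumption drawn from the event text, not ADFS's actual implementation.

```python
"""Model of the session-participant check ADFS applies to a SAML LogoutRequest.
Added example on constructed data; not pac4j or ADFS code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape, quoteattr

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Entity ID as printed in the thread's ADFS event; user and session index are constructed.
SP_ENTITY_ID = "urn:idc:authentication:saml2:entity:cas:qa-2016:idcadfs"
SESSION_INDEX = "_constructed-session-index-0001"


@dataclass(frozen=True)
class NameId:
    """The NameID fields ADFS lists for each session participant."""
    value: str
    format: str = ""
    name_qualifier: str = ""
    sp_name_qualifier: str = ""


@dataclass(frozen=True)
class SessionParticipant:
    issuer: str
    name_id: NameId


def build_logout_request(issuer: str, name_id: NameId, session_index: str,
                         request_id: str = "_constructed-request-id") -> str:
    """Serialise a minimal LogoutRequest. NameID attributes are emitted only when set,
    which is how a Format attribute silently goes missing."""
    attrs = "".join(
        f" {attr}={quoteattr(val)}"
        for attr, val in (("Format", name_id.format),
                          ("NameQualifier", name_id.name_qualifier),
                          ("SPNameQualifier", name_id.sp_name_qualifier))
        if val
    )
    return (
        f'<saml2p:LogoutRequest xmlns:saml2p="{NS["saml2p"]}" '
        f'xmlns:saml2="{NS["saml2"]}" ID={quoteattr(request_id)} Version="2.0">'
        f"<saml2:Issuer>{escape(issuer)}</saml2:Issuer>"
        f"<saml2:NameID{attrs}>{escape(name_id.value)}</saml2:NameID>"
        f"<saml2p:SessionIndex>{escape(session_index)}</saml2p:SessionIndex>"
        "</saml2p:LogoutRequest>"
    )


def parse_logout_request(xml_text: str) -> tuple[str, NameId]:
    """Extract Issuer and NameID (value plus attributes) from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml2:Issuer", default="", namespaces=NS)
    nid = root.find("saml2:NameID", NS)
    if nid is None:
        raise ValueError("LogoutRequest carries no NameID")
    return issuer, NameId(
        value=(nid.text or "").strip(),
        format=nid.get("Format", ""),
        name_qualifier=nid.get("NameQualifier", ""),
        sp_name_qualifier=nid.get("SPNameQualifier", ""),
    )


def mismatched_fields(xml_text: str, participants: tuple) -> list:
    """Fields on which the request differs from the participant with the same Issuer.
    An empty list means the request corresponds to a logged-in session participant.
    The ADFS event prints only the attributes, so a 'value' difference is the one it hides."""
    issuer, requested = parse_logout_request(xml_text)
    for p in participants:
        if p.issuer != issuer:
            continue
        return [
            field for field in ("value", "format", "name_qualifier", "sp_name_qualifier")
            if getattr(requested, field) != getattr(p.name_id, field)
        ]
    return ["issuer"]


# Constructed IdP state: one session participant, as in the "Count: 1" event.
PARTICIPANTS = (SessionParticipant(SP_ENTITY_ID, NameId("test1@example.com", TRANSIENT)),)

# 1) The original symptom: correct value, Format not carried over from the assertion.
MISSING_FORMAT = build_logout_request(SP_ENTITY_ID, NameId("test1@example.com"), SESSION_INDEX)
# 2) The later finding: attributes correct, value transformed after login.
TRANSFORMED_VALUE = build_logout_request(SP_ENTITY_ID, NameId("TEST1@EXAMPLE.COM", TRANSIENT), SESSION_INDEX)
# 3) The fix: reuse every NameID field exactly as received at authentication.
FIXED = build_logout_request(SP_ENTITY_ID, NameId("test1@example.com", TRANSIENT), SESSION_INDEX)

if __name__ == "__main__":
    for label, req in (("missing Format", MISSING_FORMAT),
                       ("transformed value", TRANSFORMED_VALUE), ("fixed", FIXED)):
        print(f"{label}: mismatched fields = {mismatched_fields(req, PARTICIPANTS)}")
```

The practical lesson is the one the thread arrives at: the SP has to persist the whole NameID (value, Format, NameQualifier, SPNameQualifier) from the authentication response, untouched, and put it back verbatim into the LogoutRequest; any normalisation applied to the value after login breaks single logout just as surely as a dropped attribute.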

Jérôme LELEU

Oct 12, 2017, 11:28:28 AM
to Jaroslav Kačer, Pac4j users mailing list
Hi,

Sure. We want pac4j to work with most (if not all) providers. Can you submit a pull request so that others can review it as well?

One thing you should change is the use of the authentication attributes instead of the attributes, as I guess the values you store are more authentication attributes than user profile ones.

Thanks.
Best regards,
Jérôme


Jérôme LELEU

Oct 12, 2017, 11:37:37 AM
to Jaroslav Kačer, Pac4j users mailing list
Thanks for the follow-up. Looking forward to your pull request...


Jaroslav Kačer

Oct 12, 2017, 12:25:16 PM
to Pac4j users mailing list
Hi!

Would you please create a 2.0.x branch in the GitHub repository? I guess it does not exist because there was just one release. I created mine from a snapshot but for the PR I will have to select a target branch. We made the changes into 2.0.x because that's the version CAS 5.1 is currently using.

Then, if you like the PR, I'll make more for 2.1, 2.2 and master.

As for the attributes, I'll try to examine and change it. At the moment, I don't know what the difference is but I hope to understand it from the code when I look at it again.

Best Regards,
    Jarda


On Thursday, October 12, 2017 at 17:28:28 UTC+2 Jérôme LELEU wrote:
Hi,

Jérôme LELEU

Oct 12, 2017, 2:23:49 PM
to Jaroslav Kačer, Pac4j users mailing list
Hi,

All 2.x versions are backward compatible, so you can just target the 2.2.x branch and the master.

The difference between authentication attributes and attributes is mostly semantic: both are stored in the user profile, but they do not have the same meaning.

Thanks.
Best regards,
Jérôme



Jaroslav Kačer

Oct 18, 2017, 10:02:52 AM
to Pac4j users mailing list
Hi Jerome!

I have submitted the following pull requests:

They should be identical to what I proposed before, I just used authentication attributes, as you suggested.

May I ask if version 2.2.x will get to CAS 5.1.x? At the moment, version 2.0.0 is used there, that's why I initially patched this for 2.0.x.

And, BTW, I have discovered a very little bug in the PAC4J user action for CAS, I will submit a pull request too and give you a link to it here. It's just one line of code...

Thank you!

Best Regards,
    Jarda

On Thursday, October 12, 2017 at 17:37:37 UTC+2 Jérôme LELEU wrote:

Jaroslav Kačer

Oct 18, 2017, 11:52:05 AM
to Pac4j users mailing list
Hi again!

Here is the above-mentioned pull request for CAS related to PAC4J client action: https://github.com/apereo/cas/pull/3010
It would be great if you could review it.
It's for 5.1.x but I will prepare it for master too, if you are OK with the change.
Thank you!

Jarda

On Thursday, October 12, 2017 at 17:37:37 UTC+2 Jérôme LELEU wrote:
Thanks for the follow-up. Looking forward to your pull request...

Jérôme LELEU

Oct 19, 2017, 2:15:24 AM
to Jaroslav Kačer, Pac4j users mailing list
Hi,

Excellent! I just merged both pull requests.

pac4j 2.x versions are all backward compatible so CAS 5.1.x could upgrade to version 2.2.0: @misagh? Just let me know when/if you need a new release.

Thanks.
Best regards,
Jérôme


Jaroslav Kačer

Oct 19, 2017, 8:23:18 AM
to Pac4j users mailing list
Thank you, Jerome!
I would really appreciate if 2.2 got to the next CAS 5.1.x :-)

Jarda


On Thursday, October 19, 2017 at 8:15:24 UTC+2 Jérôme LELEU wrote:

Jérôme LELEU

Nov 23, 2017, 1:41:33 PM
to Jaroslav Kačer, Pac4j users mailing list
Hi,

I released pac4j v2.2 today with a couple of fixes for SAML, it should be upgraded in CAS as well.
Thanks.
Best regards,
Jérôme


Jaroslav Kačer

Nov 24, 2017, 9:37:18 AM
to Pac4j users mailing list
On Thursday, November 23, 2017 at 19:41:33 UTC+1 Jérôme LELEU wrote:
I released pac4j v2.2 today with a couple of fixes for SAML, it should be upgraded in CAS as well.

Excellent, thank you very much!

Best Regards,
    Jarda