signed Single LogOut support


Frank

Feb 23, 2012, 1:47:06 PM
to simpleSAMLphp
We have a Drupal site fully configured with SimpleSAMLphp 1.8.2 using
the module available for it. The SSO works just fine but the SLO
fails with a 'Requester: Invalid signature'.

We're using PingFederate as the IdP and we're the SP. I tried every
combination of each of the following properties within
authsources.php, on the "default-sp" array, to no success:
'sign.logout' => TRUE,
'redirect.sign' => TRUE,
'sign.authnrequest' => TRUE,

'redirect.validate' => TRUE,
'validate.logout' => TRUE,
'validate.authnrequest' => TRUE,


Our IdP client is saying that we need to provide the <ds:Signature>
(with SignedInfo and SignatureValue) which is not currently being sent
in the <samlp:LogoutRequest>. I browsed the log files and that tag is
never added to the LogoutRequest.

Am I missing something obvious or is signed SLO not supported in
SimpleSAMLphp? Been working on this for a few days and need help.

Thanks,
Frank

Olav Morken

Feb 24, 2012, 1:34:53 AM
to simple...@googlegroups.com
On Thu, Feb 23, 2012 at 10:47:06 -0800, Frank wrote:
> We have a Drupal site fully configured with SimpleSAMLphp 1.8.2 using
> the module available for it. The SSO works just fine but the SLO
> fails with a 'Requester: Invalid signature'.
>
> We're using PingFederate as the IdP and we're the SP. I tried every
> combination of each of the following properties within
> authsources.php, on the "default-sp" array, to no success:
> 'sign.logout' => TRUE,
> 'redirect.sign' => TRUE,
> 'sign.authnrequest' => TRUE,
>
> 'redirect.validate' => TRUE,
> 'validate.logout' => TRUE,
> 'validate.authnrequest' => TRUE,

Did you also add the 'privatekey' and 'certificate' options?

> Our IdP client is saying that we need to provide the <ds:Signature>
> (with SignedInfo and SignatureValue) which is not currently being sent
> in the <samlp:LogoutRequest>. I browsed the log files and that tag is
> never added to the LogoutRequest.

The LogoutRequest & LogoutResponse messages are sent using
HTTP-Redirect, which requires the signature to be included in the query
string rather than the XML message. Do you get the "Signature" and
"SigAlg" query parameters?


Best regards,
Olav Morken
UNINETT / Feide

Frank

Feb 24, 2012, 11:14:43 AM
to simpleSAMLphp
Yes,

Here's the current config as is:

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'wsits.pem',
    'certificate' => 'wsits.crt',

    //'certFingerprint' => '33:03:1B:76:A4:4F:FD:22:47:80:3F:2C:A7:3A:B5:52:22:BE:D5:84',
    //'privatekey' => 'sp.example.org.pem',
    //'certificate' => 'sp.example.org.crt',

    //'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
    //'privatekey_pass' => 'secretpassword',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'WSITS_SP_Staging2',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'ClientIdp-Staging',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => NULL,

    // SLO stuff
    'sign.logout' => TRUE,
    //'redirect.sign' => TRUE,
    //'sign.authnrequest' => TRUE,

    //'redirect.validate' => TRUE,
    //'validate.logout' => TRUE,
    //'validate.authnrequest' => TRUE,
),

Frank

Feb 24, 2012, 11:35:42 AM
to simpleSAMLphp
Olav,

Is it possible to include the signature in the xml message?

I checked the log and the request does contain SigAlg and Signature.

Here's what we have in the logs (I modified the signature for
protection)

Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] Session: doLogout('default-sp')
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] Saved state: '_32b2140f751f708c61e8dfc016fd5314af5e67d035'
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] Sending message:
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b17a97a8bc65dfbadfe823937fff7e7bf4249b8c63" Version="2.0" IssueInstant="2012-02-23T18:28:47Z" Destination="https://changedForProtection">
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]   <saml:Issuer>WSITS_SP_Staging2</saml:Issuer>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]   <saml:NameID NameQualifier="ClientIdp-Staging" SPNameQualifier="WSITS_SP_Staging2" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">onLjOP8yGi7m6AE6W1yOwoDdAGj</saml:NameID>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]   <samlp:SessionIndex>xIq8wxETcEPMIIwNx3Vtpg-2sBe</samlp:SessionIndex>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] </samlp:LogoutRequest>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] Redirect to 1050 byte URL:
https://changedForProtection.com/idp/SLO.saml2?SAMLRequest=fZJbj4IwEIX%2FCuk7osUVbJTEja5p4m0Xo8m%2BmAKFrYEWOyWy%2F37BS%2BL64NMkZ87XOTPpCFiRl2ShMlWZL36qOBirLnIJ5NIZo0pLohgIIJIVHIiJSThZLgjudEmplVGxytED8ppgAFwboSSy6HSMDlHPY0OP%2BVE8eEvSiCUp97E7dL00TT3uRWkf94eRHw9cZO24hoYco%2BahBgeoOJVgmYE4jgAyjR658zyTHMuoROrwhFJ6YSLdaddAaNg1FZymaGDfUi34S%2BL%2Fz5R8Ac%3D&RelayState=_32b2140f751f708c61e8dfc016fd5314af5e67d035&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=Khxt%2BTCpFARDiTBLUWUmXljSjpoLg%3D%3D
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] Received message:
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://ssotest.wsits.com/sso/module.php/saml/sp/saml2-logout.php/default-sp" InResponseTo="_b17a97a8bc65dfbadfe823937fff7e7bf4249b8c63" IssueInstant="2012-02-23T18:30:45.513Z" ID="hNDbrS-EIbB0.6EcdVuvbLzd1yx" Version="2.0">
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ClientIdp-Staging</saml:Issuer>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]   <samlp:Status>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]     <samlp:StatusMessage>Invalid signature</samlp:StatusMessage>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a]   </samlp:Status>
Feb 23 13:28:47 simplesamlphp DEBUG [f8f2e2067a] </samlp:LogoutResponse>
Feb 23 13:28:47 simplesamlphp WARNING [f8f2e2067a] Unsuccessful logout. Status was: exception 'sspmod_saml_Error' with message 'Requester: Invalid signature' in C:\web\simplesamlphp\modules\saml\lib\Message.php:368
Stack trace:
#0 C:\web\simplesamlphp\modules\saml\www\sp\saml2-logout.php(54): sspmod_saml_Message::getResponseError(Object(SAML2_LogoutResponse))
#1 C:\web\simplesamlphp\www\module.php(135): require('C:\web\simplesa...')
#2 {main}

Olav Morken

Feb 27, 2012, 2:01:53 AM
to simple...@googlegroups.com
On Fri, Feb 24, 2012 at 08:35:42 -0800, Frank wrote:
> Olav,
>
> Is it possible to include the signature in the xml message?

No. That would be a violation of the specification for the
HTTP-Redirect binding. It would also probably push the message size
beyond the maximum URL size for certain browsers.

Have you verified that the IdP has the correct SP certificate
registered?

Frank

Feb 27, 2012, 10:45:52 AM
to simpleSAMLphp
Isn't that the same certificate used when logging in? Or the one that
was within the Metadata we give to them?

Olav Morken

Feb 28, 2012, 1:34:35 AM
to simple...@googlegroups.com
On Mon, Feb 27, 2012 at 07:45:52 -0800, Frank wrote:
> Isn't that the same certificate used when logging in?

Unless you have enabled signed authentication requests or encrypted
assertions, no SP certificate is used when signing in.

> Or the one that
> was within the Metadata we give to them?

It should be the one that is in the metadata. Some things that can
cause it to fail:

- Changing the certificate & private key after the metadata is loaded
into the IdP.
- Mistake when generating the private key & certificate, so that the
private key does not correspond to the certificate.
- Something changes the URLs, so that the signature is no longer valid.
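The two points Olav makes in this thread can be seen end to end in the program below: with the HTTP-Redirect binding the signature is computed over the URL-encoded query parameters SAMLRequest, RelayState and SigAlg and carried in a Signature parameter, so no <ds:Signature> ever appears inside the LogoutRequest XML; and a "Requester: Invalid signature" from the IdP follows directly from the IdP holding a different SP certificate than the one whose private key signed, or from the URL being altered between SP and IdP. This is an added example written for this page, not code from the thread, from SimpleSAMLphp or from PingFederate, and it uses only the Go standard library. The LogoutRequest XML is constructed after the one in Frank's log with a placeholder Destination, the key pairs are generated in place of wsits.pem/wsits.crt, and the function names are this example's own. It supports the rsa-sha1 SigAlg seen in the log as well as rsa-sha256, and shows only the LogoutRequest direction; a signed LogoutResponse on the same binding is handled identically with SAMLResponse in place of SAMLRequest.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // registers SHA-1 and SHA-256 with crypto.Hash
	_ "crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg URIs exactly as they appear in the query string; the log above shows rsa-sha1.
const RSASHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
const RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// Constructed LogoutRequest modelled on the one in the log (the Destination is a placeholder).
const LogoutRequestXML = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b17a97a8bc65dfbadfe823937fff7e7bf4249b8c63" Version="2.0" IssueInstant="2012-02-23T18:28:47Z" Destination="https://idp.example.test/idp/SLO.saml2"><saml:Issuer>WSITS_SP_Staging2</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">onLjOP8yGi7m6AE6W1yOwoDdAGj</saml:NameID><samlp:SessionIndex>xIq8wxETcEPMIIwNx3Vtpg-2sBe</samlp:SessionIndex></samlp:LogoutRequest>`

func newKey() *rsa.PrivateKey { // stands in for the SP's wsits.pem; a second call yields an unrelated key
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func digest(sigAlg string, data []byte) (crypto.Hash, []byte, error) {
	h := map[string]crypto.Hash{RSASHA1: crypto.SHA1, RSASHA256: crypto.SHA256}[sigAlg]
	if h == 0 {
		return 0, nil, fmt.Errorf("unsupported SigAlg %q", sigAlg)
	}
	hh := h.New()
	hh.Write(data)
	return h, hh.Sum(nil), nil
}

// BuildSignedQuery is the SP side: encode the message (raw DEFLATE, then base64), sign the octets
// "SAMLRequest=<enc>&RelayState=<enc>&SigAlg=<enc>" (RelayState omitted if empty) and append
// the base64 signature as the Signature parameter.
func BuildSignedQuery(key *rsa.PrivateKey, sigAlg, xml, relayState string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // no zlib header in this binding
	w.Write([]byte(xml))                                    // writes into a bytes.Buffer cannot fail
	w.Close()
	toSign := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(sigAlg)
	h, d, err := digest(sigAlg, []byte(toSign))
	if err != nil {
		return "", err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, d)
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams splits the query WITHOUT percent-decoding: the signature covers the encoded octets as sent.
func rawParams(query string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if i := strings.IndexByte(kv, '='); i > 0 {
			out[kv[:i]] = kv[i+1:]
		}
	}
	return out
}

// VerifyRedirectSignature is the IdP side; pub is the key in the SP certificate the IdP has registered.
// The signed string is rebuilt in the binding's fixed order (SAMLRequest, RelayState, SigAlg).
func VerifyRedirectSignature(pub *rsa.PublicKey, query string) error {
	p := rawParams(query)
	toSign := "SAMLRequest=" + p["SAMLRequest"]
	if rs, ok := p["RelayState"]; ok {
		toSign += "&RelayState=" + rs
	}
	toSign += "&SigAlg=" + p["SigAlg"]
	sigAlg, _ := url.QueryUnescape(p["SigAlg"])
	sigB64, _ := url.QueryUnescape(p["Signature"])
	sig, b64Err := base64.StdEncoding.DecodeString(sigB64)
	h, d, algErr := digest(sigAlg, []byte(toSign))
	if p["SAMLRequest"] == "" || b64Err != nil || algErr != nil || rsa.VerifyPKCS1v15(pub, h, d, sig) != nil {
		return fmt.Errorf("Requester: Invalid signature") // the StatusMessage PingFederate returned above
	}
	return nil
}

func main() {
	spKey, staleKey := newKey(), newKey() // staleKey: an old SP key the IdP might still have on file
	query, err := BuildSignedQuery(spKey, RSASHA256, LogoutRequestXML, "_32b2140f751f708c61e8dfc016fd5314af5e67d035")
	if err != nil {
		panic(err)
	}
	fmt.Println("matching SP cert:        ", VerifyRedirectSignature(&spKey.PublicKey, query))
	fmt.Println("stale SP cert at the IdP:", VerifyRedirectSignature(&staleKey.PublicKey, query))
	// A proxy that rewrites %2F to "/" changes the signed octets although the URL still "means" the same.
	fmt.Println("URL re-encoded en route: ", VerifyRedirectSignature(&spKey.PublicKey, strings.ReplaceAll(query, "%2F", "/")))
}
```

The verifier deliberately works on the still-percent-encoded parameter values: a reverse proxy, load balancer or web framework that normalises the URL on the way to the IdP (decoding %2F, changing the case of hex digits, reordering is fine but rewriting is not) produces Olav's third failure mode without anything being "wrong" with the message. His first two causes can be ruled out on the SP before going back to the IdP: check that the configured key and certificate belong together with `openssl rsa -noout -modulus -in wsits.pem | openssl md5` and `openssl x509 -noout -modulus -in wsits.crt | openssl md5` (the two digests must match), and check that the certificate in the metadata handed to the IdP is that same wsits.crt and has not been rotated since the IdP imported it.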

Jaikishore Verma

Feb 18, 2014, 5:46:26 PM
to simple...@googlegroups.com, olav....@uninett.no
Hi there,

Do we know what certificate is used to sign the LogoutRequest? Correct me if I am wrong: the Token Signing Cert is used to sign the LogoutResponse.