Bad Request on Sign-Out via SAML2 and Azure AD


Adam_P

Jul 30, 2014, 4:46:47 AM7/30/14
to simple...@googlegroups.com

Hello,

I'm trying to get a working Azure AD and SimpleSAMLphp demo (Test authentication sources). I've found a description of how to configure SimpleSAMLphp on a Japanese website:

http://blogs.msdn.com/b/tsmatsuz/archive/2014/01/30/azure-ad-and-php-application-sso-federation-using-simplesamlphp.aspx

Sign-in works fine, but I have a problem with sign-out. I get a bad request error when trying to log out:

################################

Sign out

Sorry, but we're having trouble signing you out.
We received a bad request.

Additional technical information:
Trace ID: 5bb91d05-de09-4515-9da6-f2234a0c5c10
Timestamp: 2014-07-30 07:27:03Z
ACS75014: An error occurred while processing a SAML logout request.

#########################################

I have already compared the SAML sign-out message with the description on the following Microsoft site:

http://msdn.microsoft.com/en-us/library/azure/dn195588.aspx

Sign-out in the SimpleSAMLphp log file:

Saved state: '_c6effbdebf01c619bfd0d41d1e92752ef61371c7b8'
Jul 30 09:27:02 simplesamlphp DEBUG [d0b7412ebe] Sending message:
Jul 30 09:27:02 simplesamlphp DEBUG [d0b7412ebe] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f12949a3f0b9420237b85bea3e57c0477f55c95bb5" Version="2.0" IssueInstant="2014-07-30T07:27:02Z" Destination="https://login.windows.net/e35df11a-7f8c-444d-8024-e8925a8e02f9/saml2">
Jul 30 09:27:02 simplesamlphp DEBUG [d0b7412ebe]   <saml:Issuer>spn:9c888881-57d0-4a56-77d4-f6d895fad4a8</saml:Issuer>
Jul 30 09:27:02 simplesamlphp DEBUG [d0b7412ebe]   <saml:NameID>2ftgetrtrtksk25353536-dummy</saml:NameID>
Jul 30 09:27:02 simplesamlphp DEBUG [d0b7412ebe]   <samlp:SessionIndex>_6b7e365e-0c56-4659-787878-787878878</samlp:SessionIndex>
Jul 30 09:27:02 simplesamlphp DEBUG [d0b7412ebe] </samlp:LogoutRequest>
Jul 30 09:27:02 simplesamlphp DEBUG [d0b7412ebe] Redirect to 636 byte URL: https://login.windows.net/a4534e-7f8c-78954-78455-e8925a8e02f9/saml2?SAMLRequest=fZLbTsMwDIZfZep91jRNmoO2SqBpYjAO2gABNyhtEqjoklJnwOPTbSABF1xZsvX99m97AnrTdmoZnsI2ruzr1kIcfWxaD2pfmSbb3qugoQHl9caCirVaH50vFRlj1fUhhjq0yQ%2Fkf0ID2D42wSejxWyaPLqMSCp17nAlKcEk55VgldW5ZbzGlHPHWC1ZVbFkdGt7GMhpMggNOMDWLjxE7eOQwhlFmKMcX2OuCFeYPCSj2eCm8TruqecYO1Bp2oanxo%2FfG2%2FCO4y9janNmXFZphF3okaUUoMEJhRZIQnTwmLiZLrzRpJysotq37wvofNK1oIJKTPEuMGIalYgKQ1FrjCc504bqsUk%2FUkdJC6G3SxmJeniFTu5F8VJey9fNnerGULzNazu5seXy%2FM5O3s7On7uTsnV5c2Xyhc4OVxubWG3lIU39qN8LCpu84JZhOthDlowiSQvOMKYaVfxTBpiDjJ%2FyO%2Fkr0coPwE%3D&RelayState=_c6effbdebf01c619bfd0d41d1e92752ef61371c7b8

I can't find a bug. Does anyone have an idea how I can find what's wrong with the SAML sign-out request, or does anyone have a working example of SAML2 sign-out with Azure AD?

I'd greatly appreciate your help!

Regards
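A small decoder and sanity checker for a LogoutRequest sent over the SAML HTTP-Redirect binding, added here as an example (not the poster's code): it reverses the URL-encode / base64 / raw-DEFLATE packaging seen in the `SAMLRequest` parameter above and checks the fields an IdP typically matches against its registration (Destination, Issuer, NameID). The sample XML and the expected values are constructed placeholders, not the tenant or application IDs from the log.

```python
"""Decode and sanity-check a SAML 2.0 LogoutRequest from the HTTP-Redirect binding."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the request in the log above; all values are placeholders.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-request-id" '
    'Version="2.0" IssueInstant="2014-07-30T07:27:02Z" '
    'Destination="https://login.windows.net/TENANT-ID-PLACEHOLDER/saml2">'
    '<saml:Issuer>spn:APP-ID-PLACEHOLDER</saml:Issuer>'
    '<saml:NameID>nameid-placeholder</saml:NameID>'
    '<samlp:SessionIndex>_session-index-placeholder</samlp:SessionIndex>'
    '</samlp:LogoutRequest>')

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding packaging: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode(), safe="")

def decode_redirect(param: str) -> str:
    """Reverse of encode_redirect; takes the SAMLRequest value copied from a redirect URL."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode()

def check_logout_request(xml: str, expected_destination: str, expected_issuer: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml)
    findings = []
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        findings.append("root element is not samlp:LogoutRequest")
    if root.get("Version") != "2.0":
        findings.append("Version must be 2.0")
    for attr in ("ID", "IssueInstant"):
        if not root.get(attr):
            findings.append("missing %s attribute" % attr)
    if root.get("Destination") != expected_destination:
        findings.append("Destination %r != IdP SLO endpoint %r" % (root.get("Destination"), expected_destination))
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append("Issuer %r != SP entityID registered at the IdP %r" % (issuer, expected_issuer))
    if not (root.findtext("saml:NameID", namespaces=NS) or "").strip():
        findings.append("NameID is missing or empty")
    return findings
```

Paste the real `SAMLRequest` value from the redirect URL into `decode_redirect` and compare the decoded Issuer and Destination with what the IdP has registered for the application; a mismatch in either is a common cause of a generic "bad request" on logout.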

Bjorn Rohde Jensen

Jul 30, 2014, 12:00:15 PM7/30/14
to simple...@googlegroups.com
Hi Adam,

I have never worked with Azure, nor do I read Japanese, but the instructions
look very similar to the steps I went through hooking a SimpleSAMLphp
SP up to a Windows 7 ADFS.

Importing the SSP SP metadata into the ADFS didn't go entirely smoothly,
since the ADFS reported problems parsing it. Sign-on worked fine, but I
got a very similar-sounding error during logout to the one you do. After a
lot of investigation and trials, I discovered that the ADFS was simply
using a different hash function than the SSP instance.

It's a wild guess...

Yours sincerely,

Bjorn

Adam_P

Jul 31, 2014, 4:07:28 AM7/31/14
to simple...@googlegroups.com, bje...@fastmail.fm
Hi Bjorn,
thank you for the reply and for sharing your experiences with ADFS. I still hope to find a solution. As the next step, I'll contact Microsoft Azure Support. It would be extremely helpful to know what's wrong with this SAML request; "Bad Request" is a really general error message. I'll let you know as soon as I have a solution for my problem.
Best regards,
Adam

Adam_P

Aug 25, 2014, 5:54:20 AM8/25/14
to simple...@googlegroups.com, bje...@fastmail.fm

Hi,

The solution for my problem was to use the right SimpleSAMLphp federationmetadata.xml.

I copied the SimpleSAMLphp federationmetadata.xml (you usually find it under https://localhost/simplesaml/module.php/saml/sp/metadata.php/default-sp) to our public web server and entered the corresponding URL in the Azure Management Portal under Application Settings, Federation Metadata URL. Now it works.

Best regards,
Adam
