Unable to obtain a nice logout from Windows Azure


Julien

Jan 6, 2014, 1:31:14 PM1/6/14
to simple...@googlegroups.com
Happy new year!

Thanks to simpleSAMLphp, I succeeded in authenticating to my app through Windows Azure Active Directory and ACS; however, I can't log out gracefully.
The message from login.windows.net/MYAZUREAPPUID/saml2?SAMLRequest=fZ... is:
Sorry, but we're having trouble signing you out.
We received a bad request.
Additional technical information:
Trace ID: f7a9e7b9-37d2-4858-b9e4-211bda9584a3
Timestamp: 2014-01-06 18:11:19Z
ACS75014: An error occurred while processing a SAML logout request.

Sign out

Where the request sent is:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_41ed995083a2cbeb31f09e08f16e9f080d73e7ca5a"
                     Version="2.0"
                     IssueInstant="2014-01-06T18:11:19Z"
                     Destination="https://login.windows.net/MYUID/saml2"
                     >
    <saml:Issuer>https://MYAPPURL</saml:Issuer>
    <saml:NameID>MYNAMEID</saml:NameID>
    <samlp:SessionIndex>_a71b3003-9b92-499f-98ba-e6e841139245</samlp:SessionIndex>
</samlp:LogoutRequest>

Do you experience the same?
Otherwise, what is the clue?

Regards,

Julien.

Olav Morken

Jan 7, 2014, 7:59:03 AM1/7/14
to simple...@googlegroups.com
On Mon, Jan 06, 2014 at 10:31:14 -0800, Julien wrote:
> Happy new year!
>
> Thanks to simpleSAMLphp, I succeed to authenticate to my App through
> Windows Azure Active Directory and ACS however I can't logout gracefully.
> The message from login.windows.net/MYAZUREAPPUID/saml2?SAMLRequest=fZ...
> is :
>
> Sorry, but we're having trouble signing you out. We received a bad
> request.
>
> Additional technical information: Trace ID:
> f7a9e7b9-37d2-4858-b9e4-211bda9584a3 Timestamp: 2014-01-06 18:11:19Z
> ACS75014: An error occurred while processing a SAML logout request.
>
> Sign out
>
> Where the request sent is :
>
> <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_41ed995083a2cbeb31f09e08f16e9f080d73e7ca5a"
> Version="2.0"
> IssueInstant="2014-01-06T18:11:19Z"
> Destination="https://login.windows.net/MYUID/saml2"
> >
> <saml:Issuer>https://MYAPPURL</saml:Issuer>
> <saml:NameID>MYNAMEID</saml:NameID>
> <samlp:SessionIndex>_a71b3003-9b92-499f-98ba-e6e841139245</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
>
> Do you experience the same ?
> Otherwise what is the clue ?

I have never tested this, but make sure that you have enabled signing
of logout messages. Make sure that you have configured a private key
and certificate for your SP, and then add:

'sign.logout' => TRUE,

to your SP configuration in config/authsources.php.

Best regards,
Olav Morken
UNINETT / Feide

Julien

Jan 7, 2014, 11:02:07 AM1/7/14
to simple...@googlegroups.com
Thank you Olav for your answer.
I went a step forward.

The logout message is now signed in the URL.
Microsoft's answer is now:
Sign out

Sorry, but we're having trouble signing you out.
We are unable to verify this sign-out request.
If you wish to sign-out, you may ignore this error and continue.

Ignore and continue

Additional technical information:
Trace ID: 3d3ba7f5-218a-4da4-a597-ab677c4ed3ee
Timestamp: 2014-01-07 15:12:46Z
ACS75017: No signature verification credentials found to verify the logout request's signature.

and when I click to continue I get this new message:

Sign out 

Sorry, but we're having trouble signing you out.
We are unable to process this sign-out request because the saml service provider's logout endpoint URL is not configured.

Additional technical information:
Trace ID: 3a23b0fa-e253-40b7-b4c9-26f9093676a8
Timestamp: 2014-01-07 15:49:46Z
ACS75015: Saml relying party's logout endpoint Url is required to process the LogoutRequest.


I checked my SP metadata at 
and I have the following logout section in the metadata 
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://MYSITE/simplesaml/module.php/saml/sp/saml2-logout.php/azure-ad"/>
as well as the certificate embedded.

The luck is that the error messages are clearer... but not for me.
Another good idea?

Thanks in advance,
Julien.

Julien

Jan 10, 2014, 1:51:33 PM1/10/14
to simple...@googlegroups.com
I may be wrong, but I assume that WAAD / ACS is based on ADFS 2.0 work.
Then I found this thread that talks about the additional prerequisites that Microsoft asks for the logout message:
http://stackoverflow.com/questions/18466316/saml-logoutrequest-processing-failed-on-adfs-server

It may help because, in my case, the signature is passed through a GET attribute instead of being embedded in the XML SAML message.
As simpleSAMLphp is known to work with ADFS 2.0, there should be options to set it up, but I can't find anything on this.

I'm confused.

Any help?

Julien.

Julien

Jan 10, 2014, 2:44:11 PM1/10/14
to simple...@googlegroups.com
Otherwise it may be earlier in the process.
Microsoft doesn't understand the metadata at the metadata URL, so it finds neither the signing key nor the SLO endpoint.
That explains the 2 error messages.

How could I verify that?
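One way to answer the question above: an added example, not simpleSAMLphp's own code, that parses SP metadata and reports whether the two things the IdP complained about are present, a signing KeyDescriptor with an X509Certificate and a SingleLogoutService with the HTTP-Redirect binding. The sample metadata is constructed here with placeholder certificate and host values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_sp_metadata(xml_text):
    """Report which pieces an IdP needs for a signed LogoutRequest are present:
    a signing certificate (KeyDescriptor) and an HTTP-Redirect SingleLogoutService."""
    root = ET.fromstring(xml_text)
    sp = root if root.tag == "{%s}SPSSODescriptor" % NS["md"] else root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor found: this is not SP metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption;
    # one marked use="encryption" does not let the IdP verify the SP's signatures.
    signing = [kd for kd in sp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    slo = [s for s in sp.findall("md:SingleLogoutService", NS)
           if s.get("Binding") == HTTP_REDIRECT and s.get("Location")]
    return {"signing_key": bool(signing),
            "slo_redirect": bool(slo),
            "slo_location": slo[0].get("Location") if slo else None}

# Constructed sample resembling the SP metadata described in the thread
# (placeholder certificate and host, not real values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://MYAPPURL">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://MYSITE/simplesaml/module.php/saml/sp/saml2-logout.php/azure-ad"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # All three findings are present for the sample above
    print(check_sp_metadata(SAMPLE_METADATA))
```

Run it against the metadata actually fetched from the URL registered with Azure, not the local file, so that a key added after the upload shows up as the discrepancy Olav asks about.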

Olav Morken

Jan 13, 2014, 8:25:47 AM1/13/14
to simple...@googlegroups.com
On Fri, Jan 10, 2014 at 11:44:11 -0800, Julien wrote:
> Otherwise it may be earlier in the process.
> Microsoft doesn't understand the metadata at the metadata URL, so it
> finds neither the signing key nor the SLO endpoint.
> That explains the 2 error messages.

Does your metadata contain the required KeyDescriptor elements? Are you
sure that this was the metadata you uploaded to Azure? (I.e. you didn't
add the key and certificate later?)

> How could I verify that ?

No idea :)

> On Friday, January 10, 2014 at 19:51:33 UTC+1, Julien wrote:
> >
> > I may be wrong, but I assume that WAAD / ACS is based on ADFS 2.0 work.
> > Then I found this thread that talks about the additional
> > prerequisites that Microsoft asks for the logout message:
> >
> > http://stackoverflow.com/questions/18466316/saml-logoutrequest-processing-failed-on-adfs-server
> >
> > It may help because, in my case, the signature is passed through a GET
> > attribute instead of being embedded in the XML SAML message.
> > As simpleSAMLphp is known to work with ADFS 2.0, there should be options
> > to set it up, but I can't find anything on this.

That stackoverflow answer is incomplete / misleading.

The signature isn't embedded in the LogoutResponse if the
LogoutResponse is sent using the HTTP-Redirect binding, which you
are probably using. ADFS 2.0 does support LogoutRequest messages
sent using the HTTP-Redirect binding, so there is no reason to try to
make it use something else.

Thus the signature should be included as a couple of GET parameters.
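What the reply above describes, as an added example that is not simpleSAMLphp's or Microsoft's code: in the HTTP-Redirect binding the LogoutRequest is deflated, base64-encoded and URL-encoded into SAMLRequest, and the signature is not inside the XML but is computed over the query string "SAMLRequest=..[&RelayState=..]&SigAlg=.." and sent as a separate Signature parameter (this is what `sign.logout` turns on at the SP). The `sign` callback is assumed to be the SP's RSA signer and is not implemented here; the receiver side shows the exact octets an IdP has to rebuild before verifying them with the certificate from the SP's KeyDescriptor.

```python
import base64
import zlib
from urllib.parse import urlencode, quote, unquote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
ALLOWED_SIGALG = {RSA_SHA256, RSA_SHA1}  # algorithms this receiver accepts

def deflate_b64(xml_bytes):
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")

def inflate_b64(text):
    return zlib.decompress(base64.b64decode(text), -15)

def build_redirect_query(xml_bytes, relay_state, sig_alg, sign):
    """Sender side. sign(octets) -> bytes is the SP's RSA signer (assumed, not shown).
    The signed octets are the URL-encoded 'SAMLRequest=..[&RelayState=..]&SigAlg=..'."""
    parts = [("SAMLRequest", deflate_b64(xml_bytes))]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    signed = urlencode(parts, quote_via=quote)  # quote with safe='' encodes '/' and '+'
    sig = base64.b64encode(sign(signed.encode("ascii"))).decode("ascii")
    return signed + "&" + urlencode({"Signature": sig}, quote_via=quote)

def receiver_signed_data(raw_query):
    """Receiver side. Rebuild the octets to verify from the query exactly as received,
    keeping the sender's own URL-encoding (re-encoding could change the bytes).
    Returns (signed_octets, signature_bytes, sig_alg, decoded_xml)."""
    raw = dict(seg.partition("=")[::2] for seg in raw_query.split("&"))  # name -> raw value
    sig_alg = unquote(raw.get("SigAlg", ""))
    if sig_alg not in ALLOWED_SIGALG:
        raise ValueError("unsupported or missing SigAlg: %r" % sig_alg)
    if "Signature" not in raw:
        raise ValueError("Signature parameter missing: message is unsigned")
    msg_param = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    order = [k for k in (msg_param, "RelayState", "SigAlg") if k in raw]
    signed = "&".join("%s=%s" % (k, raw[k]) for k in order).encode("ascii")
    signature = base64.b64decode(unquote(raw["Signature"]))
    return signed, signature, sig_alg, inflate_b64(unquote(raw[msg_param]))

# Constructed sample: the thread's LogoutRequest with placeholder identifiers.
SAMPLE_XML = (b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder" '
              b'Version="2.0" IssueInstant="2014-01-06T18:11:19Z" '
              b'Destination="https://login.windows.net/MYUID/saml2">'
              b'<saml:Issuer>https://MYAPPURL</saml:Issuer><saml:NameID>MYNAMEID</saml:NameID>'
              b'</samlp:LogoutRequest>')
```

An IdP that cannot find the SP's certificate fails before it even gets to compare `signature` against `signed`, which is the ACS75017 situation earlier in the thread.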