Missing NameID in logout request


Sridhar Devulkar

Oct 7, 2010, 1:40:15 PM
to simpleSAMLphp
A logout request from a SP to my hosted IdP results in an exception
with a message "Missing NameID in logout request".

I checked the LogoutRequest.php and looks like the xml passed is being
searched for "saml_assertion:NameID", but in the xml I have something
like below:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="O0C5648E3CEBE995FAA81D449EF9373E061DB64C" Version="2.0"
    IssueInstant="2010-10-07T16:32:39Z"
    Destination="http://dev.test.com/saml/saml2/idp/SingleLogoutService.php">
  <samlp:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      NameQualifier="http://dev.test.com/saml/saml2/idp/metadata.php">
    _jkfasf080w4r8slafjsdlw30852lsajdfljsalfslfjs29824
  </samlp:NameID>
  <samlp:SessionIndex xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    _29234893nsfasml324k92384lsfsfdka3429349sdfs
  </samlp:SessionIndex>
  <samlp:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    https://test.mystore.com
  </samlp:Issuer>
</samlp:LogoutRequest>

Should the SP change the logout request to match the code in
LogoutRequest.php in the IdP side? Or is there any config that needs
to be set in the IdP side?

Anyone have similar issues please post your solution.

Thanks,
Sri.

Olav Morken

Oct 8, 2010, 2:29:18 AM
to simple...@googlegroups.com

The issue isn't directly related to the use of saml_assertion as the
namespace in that location. That namespace prefix is registered with
XPath to refer to "urn:oasis:names:tc:SAML:2.0:assertion". (The
reason it is called "saml_assertion" instead of the more common "saml"
is to work around PHP bug 49490[1].)

The issue is that instead of being in the assertion namespace, the
NameID in that logout request is in the protocol namespace. (Note the
"samlp:"-prefix on the node, which is registered as
"urn:oasis:names:tc:SAML:2.0:protocol" on the LogoutRequest element.)
Since we look for a NameID element in the
"urn:oasis:names:tc:SAML:2.0:assertion" namespace, we are unable to
locate the element. I also see that the Issuer element has the same
problem.

Another problem with the message is that the Issuer element is in the
wrong place. The Issuer element needs to appear as the first child of
the LogoutRequest element. simpleSAMLphp won't complain about it, since
we don't do schema validation of the messages, but if that SP ever
tries to connect to an IdP that does schema validation, it will reject
the message as being invalid.


[1] http://bugs.php.net/bug.php?id=49490

Regards,
Olav Morken
UNINETT / Feide

Sridhar Devulkar

Oct 8, 2010, 2:28:52 PM
to simpleSAMLphp
Thanks so much for the reply Olav. I really appreciate it.

When the namespace is changed from protocol to assertion, it does
work, however I was able to confirm that it works only by doing a
local test without SP sending the logout request.

Could it be that the logout request is getting generated with protocol
namespace because the SP is using Sun's implementation of SAML?

Or is the logout request built based on the idp metadata? In the idp
metadata, I found that there is a protocol namespace in the following
tag:

<md:IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
Could this be the reason?

Thanks for all your support,
Sri.

Sridhar Devulkar

Oct 11, 2010, 1:43:00 PM
to simpleSAMLphp
I am still struggling to find out how the protocol namespace is
getting generated in the logout request that is sent from the service
provider. And as per the LogoutRequest.php code, it is looking for an
assertion namespace and throws an exception if it doesn't find it.

Right now the only way I can move on without any exception is to
modify the LogoutRequest.php code to check for both assertion and
protocol. I do not want to change the code, so trying to find out if
there is any other way to not throw exception.

If anyone had the same issue, please send me your solution.

Thanks,
Sri.


Olav Morken

Oct 12, 2010, 3:48:20 AM
to simple...@googlegroups.com
On Fri, Oct 08, 2010 at 11:28:52 -0700, Sridhar Devulkar wrote:
> Thanks so much for the reply Olav. I really appreciate it.
>
> When the namespace is changed from protocol to assertion, it does
> work, however I was able to confirm that it works only by doing a
> local test without SP sending the logout request.
>
> Could it be that the logout request is getting generated with protocol
> namespace because the SP is using Sun's implementation of SAML?

The namespaces are part of the definition of the messages in the SAML
specification. The LogoutRequest message belongs in the protocol
namespace, while the Issuer element and the NameID element belong in
the assertion namespace.

If the SP does not obey these rules, the SP has a severe bug, and it
should be fixed. There is nothing you can change on the IdP to make the
SP use the correct namespace. You can only work around it by changing
the code to look for the elements in a different namespace. (Note that
doing this means that your IdP will no longer work with other service
providers, since they will send the messages with the correct
namespaces.)

> Or is the logout request built based on the idp metadata? In the idp
> metadata, I found that there is a protocol namespace in the following
> tag:
>
> <md:IDPSSODescriptor
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> Could this be the reason?

This only indicates that this IdP has support for SAML 2.0.
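The two rules Olav states in his replies (NameID and Issuer live in the assertion namespace, and Issuer must be the first child of LogoutRequest) can be checked mechanically. The following is an added example, not simpleSAMLphp's LogoutRequest.php and not anything published by the SP's vendor: it performs the same kind of namespace-aware NameID lookup the thread describes, runs it against a constructed copy of the mis-namespaced message above, against a message with correct namespaces but Issuer out of order, and against a schema-correct one, and lists what a schema-validating IdP would object to. It uses only the Python standard library; the message texts, IDs, NameID and SessionIndex values and the function names are constructed for the example.

```python
# Added example, not simpleSAMLphp's own code. It performs the namespace-aware
# NameID lookup that LogoutRequest.php is described as doing, runs it against
# a constructed copy of the mis-namespaced message from this thread and against
# corrected ones, and lists what a schema-validating IdP would object to.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed message reproducing the thread's problem: NameID and Issuer carry
# the samlp: prefix, and Issuer is the last child. IDs and values are dummies.
BROKEN_REQUEST = """\
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req-broken" Version="2.0" IssueInstant="2010-10-07T16:32:39Z"
    Destination="http://dev.test.com/saml/saml2/idp/SingleLogoutService.php">
  <samlp:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_nameid-1</samlp:NameID>
  <samlp:SessionIndex>_session-1</samlp:SessionIndex>
  <samlp:Issuer>https://test.mystore.com</samlp:Issuer>
</samlp:LogoutRequest>
"""

# Constructed message with correct namespaces but Issuer out of order: the
# NameID lookup succeeds, and only schema validation would complain.
MISORDERED_REQUEST = """\
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-misordered" Version="2.0" IssueInstant="2010-10-07T16:32:39Z"
    Destination="http://dev.test.com/saml/saml2/idp/SingleLogoutService.php">
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_nameid-1</saml:NameID>
  <samlp:SessionIndex>_session-1</samlp:SessionIndex>
  <saml:Issuer>https://test.mystore.com</saml:Issuer>
</samlp:LogoutRequest>
"""

# Constructed message as the SAML 2.0 protocol schema defines LogoutRequest:
# Issuer first, Issuer and NameID in the assertion namespace, SessionIndex in
# the protocol namespace (it is a samlp element, so its prefix was never wrong).
VALID_REQUEST = """\
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-valid" Version="2.0" IssueInstant="2010-10-07T16:32:39Z"
    Destination="http://dev.test.com/saml/saml2/idp/SingleLogoutService.php">
  <saml:Issuer>https://test.mystore.com</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      NameQualifier="http://dev.test.com/saml/saml2/idp/metadata.php">_nameid-1</saml:NameID>
  <samlp:SessionIndex>_session-1</samlp:SessionIndex>
</samlp:LogoutRequest>
"""


def parse_logout_request(xml_text):
    """Parse and check that the root really is a samlp:LogoutRequest.
    Caveat: xml.etree is not hardened against entity-expansion tricks; for
    messages from untrusted SPs use defusedxml or lxml with entities disabled."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("root element is not samlp:LogoutRequest")
    return root


def lookup_name_id(xml_text):
    """Namespace-aware NameID lookup, as the thread describes the IdP doing.
    Returns (True, value) or (False, error message). A NameID bound to the
    protocol namespace is simply invisible to this search, which is exactly
    why the IdP reports it as missing."""
    root = parse_logout_request(xml_text)
    node = root.find("saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return False, "Missing NameID in logout request"
    return True, node.text.strip()


def lint_logout_request(xml_text):
    """Problems a schema-validating IdP would raise. The content model of
    LogoutRequestType in saml-schema-protocol-2.0.xsd is, in order:
    saml:Issuer?, ds:Signature?, samlp:Extensions?,
    (saml:BaseID | saml:NameID | saml:EncryptedID), samlp:SessionIndex*."""
    root = parse_logout_request(xml_text)
    tags = [child.tag for child in root]
    problems = []
    for local in ("Issuer", "NameID"):
        if f"{{{SAMLP}}}{local}" in tags:
            problems.append(f"{local} is in the protocol namespace; it belongs in {SAML}")
    issuer = f"{{{SAML}}}Issuer"
    if issuer in tags and tags.index(issuer) != 0:
        problems.append("Issuer must be the first child of LogoutRequest")
    subject = {f"{{{SAML}}}{n}" for n in ("BaseID", "NameID", "EncryptedID")}
    if not subject & set(tags):
        problems.append("no saml:NameID, saml:BaseID or saml:EncryptedID present")
    return problems


if __name__ == "__main__":
    for label, msg in (("broken", BROKEN_REQUEST),
                       ("misordered", MISORDERED_REQUEST),
                       ("valid", VALID_REQUEST)):
        print(label, lookup_name_id(msg), lint_logout_request(msg))
```

The misordered message is the case Olav warns about: the NameID lookup succeeds, so an IdP that skips schema validation accepts it, while a validating IdP rejects it for the Issuer position alone. Widening the lookup to accept samlp:NameID, as the original poster considered, would make the broken message pass this check but would not make the SP interoperable with anyone else.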

Sridhar Devulkar

Oct 12, 2010, 5:12:14 PM
to simpleSAMLphp
Thanks again for your prompt reply Olav. I did read through the SAML
specification and found the XSD for both protocol and assertion. It
is now clear that the SP is not using the SAML specification. I would
definitely send a note to the SP stating the issues and try to resolve
it.

Thanks so much for your support and help.

Sri.