Logout service help please
Simon Annetts
I am a little confused as how to configure the SLO service to support Internet2 Shib 2.0. Currently I am using simplesamlphp as a SAML2 IdP, and the Internet2 Shib2 daemon on the SP.
On the SP the IdP logout is configured in the xml metadata as follows:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shibboleth.networcs.net/SSO/saml2/idp/SingleLogoutService.php"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shibboleth.networcs.net/SSO/saml2/idp/SingleLogoutService.php"/>I have tried configuring simplesamlphp in saml20-sp-remote.php as follows:
'name' => 'sandbox-sp1.networcs.net service Provider(s) (shib2.0 Internet2)',
'AssertionConsumerService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SAML2/POST',
'SingleLogoutService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/POST',
but get the following error from the SP on logout:
opensaml::BindingException
The system encountered an error at Wed Jul 16 10:40:03 2008
To report this problem, please contact the site administrator at simon at ateb.co.uk.
Please include the following message in any email:
opensaml::BindingException at (https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/POST)
Invalid HTTP method (GET).
I then also tried this:'name' => 'sandbox-sp1.networcs.net service Provider(s) (shib2.0 Internet2)',
'AssertionConsumerService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SAML2/POST',
'SingleLogoutService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect',
but get this error:
opensaml::SecurityPolicyException
The system encountered an error at Wed Jul 16 10:43:17 2008
To report this problem, please contact the site administrator at simon at ateb.co.uk.
Please include the following message in any email:
opensaml::SecurityPolicyException at (https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect)
Security of LogoutResponse not established.
Finally I resort to:
'name' => 'sandbox-sp1.networcs.net service Provider(s) (shib2.0 Internet2)',
'AssertionConsumerService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SAML2/POST',
'SingleLogoutService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/Logout',
but only get a local logout of that SP (should I be able to do a Global logout???)
Local Logout
Status of Local Logout: Logout was successful.You MUST close your browser to complete the logout
process.
BTW using simplesamlphp svn trunk from 2008-07-10
Many thanks
Simon
-- This e-mail and any attachment is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not necessarily the views of the Ateb Ltd, unless specifically stated. Mae'r e-bost hwn ac unrhyw atodiad sydd ynghlwm wrtho, yn gyfrinachol. Os yw wedi eich cyrraedd mewn camgymeriad dilëwch ef oddi ar eich system. Peidiwch â defnyddio na datgelu'r wybodaeth mewn unrhyw ffordd a rhowch wybod imi ar unwaith os gwelwch yn dda. Gall y neges gynnwys barn bersonol nad yw o anghenraid yn farn Ateb Cyf, oni ddywedir hynny'n benodol. *********************************** Ateb Ltd. Company No. 3769059 VAT No. 736568987 Registered Address: Marteg House, St. Harmon, Rhayader, Powys LD6 5LG T: 01597 870329 M: 07932 014055 ***********************************
Olav Morken
simpleSAMLphp uses the HTTP-Redirect binding for logout, and therefore
the correct URL should be the second you tried:
https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect
This was the cause of the "opensaml::BindingException" exception.
The error you received when you used the second URL
(opensaml::SecurityPolicyException - Security of LogoutResponse not
established) is most likely caused by Shibboleth expecting the logout
response to be signed.
You have two choices:
- disable the requirement that logout responses are signed. I believe
this is possible, but I am not familiar with Shibboleth, and don't
know how this can be done.
- enable signing of logout requests&responses in simpleSAMLphp. This
can be done by adding 'request.signing' => TRUE, in the metadata for
the IdP (in the saml20-idp-hosted.php metadata file).
--
Olav Morken
On Wed, Jul 16, 2008 at 11:17:26 +0100, Simon Annetts wrote:
> Hi all,
>
> I am a little confused as how to configure the SLO service to support
> Internet2 Shib 2.0. Currently I am using simplesamlphp as a SAML2 IdP,
> and the Internet2 Shib2 daemon on the SP.
> On the SP the IdP logout is configured in the xml metadata as follows:
>
> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shibboleth.networcs.net/SSO/saml2/idp/SingleLogoutService.php"/>
> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shibboleth.networcs.net/SSO/saml2/idp/SingleLogoutService.php"/>
>
> I have tried configuring simplesamlphp in saml20-sp-remote.php as follows:
>
> 'name' => 'sandbox-sp1.networcs.net
> service Provider(s) (shib2.0 Internet2)',
> 'AssertionConsumerService' =>
> 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SAML2/POST',
> 'SingleLogoutService' =>
> 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/POST',
>
> but get the following error from the SP on logout:
>
>
> opensaml::BindingException
>
> The system encountered an error at Wed Jul 16 10:40:03 2008
>
> To report this problem, please contact the site administrator at simon
> Please include the following message in any email:
>
> opensaml::BindingException at
> (https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/POST)
>
> Invalid HTTP method (GET).
>
> I then also tried this:
>
> 'name' => 'sandbox-sp1.networcs.net
> service Provider(s) (shib2.0 Internet2)',
> 'AssertionConsumerService' =>
> 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SAML2/POST',
> 'SingleLogoutService' =>
> 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect',
>
> but get this error:
>
>
> opensaml::SecurityPolicyException
>
> The system encountered an error at Wed Jul 16 10:43:17 2008
>
> To report this problem, please contact the site administrator at simon
> Please include the following message in any email:
>
> opensaml::SecurityPolicyException at
> (https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect)
>
> Security of LogoutResponse not established.
>
>
> Finally I resort to:
>
> 'name' => 'sandbox-sp1.networcs.net
> service Provider(s) (shib2.0 Internet2)',
> 'AssertionConsumerService' =>
> 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SAML2/POST',
> 'SingleLogoutService' =>
> 'https://sandbox-sp1.networcs.net/Shibboleth.sso/Logout',
>
> but only get a local logout of that SP (should I be able to do a Global
> logout???)
>
>
> Local Logout
>
>
> You *MUST* close your browser to complete the logout process.
Simon Annetts
I did think it might be something to do with signing; my full config for
this remote SP follows and as you can see signing is enabled. (and
seems to work for other types of request).
Is signing of logout requests working properly in current version?
Thanks
Simon
'https://sandbox-sp1.networcs.net'=> array(
'name' => 'Sandbox 1 service Provider (shib2.0 Internet2)',
'AssertionConsumerService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/SAML2/POST',
'SingleLogoutService' => 'https://sandbox-sp1.networcs.net/Shibboleth.sso/Logout',
'simplesaml.nameidattribute' => 'uid',
'base64attributes' => false,
'simplesaml.attributes' => true,
'request.signing' => true,
'certificate' => "networcs.net.crt"
Olav Morken wrote:
> Hi,
>
> simpleSAMLphp uses the HTTP-Redirect binding for logout, and therefore
> the correct URL should be the second you tried:
> https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect
> This was the cause of the "opensaml::BindingException" exception.
>
> The error you received when you used the second URL
> (opensaml::SecurityPolicyException - Security of LogoutResponse not
> established) is most likely caused by Shibboleth expecting the logout
> response to be signed.
>
> You have two choices:
> - disable the requirement that logout responses are signed. I believe
> this is possible, but I am not familiar with Shibboleth, and don't
> know how this can be done.
> - enable signing of logout requests&responses in simpleSAMLphp. This
> can be done by adding 'request.signing' => TRUE, in the metadata for
> the IdP (in the saml20-idp-hosted.php metadata file).
>
>
>
--
This e-mail and any attachment is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not necessarily the views of the Ateb Ltd, unless specifically stated.
Olav Morken
It appears to sign logout requests/responses, however, the
request.signing option must be set in the metadata for the IdP
(in saml20-idp-hosted.php) for it to work.
--
Olav Morken
Simon Annetts
expected.
Simon
Olav Morken wrote:
> It appears to sign logout requests/responses, however, the
> request.signing option must be set in the metadata for the IdP
> (in saml20-idp-hosted.php) for it to work.
>
>
--
This e-mail and any attachment is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not necessarily the views of the Ateb Ltd, unless specifically stated.
Simon Annetts
I did a test where I go to SP number 1 (www.networcs.net) and log in on the IdP. All OK. Then I go to SP number 2 (sandbox-sp1.networcs.net) and as expected go straight in as I'm already authenticated on the IdP.
Now on SP 2 I logout. This works fine and I'm redirected to the IdP, (and then not sure where and in what order) but then end up back on SP1 with this error:
xmltooling::ValidationException
The system encountered an error at Wed Jul 16 16:28:03 2008
To report this problem, please contact the site administrator at si...@ateb.co.uk.
Please include the following message in any email:
xmltooling::ValidationException at (https://www.networcs.net/Shibboleth.sso/SLO/Redirect)
SessionIndex must have TextContent.
here is the simplesamlphp log extract:
Jul 16 16:28:13 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 - IdP.SingleLogoutService: Got IdP entity id: https://shibboleth.networcs.net/SSO/shibboleth Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 - IdP.SingleLogoutService: Got SAML reuqest Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect validateQuery(): Looking up metadata issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect validateQuery(): All required paramaters received. Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect validateQuery(): Built query: SAMLRequest=fZFPa8MwDMW%2FSvC9tZ1%2FrU0TGPRS6BgsY4ddhh2rTSC1PcvZ%2BvGXtGy0O%2Bwm%0AJD2990MbVKfBy707ujE%2Bw8cIGJPzabAoL5OKjMFKp7BHadUJUMZWNg%2BPe5ku%0AmfTBRde6gSTbSddbFXtnK9LF6FFSil2vtRsgdksL8cuFFueCNs0Tna%2BntDee%0ANr09DnBN0ED47FtY%2Bs6TZLetyHtWMsWzA2fQasW51nlhSi5EysS61Syf1hBH%0A2FmMysaKpIytF2y14OULL2QqZMrfSPIKAS%2FRptSk3szm8qILN7D%2FsypECDMf%0AqX%2F5lDXanRfo%2BR3ght4YXN28bADnCDtr4Fy%2FCwO6FBqMUGWhTJmp1aEocp3l%0AE%2BWaHyArc1OIzOTXY3%2F0P827v9Xf%0A&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1 Jul 16 16:28:13 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SingleLogoutService: Valid signature found for _360a13f10ecba11bb45d61992098cb04 Jul 16 16:28:13 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from https://sandbox-sp1.networcs.net Jul 16 16:28:13 simpleSAMLphp 5 STAT [b22e2a05eb] saml20-idp-SLO spinit https://sandbox-sp1.networcs.net https://shibboleth.networcs.net/SSO/shibboleth Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Session: doLogout() Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 - IDP.SingleLogoutService: Setting cached request with issuer https://sandbox-sp1.networcs.net Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Setting SP state completed for : https://sandbox-sp1.networcs.net Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions: https://www.networcs.net status: 1 Jul 16 16:28:13 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions: https://sandbox-sp1.networcs.net status: 3 Jul 16 16:28:13 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IDP.SingleLogoutService: Logout next SP https://www.networcs.netI can see that the IdP seems to know about both SPs but fails to logout of the one I first logged in to. Any ideas?
Thanks again
Simon
Olav Morken wrote:
It appears to sign logout requests/responses, however, the request.signing option must be set in the metadata for the IdP (in saml20-idp-hosted.php) for it to work.
-- This e-mail and any attachment is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not necessarily the views of the Ateb Ltd, unless specifically stated. Mae'r e-bost hwn ac unrhyw atodiad sydd ynghlwm wrtho, yn gyfrinachol. Os yw wedi eich cyrraedd mewn camgymeriad dilëwch ef oddi ar eich system. Peidiwch â defnyddio na datgelu'r wybodaeth mewn unrhyw ffordd a rhowch wybod imi ar unwaith os gwelwch yn dda. Gall y neges gynnwys barn bersonol nad yw o anghenraid yn farn Ateb Cyf, oni ddywedir hynny'n benodol. *********************************** Ateb Ltd. Company No. 3769059 VAT No. 736568987 Registered Address: Marteg House, St. Harmon, Rhayader, Powys LD6 5LG T: 01597 870329 M: 07932 014055 ***********************************
Olav Morken
I believe I found the bug which caused this, and have committed a fix.
Could you try the latest version from subversion?
--
Olav Morken
On Wed, Jul 16, 2008 at 16:39:05 +0100, Simon Annetts wrote:
> Argh, I spoke too soon !!!
>
> I did a test where I go to SP number 1 (www.networcs.net) and log in on
> the IdP. All OK. Then I go to SP number 2 (sandbox-sp1.networcs.net) and
> as expected go straight in as I'm already authenticated on the IdP.
>
> Now on SP 2 I logout. This works fine and I'm redirected to the IdP,
> (and then not sure where and in what order) but then end up back on SP1
> with this error:
>
>
> xmltooling::ValidationException
>
> The system encountered an error at Wed Jul 16 16:28:03 2008
>
> To report this problem, please contact the site administrator at
Simon Annetts
Thanks for the fast commit -
I just tried the latest version, but I'm not sure if its working properly or not as I am still confused about the difference between Local and Global Logout and the scope of a global logout.
I now no longer get the error I reported before, however I only get logged out on the SP which initiated the logout. (before the sessions for all SPs were being destroyed on the IdP)
Is this the right behaviour?
Here is the message I get from the SP:
Global Logout
Status of Global Logout: Global logout completed.
If the message above indicates success, you have been logged out of all the applications and systems that support the logout mechanism.
It is still strongly advised that you close your browser to complete
the
logout process.
--
The message implies that I should get logged out of all sessions but
the following test sequence shows otherwise:
1. Go to SP1
2. redirect to, authenticate and log in at IdP
3. get redirected back to SP1 ok.
4. Log in to SP2
5. redirect to, pass login check at IdP
6. get redirected back to SP2 ok
7. Logout from SP2
8. redirect to, and have session for SP2 closed on IdP
9. Rediect back to global logout page on SP2
10. Go to SP1
11. Redirect to IdP and get redirected back to SP1 still authenticated.
I've seen conflicting writeups on the Internet about how global
logouts should work, some say saml2 does support it, others that it
doesn't.
Here is an excerpt written by Oracle :-)
Single Logout Profile - This is a SAML 2.0 and Liberty ID-FF profile that provides support for a global logout. The IdP keeps a list of all the SPs that a user has been authenticated to. When a user requests a global logout, the IdP sends to each SP the user is logged in to a request that logs the user out. The following steps illustrate the steps for this profile. The user (or a trusted provider) requests a global logout. The IdP sends a logout request to one of the SPs or IdPs that the user is logged into. The IdP then receives a logout response from the provider to whom it sent the message. The IdP then sends the next logout request to the next provider the user is authenticated to and waits for a logout response. This is repeated until the IdP receives logout responses to all the providers where the user is authenticated. Then the IdP will log the user out locally and present a logout screen to the user. Oracle Identity Federation supports both IdP and SP-initiated single logoutAnyway, maybe you can set me straight on this :-)
Thanks again
Simon
Olav Morken wrote:
Hi Simon, I believe I found the bug which caused this, and have committed a fix. Could you try the latest version from subversion?
-- This e-mail and any attachment is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not necessarily the views of the Ateb Ltd, unless specifically stated. Mae'r e-bost hwn ac unrhyw atodiad sydd ynghlwm wrtho, yn gyfrinachol. Os yw wedi eich cyrraedd mewn camgymeriad dilëwch ef oddi ar eich system. Peidiwch â defnyddio na datgelu'r wybodaeth mewn unrhyw ffordd a rhowch wybod imi ar unwaith os gwelwch yn dda. Gall y neges gynnwys barn bersonol nad yw o anghenraid yn farn Ateb Cyf, oni ddywedir hynny'n benodol. *********************************** Ateb Ltd. Company No. 3769059 VAT No. 736568987 Registered Address: Marteg House, St. Harmon, Rhayader, Powys LD6 5LG T: 01597 870329 M: 07932 014055 ***********************************
Olav Morken
In simpleSAMLphp we try to log tue user out of all SPs when receiving a
logout request. This means that the logout operation in steps 7-9
should look like this:
--> Logout from SP2
SP2 --[LogoutRequest]--> IdP
IdP --[LogoutRequest]--> SP1
SP1 --[LogoutResponse]--> IdP
IdP --[LogoutResponse]--> SP2
--> SP2 shows logout completed page.
Note that every request and response are send by using redirects, and
you should not see any of them unless you have enabled debug mode, or
have disabled automatic redirects in your browser.
This sequence is what i see here when doing this, and the redirect to
the IdP in step 11 suggests that the same has happened in your test. If
SP1 hadn't received a logout request from the IdP, it should not have
contacted the IdP again to get authenticated.
The error seems to be that the IdP for some reason authenticates the
user user without asking for username and password in step 11. I am not
able to reproduce this behavior here. What method of authentication do
you use? What do the logs from the IdP say?
--
Olav Morken
On Thu, Jul 17, 2008 at 11:28:50 +0100, Simon Annetts wrote:
> Hi Olav,
> Thanks for the fast commit -
> I just tried the latest version, but I'm not sure if its working
> properly or not as I am still confused about the difference between
> Local and Global Logout and the scope of a global logout.
> I now no longer get the error I reported before, however I only get
> logged out on the SP which initiated the logout. (before the sessions
> for all SPs were being destroyed on the IdP)
> Is this the right behaviour?
> Here is the message I get from the SP:
>
>
> Global Logout
>
> *Status of Global Logout:* Global logout completed.
Simon Annetts
thanks once again for your time on this.
I ran the test again with debug mode on and log capture and got lots of
output :-)
we are using a custom authentication module that uses Mysql and asks the
user for a username first, then either a password or a series of picture
question/answers depending on how their account is setup. (i.e. for very
young pupils we let them choose favourite picture items instead of them
remembering complicated passwords)
but it is heavily based on the ldap auth module
SP1 login (sandbox-sp1.networcs.net):
----------
Jul 17 13:37:16 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Accessing SAML 2.0 IdP endpoint SSOService
Jul 17 13:37:16 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 17 13:37:16 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 17 13:37:16 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fVFLb4MwDP4rKPc2PCqgUUFC5YK0l8a0Qy9TAp6IFJIsDmv37wftNrWX3WzZ%0A%2Fl7eIR%2BVZdXkB%2F0MHxOgD06j0sjOg4JMTjPDUSLTfARkvmNtdX%2FH4nXIrDPe%0AdEaRoEIE56XRe6NxGsG14D5lB43u4VSQiAT1jCw1X3YKMnhvkVGKgxTCKPDD%0AWoM%2FGtfhUtC2faQLf0xlb5fuB25tB0uCpi7IW5Zs8vcsj0WeJmGSpiHwbQqJ%0A6CPRAQcxryFOswD0XPuCxGGYr8JsFWUvUcySlG22BxK8gsOzotkOKXcLJzvf%0AuasU%2Fg%2BB%2F1on5Z8trnthTiu00Y2vHb0iuLBZ9jAjNvWTUbL7CiqlzHHvgHtY%0AUqPl5eT2QeU3%0A&RelayState=cookie&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 17 13:37:16 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 17 13:37:16 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Valid signature found for _7348f782b86303660ea96e3bd1bceaeb
Jul 17 13:37:16 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Incomming Authentication request: https://sandbox-sp1.networcs.net id
_7348f782b86303660ea96e3bd1bceaeb
Jul 17 13:37:16 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Check if
session is valid. checkauthority:login-networcs thisauthority:null
isauthenticated:no remainingtime:22291
Jul 17 13:37:16 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Will go to authentication module auth/networcs_auth2/index.php
Jul 17 13:37:16 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Set
authnrequest saml2 time:1216298236 size:4 id:
_7bd942dfdeb1a7aff1e0df11cb3b8626608c52ee2d
Jul 17 13:37:16 simpleSAMLphp 6 [b22e2a05eb] AUTH - networcs_auth2:
Accessing auth endpoint networcs_auth2::userNameForm
Jul 17 13:37:27 simpleSAMLphp 6 [b22e2a05eb] AUTH - networcs_auth2:
Accessing auth endpoint networcs_auth2::getPasswordForm
Jul 17 13:37:43 simpleSAMLphp 6 [b22e2a05eb] AUTH - networcs_auth2:
Accessing auth endpoint networcs_auth2::authPassword (=1)
Jul 17 13:37:43 simpleSAMLphp 5 STAT [b22e2a05eb] AUTH-networcs_auth2
Query DB for Attributes:
...sql debug info removed for clarity
Jul 17 13:37:43 simpleSAMLphp 5 STAT [b22e2a05eb] AUTH-networcs_auth2
Attributes returned:
...attribute list removed for clarity
Jul 17 13:37:43 simpleSAMLphp 6 [b22e2a05eb] AUTH-networcs_auth2: sa105
successfully authenticated
Jul 17 13:37:43 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Set
authenticated yes authority:login-networcs
Jul 17 13:37:43 simpleSAMLphp 7 [b22e2a05eb] Session:
doLogin("login-networcs")
Jul 17 13:37:43 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Set nameID:
Jul 17 13:37:43 simpleSAMLphp 5 STAT [b22e2a05eb] AUTH-networcs_auth2 OK
sa105
Jul 17 13:37:43 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Accessing SAML 2.0 IdP endpoint SSOService
Jul 17 13:37:43 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Got incomming authentication ID
Jul 17 13:37:43 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Get
authnrequest from cache saml2 time:1216298263 id:
_7bd942dfdeb1a7aff1e0df11cb3b8626608c52ee2d
Jul 17 13:37:43 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Check if
session is valid. checkauthority:login-networcs
thisauthority:login-networcs isauthenticated:yes remainingtime:28800
Jul 17 13:37:43 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Adding
SP session: https://sandbox-sp1.networcs.net
Jul 17 13:37:43 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Sending back AuthnResponse to https://sandbox-sp1.networcs.net
Jul 17 13:37:43 simpleSAMLphp 4 [b22e2a05eb] Could not get realm
attribute to log [realm]
Jul 17 13:37:43 simpleSAMLphp 5 STAT [b22e2a05eb] saml20-idp-SSO
https://sandbox-sp1.networcs.net
https://shibboleth.networcs.net/SSO/shibboleth NA
-------------
SP1 Logged in
SP2 Login (www.networcs.net):
----------
Jul 17 13:41:08 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Accessing SAML 2.0 IdP endpoint SSOService
Jul 17 13:41:08 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata issuer:https://www.networcs.net in
set saml20-sp-remote
Jul 17 13:41:08 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 17 13:41:08 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fVFLb4MwDP4rKPc2AbSmjQAJtZdKe2lMO%2BwyBXBFpJBkcRjdvx%2B0q9ReerNl%0A%2B3s5Q9lrJ8ohdOYNvgfAEB17bVCcBjkZvBFWokJhZA8oQiOq8ulRJEsmnLfB%0ANlaTqEQEH5Q1W2tw6MFX4H9UA3vTwjEnMYl2E7Iyct7JSReCQ0EpdqqurYbQ%0ALQ2E0foG54JW1Qud%2BROqWjd3%2F3BL1zkS7Xc5%2BeIrmcQS0pbV9YHFcvPQrjZQ%0AH1Kecr5mybSGOEwCMEgTcpIwtl4wvoj5e5yIdC0Y%2FyTRB3g8KZrskCKbOcXp%0Azl%2BlcD8EebFOioutcRxv%2FGT0CvjM4sTzhLTfvVqtmt%2Bo1NqOWw8ywJwWLc4n%0At48p%2FgA%3D%0A&RelayState=cookie&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 17 13:41:08 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 17 13:41:08 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Valid signature found for _76a21ae3d0bbf01a95d69ebf37377802
Jul 17 13:41:08 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Incomming Authentication request: https://www.networcs.net id
_76a21ae3d0bbf01a95d69ebf37377802
Jul 17 13:41:08 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Check if
session is valid. checkauthority:login-networcs
thisauthority:login-networcs isauthenticated:yes remainingtime:28595
Jul 17 13:41:08 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Adding
SP session: https://www.networcs.net
Jul 17 13:41:08 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Sending back AuthnResponse to https://www.networcs.net
Jul 17 13:41:08 simpleSAMLphp 4 [b22e2a05eb] Could not get realm
attribute to log [realm]
Jul 17 13:41:08 simpleSAMLphp 5 STAT [b22e2a05eb] saml20-idp-SSO
https://www.networcs.net https://shibboleth.networcs.net/SSO/shibboleth NA
-------------
SP2 Logged in
All as expected. Now for the logout:
SP2 Logout (www.networcs.net):
-----------
Jul 17 13:42:26 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got IdP entity id:
https://shibboleth.networcs.net/SSO/shibboleth
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got SAML reuqest
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata issuer:https://www.networcs.net in
set saml20-sp-remote
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fZHPa4MwFMf%2FFcm9jYk2jaEKg14KHYM5dtilxPisAZs4X5z981dbCu0Ouz3y%0A3vfHh2xQn7pe7f3Rj%2BEdvkfAEJ1PnUN13eRkHJzyGi0qp0%2BAKhhVvrzuFV%2FG%0Aqh988MZ3JNpedNbpYL3LSRtCj4pSbG1V%2BQ5Cu3QQJj8YnAdalm90dufU1j0t%0ArTt2cGtQwvBjDSz7tifRbpuTg64qabjURuhGaC5inqUrA6KpGymYlJczxBF2%0ADoN2ISc8juUiXi%2FY%2BoNxlWSKyy8SfcKA12qX1qTYzOHqqhseYP9n1YgwzHyk%0AuPNN0%2FQEtqEPxreUXpWAc%2FTO1XAuDkltqopBkyQmrbIkEWkqpIibbMVrwRjo%0AOs2AAc%2FYzeyP%2Fv749F%2FFLw%3D%3D%0A&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 17 13:42:26 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Valid signature found for
_abb8c28ac6af6a2602945ce6fdf86188
Jul 17 13:42:26 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: got Logoutrequest from https://www.networcs.net
Jul 17 13:42:26 simpleSAMLphp 5 STAT [b22e2a05eb] saml20-idp-SLO spinit
https://www.networcs.net https://shibboleth.networcs.net/SSO/shibboleth
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Session: doLogout()
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: Setting cached request with issuer
https://www.networcs.net
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Setting
SP state completed for : https://www.networcs.net
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://sandbox-sp1.networcs.net status: 1
Jul 17 13:42:26 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://www.networcs.net status: 3
Jul 17 13:42:26 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: Logout next SP https://sandbox-sp1.networcs.net
SAML Debug:
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_9a81b3d44c2b49f89fd368e477b2a947658b304d01" Version="2.0"
Destination="https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect"
IssueInstant="2008-07-17T12:42:26Z">
<saml:Issuer
>https://shibboleth.networcs.net/SSO/shibboleth</saml:Issuer>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SPNameQualifier="https://sandbox-sp1.networcs.net">_8c71ae62fb58a3290880a0f457bc81f6cb56b3635a</saml:NameID>
<samlp:SessionIndex>_3dcbb1ef33c4b9336446860f952d611ead49e1e291</samlp:SessionIndex>
</samlp:LogoutRequest>
[send response]
Jul 17 13:44:02 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got IdP entity id:
https://shibboleth.networcs.net/SSO/shibboleth
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got SAML response
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: SAML response parsed. Issuer is:
https://sandbox-sp1.networcs.net
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLResponse=rVJNb4MwDP0rKPdCCFAgapGmdYdKrSaVaoddpgBuQaJJFoetP398qFW59LRb%0A7NjvPT97heLSar5TZ9XZA6BWEsG5XlqJfPxak85IrgQ2yKW4AHJb8vxlv%2BPM%0ApVwbZVWpWuJsAG0jhW2UXJPaWo3c87BuikK1YGtXgv1VpsTh4eX5uzegM6%2Bp%0AtJc38tzCJCEH89OU4OpaE2e7WZOvWFRp4IuYRSyA5YmyIDmFKS2TlPpJGUFf%0AJm%2FCj6pvSEXiF0EVhiUrwvSUpKcqWCYQxnHBRBrGyygpAhpW1O9bETvYSrRC%0A2jVhlCYLGi%2F8%2BOgzHgY8iD6J8wEGx6n6gUm2GnTzsc88%2BPTcJoEIZrCGZHdr%0AhKwKdV2g9mferLwHgolN89wK2%2BE8elUVOB%2Bi7eA5N47V%2FADfXb8iMOQ%2FYDYg%0AG6iIl01yH8Hm8HtAFGfI3oxRxunPpewT%2Fb4dMwG5c4Bb%2BTx7D%2Bdnmv0B%0A&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 17 13:44:02 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: Valid signature found
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Setting
SP state completed for : https://sandbox-sp1.networcs.net
Jul 17 13:44:02 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: got LogoutResponse from
https://sandbox-sp1.networcs.net
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://sandbox-sp1.networcs.net status: 3
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://www.networcs.net status: 3
Jul 17 13:44:02 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: LogoutService: All SPs done
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Found logout info with these keys: Issuer,RequestID
Jul 17 13:44:02 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Session Size before cleaning: 8248
Jul 17 13:44:02 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Cleaning
Session. Clean cache: no
Jul 17 13:44:02 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Session Size after cleaning: 7978
SAML Debug:
<samlp:LogoutResponse
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_229685dfc0f9c7f6ff829d89d875c55364d52dcdd6" Version="2.0"
IssueInstant="2008-07-17T12:44:02Z"
Destination="https://www.networcs.net/Shibboleth.sso/SLO/Redirect"
InResponseTo="_abb8c28ac6af6a2602945ce6fdf86188">
<saml:Issuer>https://shibboleth.networcs.net/SSO/shibboleth</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"> </samlp:StatusCode>
<samlp:StatusMessage>Successfully logged out from service
https://shibboleth.networcs.net/SSO/shibboleth</samlp:StatusMessage>
</samlp:Status>
</samlp:LogoutResponse>
[send response]
end up on Global logout page on www.networcs.net (SP2)
Looking at the logs it seems that your explaination of what happens is
working -
--> Logout from SP2
SP2 --[LogoutRequest]--> IdP
IdP --[LogoutRequest]--> SP1
SP1 --[LogoutResponse]--> IdP
IdP --[LogoutResponse]--> SP2
--> SP2 shows logout completed page.
I would have expected to see more SAML debug screens though however.
Now when I go back to SP1 (sandbox-sp1.networcs.net) I am allowed access
without any authentication
(I was incorrect previously in my assumption that a call was made to the
IdP, actually no logs or saml debug is generated)
So presumably the logout request that the IdP made to SP1 iwas broken
and was ignored or the Shib2.0 SP is broken and is not removing
the session? I can't tell from the logs however.
If I now log out on SP1 (sandbox-sp1.networcs.net) I get the following:
Jul 17 14:06:27 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got IdP entity id:
https://shibboleth.networcs.net/SSO/shibboleth
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got SAML reuqest
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fZFBa8MwDIX%2FSvC9tR0nbmKawKCXQsdgGTvsMuxYbQKp7UXO1p%2B%2FpmWj3WE3%0AIenpvQ%2BtUR%2BHoHb%2B4Kf4DB8TYExOx8GhukwqMo1OeY09KqePgCq2qnl43Kl0%0AyVQYffStH0iyOet6p2PvXUW6GAMqSrHrjfEDxG7pIH75scW5oE3zROfrKe1t%0AoE3vDgNcEzQwfvYtLEMXSLLdVORdF2nRMl5Iw3KRgRY6N9boIhNSGpmz8xri%0ABFuHUbtYkZSxYsFWC7564UKxXOXyjSSvMOIl2jk1qdezubroxhvY%2F1k1Iowz%0AH6l%2F%2BbSzxp8WGPgd4JreGFzdgmoA5whbZ%2BFUvwvbGsNhL0SbmVIImWWykGxf%0A5qmVnIO2WQkc0pJfj%2F3R%2FzTv%2FlZ%2FAw%3D%3D%0A&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 17 14:06:27 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Valid signature found for
_a828c0186b0534ea3a5bdba84366b650
Jul 17 14:06:27 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: got Logoutrequest from
https://sandbox-sp1.networcs.net
Jul 17 14:06:27 simpleSAMLphp 5 STAT [b22e2a05eb] saml20-idp-SLO spinit
https://sandbox-sp1.networcs.net
https://shibboleth.networcs.net/SSO/shibboleth
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Session: doLogout()
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: Setting cached request with issuer
https://sandbox-sp1.networcs.net
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Setting
SP state completed for : https://sandbox-sp1.networcs.net
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://sandbox-sp1.networcs.net status: 3
Jul 17 14:06:27 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: LogoutService: All SPs done
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Found logout info with these keys: Issuer,RequestID
Jul 17 14:06:27 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Session Size before cleaning: 8024
Jul 17 14:06:27 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Cleaning
Session. Clean cache: no
Jul 17 14:06:27 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Session Size after cleaning: 7978
SAML Debug:
<samlp:LogoutResponse
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_aa5b14b1286a560de3c3cfd18500eb6a5cbebc4e97" Version="2.0"
IssueInstant="2008-07-17T13:06:27Z"
Destination="https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect"
InResponseTo="_a828c0186b0534ea3a5bdba84366b650">
<saml:Issuer>https://shibboleth.networcs.net/SSO/shibboleth</saml:Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"> </samlp:StatusCode>
<samlp:StatusMessage>Successfully logged out from service
https://shibboleth.networcs.net/SSO/shibboleth</samlp:StatusMessage>
</samlp:Status>
</samlp:LogoutResponse>
[This is where it starts to look odd:]
Jul 17 14:07:37 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Accessing SAML 2.0 IdP endpoint SSOService
Jul 17 14:07:37 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 17 14:07:37 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 17 14:07:37 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fVFLa8MwDP4rwffWdrM2xTSB0F4Ke7GMHXYZtiOIwbE9y1m7f7%2Bk3UZ76U1C%0A0vfSBmVvg6iH1LkX%2BBwAU3bsrUNxGpRkiE54iQaFkz2gSFo09cO9WMyZCNEn%0Ar70lWY0IMRnvtt7h0ENsIH4ZDXvXwrEknGS7Edk4Oe2UpEspoKAUO6OUt5C6%0AuYN08FHjVNCmeaIT%2F4KaNkzdL9w8dIFk%2B11JPiRr73Kd5yu9LvSq4EoylS%2FV%0AcgWsXfJCjWuIwygAk3SpJAvG1jNWzHjxynPBCsHZO8neIOJJ0WiHVJuJU5zu%0A4kUKt0OQf9ZJ9W9Lulb54wwDv%2FK1oRcEZ7YgHkfE%2Fe7ZW6O%2Fs9paf9hGkAmm%0A1Gh1Prl%2BUPUD%0A&RelayState=cookie&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 17 14:07:37 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 17 14:07:37 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Valid signature found for _a0d43c336c87c671ba0b35b56e0d517b
Jul 17 14:07:37 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Incomming Authentication request: https://sandbox-sp1.networcs.net id
_a0d43c336c87c671ba0b35b56e0d517b
Jul 17 14:07:37 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Check if
session is valid. checkauthority:login-networcs thisauthority:null
isauthenticated:no remainingtime:27006
Jul 17 14:07:37 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Will go to authentication module auth/networcs_auth2/index.php
Jul 17 14:07:37 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Set
authnrequest saml2 time:1216300057 size:4 id:
_eb8815515fe7b5504f82af8fa35f51fde957229394
Jul 17 14:07:37 simpleSAMLphp 6 [b22e2a05eb] AUTH - networcs_auth2:
Accessing auth endpoint networcs_auth2::userNameForm
Jul 17 14:07:38 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Accessing SAML 2.0 IdP endpoint SSOService
Jul 17 14:07:38 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 17 14:07:38 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 17 14:07:38 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fVFLb4MwDP4rKPc2CRuFRQUJlQvSXhpTD7tMASwRKSRZHNbu3w%2FabWovu9my%0A%2Fb28RTlqJ8opDOYFPibAEB1HbVCcBjmZvBFWokJh5AgoQiea8uFexGsmnLfB%0AdlaTqEQEH5Q1O2twGsE34D9VB7Xp4ZgTTqJqRlZGLjs5GUJwKCjFQbWt1RCG%0AtYFwsL7DpaBN80QX%2Fpiq3i3dD9zaDY5EdZWT94QzvtlAlkGWJKztJY%2BTNmby%0A9o6zLAWY1xCnWQAGaUJOYsayFUtXPH3lN4KlgvM3Eu3B40nRbIcU24VTnO78%0ARQr%2FhyB%2FrZPiz5Y0fWuPK3T8yteWXhCc2Zx4nBHr6tlq1X1Fpdb2sPMgAyyp%0A0eJ8cv2g4hs%3D%0A&RelayState=cookie&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 17 14:07:38 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 17 14:07:38 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Valid signature found for _510166e88e8550bda125b20a491087ee
Jul 17 14:07:38 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Incomming Authentication request: https://sandbox-sp1.networcs.net id
_510166e88e8550bda125b20a491087ee
Jul 17 14:07:38 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Check if
session is valid. checkauthority:login-networcs thisauthority:null
isauthenticated:no remainingtime:27005
Jul 17 14:07:38 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Will go to authentication module auth/networcs_auth2/index.php
Jul 17 14:07:38 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Set
authnrequest saml2 time:1216300058 size:4 id:
_4f122ed5be9ea38dcaf182f38c7af220a1b3421f85
Jul 17 14:07:39 simpleSAMLphp 6 [b22e2a05eb] AUTH - networcs_auth2:
Accessing auth endpoint networcs_auth2::userNameForm
and on SP1 I get the familiar
Global Logout
Status of Global Logout: Global logout completed.
If the message above indicates success, you have been logged out of all
the applications and systems that support the logout mechanism.
It is still strongly advised that you close your browser to complete the
logout process.
I'm very confused as to what is going on here at this point, and I can
understand it is difficult for you too as I'm not using simplesamlphp on
the SP side.
But the bottom line is I have to make this work with any flavour of SP
as we will have no control over what software our service providers use.
I think simplesamlphp is great, as a php programmer its made it possible
for me to write an auth module that does exactly what we want
with the data sources we have. I couldn't have done it with the
Shibboleth/Internet2 IdP and its bloaty java server :-)
Anyway if you have any more ideas I'd be glad to hear them.
Thanks
Simon
Olav Morken
I took a look at the LogoutResponse from SP1, and this is what I got
when I decoded it:
<samlp:LogoutResponse
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_7ad931a72523e6f0238f490c89018c5e"
InResponseTo="_9a81b3d44c2b49f89fd368e477b2a947658b304d01"
IssueInstant="2008-07-17T12:43:35Z"
Version="2.0">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</samlp:StatusCode>
<samlp:StatusMessage>Error processing request.</samlp:StatusMessage>
</samlp:Status>
</samlp:LogoutResponse>
So, apparently SP1 detects an error while decoding the logout request.
Could you look at the logs for SP1?
On my installation of Shibboleth 2.0 SP, I can find the logs under
/opt/shibboleth-sp/var/log/. .../var/log/shibboleth/shibd.log may be
the one with the most relevant information. You can also increase the
log level by editing /opt/shibboleth-sp/etc/shibboleth/shibd.logger
(and also the other *.logger-files).
Btw.: the reason you got fewer debug messages than expected is because
simpleSAMLphp only shows outgoing messages. I decoded the logout
response from the SAMLResponse=rVJNb4..... log message. To do that,
just copy everything from the equal-sign to &SigAlg=..., and paste it
into the "Decode HTTP-REDIRECT parameters"-field on
http://rnd.feide.no/saml2debug .
--
Olav Morken
Olav Morken
thanks for the detailed instructions for how this problem could be
reproduced! I was able to reproduce the problem, and have committet a
fix. Could you verify that logout works when you are using the latest
version from subversion?
--
Olav Morken
Simon Annetts
you're a star, this has certainly fixed the problem. Global logout now
works as expected on both SPs.
Looking at the time of your mail this morning, I hope you were not up
late writing a fix :-)
Anyway, if you need it, I enclose the same log set again, but this time
I see from the response that the logout works properly.
Many thanks for the speedy fix!
regards
Simon
Jul 18 09:52:43 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got IdP entity id:
https://shibboleth.networcs.net/SSO/shibboleth
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got SAML reuqest
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fZFPa8MwDMW%2FSvC9jR0nrjFNYNBLoWOwjB12Gf6jNoHU9iJn68df07LR7rCb%0AkPT03g%2BtUR%2BHqHbhEKb0DB8TYMpOx8GjukxqMo1eBY09Kq%2BPgCpZ1T487lSx%0ApCqOIQUbBpJtzrre69QHX5MupYgqz7HrjQkDpG7pIX2F0eJc5G37lM%2FXi7x3%0AMW97fxjgmqCF8bO3sIxdJNl2U5N3LSpRWG7cqnRMa1NSyysheWWNsJK78xri%0ABFuPSftUk4JSuaCrBZMvVKqqUFy8kewVRrxEO6cmzXo2VxfdeAP7P6tGhHHm%0AI80vn%2FbOhNMCI7sDXOc3Ble3qFrAOcLWOzg171UpLeNUloLzPTWsKgzbC%2BY4%0AVNaWK2pLJoykAvbXY3%2F0P827vzXf%0A&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 18 09:52:43 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Valid signature found for
_a6562c3bd74d1aab40c356835cb6c83d
Jul 18 09:52:43 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: got Logoutrequest from
https://sandbox-sp1.networcs.net
Jul 18 09:52:43 simpleSAMLphp 5 STAT [b22e2a05eb] saml20-idp-SLO spinit
https://sandbox-sp1.networcs.net
https://shibboleth.networcs.net/SSO/shibboleth
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Session: doLogout()
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: Setting cached request with issuer
https://sandbox-sp1.networcs.net
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Setting
SP state completed for : https://sandbox-sp1.networcs.net
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://www.networcs.net status: 1
Jul 18 09:52:43 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://sandbox-sp1.networcs.net status: 3
Jul 18 09:52:43 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: Logout next SP https://www.networcs.net
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_caa55b446ee6fb6206c8766737de635d77a910fe09" Version="2.0"
Destination="https://www.networcs.net/Shibboleth.sso/SLO/Redirect"
IssueInstant="2008-07-18T08:52:43Z">
<saml:Issuer >https://shibboleth.networcs.net/SSO/shibboleth</saml:Issuer>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SPNameQualifier="https://www.networcs.net">_98f6b30152039e996eaccc5eeec04b84c2ae8cc1a8</saml:NameID>
<samlp:SessionIndex>_548c13084633f0b152b1f61d3e5cc470c416b806ef</samlp:SessionIndex>
</samlp:LogoutRequest>
Jul 18 09:55:35 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got IdP entity id:
https://shibboleth.networcs.net/SSO/shibboleth
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Got SAML response
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: SAML response parsed. Issuer is:
https://www.networcs.net
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata issuer:https://www.networcs.net in
set saml20-sp-remote
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLResponse=fZFda8IwFIb%2FSsm9Jv1MDbYw5o3gGKzixW5GmhxtoSahJ13389cqMoXhXULO%0A%2B3GerFGeOyd29mQH%2FwHorEEIfs6dQXF5KsjQG2EltiiMPAMKr0T18rYT0ZIJ%0A11tvle1IsAH0rZG%2BtaYgjfcOBaXYtHVtO%2FDN0oAfba9wPtCqeqeze0Rb7WjV%0AmlMH1woV9N%2BtgqVrHAm2m4J8pVzJOFxpzSWwhHEFtc7CVEMSs7Suw2nM3Irv%0A7SRQUqZpnSQZQHass4hlKudZxmOuIYtTzblchewIbDVJEQfYGvTS%2BIJEjOUL%0Axhdhvme5SCOR8E8SHKDHy1bTwqRcz73FRdffcXqOSSJCP6Mh5Q3NOI4PTNb0%0Azvia4kTlpR%2Fw8fZqNQQH2Q3wPBMv06IalAJEQstrwp8p%2Fe%2Fry18%3D%0A&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 18 09:55:35 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: Valid signature found
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Setting
SP state completed for : https://www.networcs.net
Jul 18 09:55:35 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IDP.SingleLogoutService: got LogoutResponse from https://www.networcs.net
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://www.networcs.net status: 3
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Dump sp sessions:
https://sandbox-sp1.networcs.net status: 3
Jul 18 09:55:35 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: LogoutService: All SPs done
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Found logout info with these keys: Issuer,RequestID
Jul 18 09:55:35 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Session Size before cleaning: 1965
Jul 18 09:55:35 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Cleaning
Session. Clean cache: no
Jul 18 09:55:35 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 -
IdP.SingleLogoutService: Session Size after cleaning: 1695
<samlp:LogoutResponse
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_3ab52fd0e4c8b5b85f907bb6b7b4a12da5142efd7b" Version="2.0"
IssueInstant="2008-07-18T08:57:08Z"
Destination="https://sandbox-sp1.networcs.net/Shibboleth.sso/SLO/Redirect"
InResponseTo="_a6562c3bd74d1aab40c356835cb6c83d">
<saml:Issuer>https://shibboleth.networcs.net/SSO/shibboleth</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
<samlp:StatusMessage>Successfully logged out from service
https://shibboleth.networcs.net/SSO/shibboleth</samlp:StatusMessage>
</samlp:Status>
</samlp:LogoutResponse>
Jul 18 09:56:15 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Accessing SAML 2.0 IdP endpoint SSOService
Jul 18 09:56:15 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 18 09:56:15 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 18 09:56:15 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fZFPb4MwDMW%2FCsq9TUClpVZBQu0Faf80ph12mQJ4IlJIsjis3bcftNu0XnaL%0AFfv9%2FJ53JAftoBxDbx7xfUQK0WnQhuD8kbPRG7CSFIGRAxKEFury9gaSpQDn%0AbbCt1SwqidAHZc3eGhoH9DX6D9ViZTo85Sxm0WFSVkbOPTnrQ3AEnFOvmsZq%0ADP3SYDha39L84HV9z2d%2BwlXn5upbbul6x6LqkLPX1SZbN90q2W7kNt6mSfLW%0AYiqypok7THE1ESuicVqAgjQhZ4kQ2UJsFnH2JDJI1yCyFxY9o6fzRpMdVuxm%0AJpzn%2FJ8U%2Fg9B%2Flhnxa8tabrGnhbk4itfO%2F4HcKE5uJsUq8OD1ar9jEqt7XHv%0AUQacU%2BPFZeT6QMUX%0A&RelayState=cookie&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 18 09:56:15 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 18 09:56:15 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Valid signature found for _4786bd4297a919522fce508bb1de5e41
Jul 18 09:56:15 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Incomming Authentication request: https://sandbox-sp1.networcs.net id
_4786bd4297a919522fce508bb1de5e41
Jul 18 09:56:15 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Check if
session is valid. checkauthority:login-networcs thisauthority:null
isauthenticated:no remainingtime:28485
Jul 18 09:56:15 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Will go to authentication module auth/networcs_auth2/index.php
Jul 18 09:56:15 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Set
authnrequest saml2 time:1216371375 size:4 id:
_8b953c0ef5574d7de8096e99302e61594dd90b1247
Jul 18 09:56:18 simpleSAMLphp 6 [b22e2a05eb] AUTH - networcs_auth2:
Accessing auth endpoint networcs_auth2::userNameForm
Jul 18 09:56:20 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Accessing SAML 2.0 IdP endpoint SSOService
Jul 18 09:56:20 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Looking up metadata
issuer:https://sandbox-sp1.networcs.net in set saml20-sp-remote
Jul 18 09:56:20 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): All required paramaters received.
Jul 18 09:56:20 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Built query:
SAMLRequest=fVFLb8IwDP4rVe6QpowuRLRSBRekvbROO%2BwypcGokdIki9PB%2Fv3ask1w2c2W%0A7e%2FlNcrOeFH1sbXP8NEDxuTUGYtiGhSkD1Y4iRqFlR2giErU1f2dyOap8MFF%0Ap5whSYUIIWpnN85i30GoIXxqBTu7h1NBGEm2A7K2ctwpSBujR0EptrppnIHY%0Azi3EowsKx4LW9SMd%2BTOq937sfuDmvvUk2W0L8q4aUKpZLlXDDlnO89WB8cUq%0A51zxnC1usmENsR8EYJQ2FiRLUz5Lb2eMv6RcLHPBFm8keYWAk6LBDinXI6eY%0A7sJFCv%2BHIH%2Btk%2FLPlrT7xp1m6NmVrzW9IDizefEwIO62T85o9ZVUxrjjJoCM%0AMKZGy%2FPJ9YPKbw%3D%3D%0A&RelayState=cookie&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Jul 18 09:56:20 simpleSAMLphp 7 [b22e2a05eb] Library - HTTPRedirect
validateQuery(): Sig Alg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Jul 18 09:56:20 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Valid signature found for _cbeccb55cb1f26869f1839688c861342
Jul 18 09:56:20 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Incomming Authentication request: https://sandbox-sp1.networcs.net id
_cbeccb55cb1f26869f1839688c861342
Jul 18 09:56:20 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Check if
session is valid. checkauthority:login-networcs thisauthority:null
isauthenticated:no remainingtime:28480
Jul 18 09:56:20 simpleSAMLphp 6 [b22e2a05eb] SAML2.0 - IdP.SSOService:
Will go to authentication module auth/networcs_auth2/index.php
Jul 18 09:56:20 simpleSAMLphp 7 [b22e2a05eb] Library - Session: Set
authnrequest saml2 time:1216371380 size:4 id:
_176394abb743f2f7bc70acc007b175620d0d5d75c0
Jul 18 09:56:20 simpleSAMLphp 6 [b22e2a05eb] AUTH - networcs_auth2:
Accessing auth endpoint networcs_auth2::userNameForm
--
This e-mail and any attachment is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not necessarily the views of the Ateb Ltd, unless specifically stated.
Olav Morken
Thanks, always happy to help. If you find any other incompatibilities
between simpleSAMLphp and anything else, please report them. We would
very much like simpleSAMLphp to work with other service providers and
IdPs.
(And no - I wasn't up late - I got up early :-) )
--
Olav Morken