SLO problem IdP v.3.4.6
Kai Zimmer
zimmer at bbaw.de
Thu Jul 16 16:13:33 UTC 2020
Hi,
I have a problem with single logout on my IdP v.3.4.6. SLO works with
some sites, with others it no longer does. It makes no difference if I use client
side (browser) cookies or a server side database as the storage service for
the session data. The logfiles complain about NameIDFormat 'unspecified'
being used. Is there anything I can do to fix this on the IdP side, or is
it an SP configuration problem?
Snippet from idp-warn.log
2020-07-15 18:32:52,661 - xxx.xxx.xxx.xxx - WARN
[org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:74]
- Ignoring NameIDFormat metadata that includes the 'unspecified' format
2020-07-15 18:33:20,432 - xxx.xxx.xxx.xxx - WARN
[org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
occurred while processing the request: SessionNotFound
Snippet from metadata/idp-metadata.xml
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
It makes no difference if I use client side cookies or a server side
database for session data:
idp.session.StorageService = shibboleth.JPAStorageService
idp.session.StorageService = shibboleth.ClientSessionStorageService
Snippet from idp-process.log
2020-07-15 18:32:53,077 - INFO [Shibboleth-Audit.SSO:275] -
IP:xxx.xxx.xxx.xxx -
20200715T163253Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ONELOGIN_df9832c4c8f4ee1428ae91cfabd09aeb8b60ff09|https://my.service.test/apps/user_saml/saml/metadata|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://my.idp.test/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_8ef5ac95bdf1707defc30c7d46d5b56e|zimmer|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
|eduPersonEntitlement,uid,mail,eduPersonScopedAffiliation,displayName,quota,eduPersonPrincipalName|QJYMXBYIIYQAGZOZ6GG2BAG6RSXSCJAV|_1c23274b03025dcead4cfec5cf71e152|true
LogoutRequest (SP)
2020-07-15 18:33:20,124 - DEBUG [PROTOCOL_MESSAGE:127] -
IP:xxx.xxx.xxx.xxx -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest
Destination="https://my.idp.test/idp/profile/SAML2/Redirect/SLO"
ID="ONELOGIN_01bcd37da6697d511f195a14526da06f46c48ced"
IssueInstant="2020-07-15T16:33:19Z" Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>https://my.service.test/apps/user_saml/saml/metadata</saml:Issuer>
<saml:NameID>QJYMXBYIIYQAGZOZ6GG2BAG6RSXSCJAV</saml:NameID>
<samlp:SessionIndex>_8fcd999f1db12afe8a88e821cb32b54b</samlp:SessionIndex>
</samlp:LogoutRequest>
LogoutResponse (IDP)
2020-07-15 18:33:20,530 - DEBUG [PROTOCOL_MESSAGE:70] -
IP:xxx.xxx.xxx.xxx -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse
Destination="https://my.service.test/apps/user_saml/saml/sls"
ID="_d83a4fa15c02b1a1a57bebef0cfc5094"
InResponseTo="ONELOGIN_01bcd37da6697d511f195a14526da06f46c48ced"
IssueInstant="2020-07-15T16:33:20.439Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://my.idp.test/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
</saml2p:StatusCode>
<saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:LogoutResponse>
Best regards,
Kai