SP-initiated Single Logout not working with SalesForce - salesforce

I am attempting to use SP-initiated SLO with SalesForce (trying Redirect and POST) with the following LogoutRequest:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_1583fa34b3e9426ba5885849204d6f8d" Version="2.0"
                     IssueInstant="2017-11-14T18:42:25Z"
                     Destination="https://myorg-dev-ed.my.salesforce.com/services/auth/idp/saml2/logout">
  <saml:Issuer>myorg</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">me#myorg</saml:NameID>
</samlp:LogoutRequest>
I am using my SP entity ID for Issuer. I also tried using it for NameID SPNameQualifier. My Redirect and POST logic work for AuthnRequest. This SLO is working with OneLogin.
The error I get back is:
We are unable to log you out. Please contact your administrator for more information.
I cannot find any relevant log entries.

Which tool are you using to generate the XML?
Add the tag SessionIndex, which you can get from the login.

Related

SAML With ping identity getting error invalid issuer

I have tried using the SSO URL as mentioned under "Single Signon Service", https://auth.pingone.asia/{env}/saml20/idp/sso, and the issuer https://auth.pingone.asia/{env}, but I am getting ErrorCode: INVALID_ISSUER - Unable to find application for spEntityId: 'https://auth.pingone.asia/{env}' in environment {env}.
Please help me understand where exactly my configuration is wrong.
Check if you have created a SAML Application; if not, try creating it with https://apidocs.pingidentity.com/pingone/platform/v1/api/#post-create-application-saml-protocol
Note: the ACS URL is the place where you want PingIdentity to redirect after login authentication is completed. You will get a SAMLResponse posted there as well.
(OR) You can create the SAML application directly from the PingIdentity console itself by selecting Add Application, selecting SAML as the type, and choosing Manual SAML configuration, specifying an entity id (something unique) and the ACS URL.
Go to the Ping console dashboard and check the Entity ID of the application; it should match the saml:Issuer of your AuthnRequest.
For example, if your dashboard looks like this, with Entity ID "test",
then your AuthnRequest should look like this:
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="test"
    Version="2.0"
    IssueInstant="2022-09-19T16:46:59Z">
  <saml:Issuer>test</saml:Issuer>
</samlp:AuthnRequest>
Note the line: <saml:Issuer>test</saml:Issuer>

SalesForce SOAPUI Login call fails with SocketTimeoutException

I am new to SalesForce and trying to set up my first call to a Sandbox SalesForce.
I generated an Enterprise WSDL file and created the project in SOAPUI.
The login request has its URL set to https://test.salesforce.com/services/Soap/c/48.0/0DFr0000XXXXXXX
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:urn="urn:enterprise.soap.sforce.com">
  <soapenv:Header>
  </soapenv:Header>
  <soapenv:Body>
    <urn:login>
      <urn:username>XXXX#XXXXXXX</urn:username>
      <urn:password>Password+Token</urn:password>
    </urn:login>
  </soapenv:Body>
</soapenv:Envelope>
I am getting java.net.SocketTimeoutException.
I am able to put this URL in the browser
https://test.salesforce.com/services/Soap/c/48.0/0DFr0000XXXXXXX
and get the response
Only POST allowed
Does that mean it might not be a firewall issue??
Please help.
(not 100% an answer but too long for a comment)
It might be that you're behind a proxy or firewall. Maybe your browser automatically downloads some configuration script but in SoapUI and other tools like that you'd need to specify the proxy details manually. Do you have any other app that can connect OK? Data Loader? maybe simple ping test.salesforce.com? curl if you're familiar with it? Or tell SoapUI to GET www.google.com and see what happens? If these fail - talk with your IT about proxy details. Or try from another machine?
See if anything hit Salesforce. Go to your user in setup, scroll all the way down to login history, see if there's any non-browser activity.
It's possible your SF admin disabled logging in from generic test.salesforce.com. You can verify it in Setup -> My Domain. (but if you can login via browser just fine and it's with normal SF username and pass, no Single Sign-On tricks - ignore this point)
As stupid as it sounds - what's the timeout you have in SoapUI ;)

SAML OneLogin with SSO Circle : LogoutRequest returns StatusCode Requester instead of Success

Using the onelogin sample app as SP with SSOCircle as IdP, login via the SSOCircle IdP works, but the LogoutRequest, after being validated, returns a LogoutResponse with StatusCode Requester instead of Success:
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      ID="xxxxxxxxxxxxxxxxxxxxx" Version="2.0" IssueInstant="2018-03-28T07:50:49Z"
                      Destination="http://localhost:8080/onelogin-saml/sls.jsp" InResponseTo="ONELOGIN_hexahexahexa">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.ssocircle.com</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>
IdP-initiated Logout works.
I cannot figure out what I am missing in the properties configuration:
onelogin.saml2.sp.single_logout_service.url=http://localhost:8080/onelogin-saml/sls.jsp
onelogin.saml2.sp.single_logout_service.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.sp.nameidformat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
onelogin.saml2.idp.single_logout_service.url=https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/publicidp
onelogin.saml2.idp.single_logout_service.response.url=
onelogin.saml2.idp.single_logout_service.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Any input would be warmly welcome.
Thanks to the onelogin contributors, I could solve the problem by storing the nameId, sessionIndex and nameIdFormat in the session at login, and then using them as parameters when calling the logout method. See the closed issue for the full code here.
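The Salesforce answer above (add SessionIndex from the login) and this OneLogin/SSOCircle fix (store nameId, sessionIndex and nameIdFormat at login and replay them at logout) are the same flow. The following is an added example, not code from either post or from the OneLogin toolkit: it reads those three values out of a constructed sample login Response and builds a LogoutRequest that carries them; the issuer and destination passed to it are placeholders.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of an IdP login Response, reduced to the parts used here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">me@example.org</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement SessionIndex="_sess-42"/>
  </saml:Assertion>
</samlp:Response>"""


def capture_logout_context(response_xml):
    """At login: pull NameID, its Format and the SessionIndex out of the Response
    so the SP can keep them in its session and replay them in the LogoutRequest."""
    # Parse with defusedxml.ElementTree instead when the input is untrusted.
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    authn = root.find(".//saml:AuthnStatement", NS)
    if name_id is None or authn is None or not authn.get("SessionIndex"):
        raise ValueError("Response lacks NameID or SessionIndex; cannot do SLO later")
    return {"name_id": name_id.text, "format": name_id.get("Format"),
            "session_index": authn.get("SessionIndex")}


def build_logout_request(ctx, issuer, destination):
    """At logout: LogoutRequest with Issuer, the original NameID/Format and SessionIndex."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    nid = ET.SubElement(req, f"{{{NS['saml']}}}NameID", {"Format": ctx["format"]})
    nid.text = ctx["name_id"]
    ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = ctx["session_index"]
    return ET.tostring(req, encoding="unicode")


def has_session_index(logout_request_xml):
    """Pre-flight check on an outgoing LogoutRequest: is SessionIndex present?"""
    return ET.fromstring(logout_request_xml).find("samlp:SessionIndex", NS) is not None
```

Run `has_session_index` against the LogoutRequest quoted in the Salesforce question and it returns False, which is the gap the first answer points at.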

Azure web application authentication

I have enabled azure web authentication in my web application and when unauthenticated users tried to access it, azure redirects it to https://example.azurewebsites.net/.auth/login/aad/callback page and shows the message "You do not have permission to view this directory or page."
For non-authorized users, instead of showing the above message I want to redirect to another custom page that shows a different message.
Thanks in advance.
Thanks,
Tushar
Unfortunately, Azure AD doesn't support this feature for now.
I understand what you want to achieve. You can upvote this idea in this User Voice Page. Azure AD Team will review it.
Hope this helps!
ACS gives you error messages in encoded JSON like this:
{"context":null,"httpReturnCode":401,"identityProvider":"Google","timeStamp":"2010-12-17 21:01:36Z","traceId":"16bba464-03b9-48c6-a248-9d16747b1515","errors":[{"errorCode":"ACS30000","errorMessage":"There was an error processing an OpenID sign-in response."},{"errorCode":"ACS50019","errorMessage":"Sign-in was canceled by the user."}]}
First you need to enable the "Error URL feature" in the management portal: for your ACS namespace -> Edit Relying party -> Error URL.
You need helper classes to decode the JSON; steps here.
Configure anonymous access to the Error page.
With this you will have full control of the page: you can show the error message the way you want and brand the page to match the look and feel of your relying party web.

How to change saml2p:NameIDPolicy that wso2is sends to IdP?

I have a WSO2IS 5.2 acting as a federation hub. The AuthnRequest that it sends to IdP (in this case PingFederate) includes this NameIDPolicy:
<saml2p:NameIDPolicy AllowCreate="true"
                     Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                     SPNameQualifier="WSO2IS"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     />
After logging in at PingFederate it sends back a SAML message including this:
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
  </samlp:StatusCode>
  <samlp:StatusMessage>Cannot provide requested name identifier qualified with WSO2IS</samlp:StatusMessage>
</samlp:Status>
I've tried uid and mail NameID values in PingFederate but I always get this response. I would like to try changing the NameIDPolicy format that wso2is sends but have not found a way to do it. I think it should be a SAML:2.0 format.
The only thing I found was the "Include NameID Policy" check box in the IdP settings, but it stays checked even if I uncheck it and save.
How to change the NameIDPolicy format?
UPDATE: I solved the problem by enabling pseudonym identifier at PingFederate and sending username as attribute. Still it would be good to know the answer to my question.
Yes, your understanding is correct. You need to change the NameIDPolicy. You can find it on the service provider (SP) creation page. Go to the WSO2 IS management console, Home > Service Providers > Add.
After that you need to enter the name for the SP and click the Register button.
Now you are on the Service Provider configuration page.
Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.
On this page you can configure the SAML2 Web SSO configuration; the page header shows
Register New Service Provider. Go to NameID format and change it to urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress instead of urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
You can find more details in the WSO2 documentation [1].
[1] https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0