SAML 2.0 LOG OUT issue - saml-2.0

I use SAML 2.0 with ADFS 2 for single sign-on on Windows Server.
I am able to log in, but logout becomes impossible. The error thrown is:
Exception details:
2)Microsoft.IdentityServer.RequestFailedException: MSIS7054: The SAML logout did not complete properly...............

Related

IDP initiated SAML flow with ITfoxtec

I am setting up an IDP-initiated SAML authentication flow.
One of our clients will send a SAML assertion request to us by clicking a link within their internal system to access our application, so we act as the Service Provider (we use Identity Server from Duende for authentication).
We are looking at using the ITfoxtec.Identity.Saml2.MvcCore library.
As we are going with an IDP-initiated SAML flow, I wanted to check the following:
1. As an SP (Service Provider), do we only need to have an ACS endpoint for the incoming SAML Assertion? On receiving the Assertion we can process it to get the Claims we need and, if it meets our requirements, we can give access to our application.
2. Do we need to send back any notification to the IDP that sent us the Assertion?
3. Once verified after receiving the Assertion, do we set the access token in our Identity Server, or do we get a token in the assertion? We periodically need to check if the user associated with the incoming Assertion is still authenticated in the IDP. Hence I was wondering if the IDP would issue a token with an expiration date/time; if not, would we have to initiate a new SP-initiated SAML flow to check if the user is still authenticated with the client IDP?
4. Do we as an SP need to issue our own Access Token?
5. For logout, we only want to log the user out of our system (so remove our token if we issue one); we do not want to log the user out of their IDP?
6. Do we need to simulate login in our Identity Provider, or will that happen automatically when we add SAML2 to our authentication methods in our startup.cs?
7. Do we use the ITfoxtec.Identity.Saml2.MvcCore library, as we are using Duende IdentityServer in a .NET Core 5.0 setup? Is this possible with the ITfoxtec library?
```csharp
services.AddAuthentication()
    .AddSaml2(options =>
    {
        var spOptions = new SPOptions
        {
            EntityId = new EntityId("https://localhost:44373/Saml2"),
            ReturnUrl = new Uri("https://localhost:44373"),
            // Weakest signature algorithm accepted on incoming messages; rsa-sha1 is the lowest setting.
            MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        };
        options.SPOptions = spOptions;
        options.IdentityProviders.Add(new IdentityProvider(new EntityId("https://www.example.com/SSO/SAML/App"), options.SPOptions)
        {
            // false rejects unsolicited responses, i.e. the ones an IdP-initiated login produces.
            AllowUnsolicitedAuthnResponse = false,
            MetadataLocation = "https://www.example.com/SSO/SAMLMetadata/App",
            LoadMetadata = true,
        });
    });
```
1. Yes, and you only need the ACS endpoint. You can also do logout if it is supported by the IdP.
2. No.
3. You receive a SAML 2.0 token in the Assertion, which has a lifetime. To check user state you either need the IdP to start a new IdP-initiated login, or you can start an SP-initiated login, if supported by the IdP.
4. No. That does not have anything to do with the SAML 2.0 integration.
5. In the IdP-initiated scenario the SP usually does not request the IdP to log out.
6. You need to simulate IdP-initiated login; you can use this code sample.
7. You can integrate ITfoxtec Identity Saml2 into Duende IdentityServer, but I do not have a sample on that.

TAI for MS Azure with Websphere Application Server setup for Idp initiated flow not working

I am trying to set up a SAML SSO configuration for my application, which is deployed in WebSphere.
IdP: Azure AD
SP: WebSphere Application Server, where my target application is deployed
I have done the TAI configuration as per the IBM document. But when I hit the test button from the IdP I can see the SAML response in the network tab, yet I couldn't log in to my application and also didn't get any trace related to SAML in the log files, even though I have enabled logs for SAML in Troubleshoot. My doubt is that I am sometimes getting traces related to TAI during server stop. For each request should I be getting a TAI trace? And why is my SAML response not getting intercepted in TAI? How exactly does the interception happen with the SAML response, and how do we get to know that the SAML response got validated?
[15/4/21 16:18:42:855 IST] 00000096 TrustAssociat A SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully
ACS URL -> https://localhost:/browserTest (which is my actual target application URL)
Metadata and signing certificates are also imported correctly.
Thanks for your help.
The ACS URL has a format like this:
https://<hostname>:<sslport>/samlsps/<any URI pattern string>
If you want to use your application URL
https://localhost:/browserTest
as the ACS URL, this URL must be able to accept HTTP POST.

How to get error message from IDP(ADFS) when SAML response has status as Responder?

If the SAML Response has the status "status:Responder"; according to the SAML spec:
urn:oasis:names:tc:SAML:2.0:status:Responder: The request could not be performed due to an error on the part of the SAML responder or SAML authority.
We expect the IDP should send the error message along with the response.
In the ADFS event viewer we can find out why the SAML request failed; however, we don't have access to the ADFS server in the production environment.
Is it possible to get the error message inside the SAML response in case the authentication fails?
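Added example, not code from any of the posts above: a small Python inspector for a SAML Response that pulls out the top-level and nested StatusCode, the StatusMessage if the IdP included one (ADFS often does not, which is why the question above has nothing to show the user), and, on success, the assertion's NotOnOrAfter and the AuthnStatement's SessionNotOnOrAfter, the lifetimes the ITfoxtec answer above refers to when it says the token in the Assertion has a lifetime. Both XML responses are constructed samples.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a Responder failure the way ADFS usually returns it,
# a nested second-level StatusCode but no StatusMessage the SP could show.
RESPONDER_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:StatusCode></samlp:Status>
</samlp:Response>"""

# Constructed sample: a success response whose (unsigned, for brevity) assertion
# is valid for 5 minutes while the IdP session it reports lasts 8 hours.
SUCCESS_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotBefore="2021-04-15T10:00:00Z" NotOnOrAfter="2021-04-15T10:05:00Z"/>
    <saml:AuthnStatement SessionNotOnOrAfter="2021-04-15T18:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def inspect_response(xml_text):
    """Return status codes, any StatusMessage, and the assertion/session lifetimes."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)
    msg = status.find("samlp:StatusMessage", NS)
    info = {"status": top.get("Value").rsplit(":", 1)[1],
            "substatus": sub.get("Value").rsplit(":", 1)[1] if sub is not None else None,
            "message": msg.text if msg is not None else None,  # ADFS usually omits it
            "assertion_expires": None, "session_expires": None}
    assertion = root.find("saml:Assertion", NS)
    if info["status"] == "Success" and assertion is not None:
        cond = assertion.find("saml:Conditions", NS)
        authn = assertion.find("saml:AuthnStatement", NS)
        info["assertion_expires"] = cond.get("NotOnOrAfter") if cond is not None else None
        info["session_expires"] = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return info

def session_still_valid(info, now_iso):
    """True until SessionNotOnOrAfter passes; after that the SP must start a new
    SP- or IdP-initiated login to learn whether the user is still signed in."""
    if info["session_expires"] is None:
        return False
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return to_dt(now_iso) < to_dt(info["session_expires"])
```

A failed response with no StatusMessage leaves only the two status codes for the SP to log; the detailed reason stays in the IdP's own event log, as the question above observes.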

{"error":"Unauthorized","message":"Authentication Failed: Incoming SAML message is invalid","status":401,"timestamp":1524402208502}

I am trying to integrate my Spinnaker application with Okta. I created an application in Okta.
Spinnaker Dashboard Application configuration:
I have configured my gate-local.yml file accordingly:
```yaml
saml:
  enabled: true
  metadataUrl: file:/opt/spinnaker/config/metadata.xml
  keyStore: file:/opt/spinnaker/config/saml.jks
  keyStorePassword: <password>
  keyStoreAliasName: saml
  issuerId: <issuerId>
```
When I hit the URL http://localhost:8084 I am getting redirected to the Okta login page. Once I have successfully logged in, I am getting the error message
{"error":"Unauthorized","message":"Authentication Failed: Incoming SAML message is invalid","status":401,"timestamp":1524402208502}
This is the SAML flow. You are likely hitting step 4 and not passing it.
You should use SAML Tracer to check.

The SAML logout did not complete properly

When sending a SAML LogoutRequest to the ADFS IdP I am getting this error on the ADFS side:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7054: The SAML logout did not complete properly.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SamlLogout()
The message is according to the SAML standards and it is signed.
What do I have to look for?
I have finally got a more detailed log from our partner. The problem was the missing certificate in the Signing tab of our Relying Party on the partner's ADFS server. The problem could also be missing permissions on the private key of the mentioned certificate for the ADFS IIS running process (which is most probably NETWORK SERVICE). SLO is working properly now.
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Logout(LogoutRequest logoutRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
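Added example, not code from the question or from ADFS: a Python check for the condition the answer above found behind MSIS7054/ID4037, whether the certificate a LogoutRequest carries in its ds:KeyInfo matches a thumbprint registered on the relying party trust. The certificate bytes, the LogoutRequest builder and the placeholder signature value are constructed for the example.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder standing in for the SP's DER-encoded signing certificate;
# it is not a real certificate, only bytes to hash so the comparison can be shown.
SP_SIGNING_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-X509-CERTIFICATE"

def thumbprint(der_bytes):
    """SHA-1 hex thumbprint, upper-case, the form shown on the relying party's Signature tab."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def build_logout_request(cert_der=None):
    """Constructed LogoutRequest with a placeholder signature, optionally carrying a cert in KeyInfo."""
    key_info = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        key_info = f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}" ID="_lr1" Version="2.0">'
            f'<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>{key_info}</ds:Signature>'
            f'</samlp:LogoutRequest>')

def signing_cert_in_request(xml_text):
    """DER bytes of the certificate embedded in the request's KeyInfo, or None if absent."""
    root = ET.fromstring(xml_text)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return None
    return base64.b64decode("".join(cert.text.split()))

def check_rp_signing_config(xml_text, registered_thumbprints):
    """Explain a key-resolution failure: which cert signed the request and whether
    the relying party trust has that cert registered for signature verification."""
    der = signing_cert_in_request(xml_text)
    if der is None:
        return "no-cert-in-keyinfo"  # the IdP can only match on its registered certificate
    return "registered" if thumbprint(der) in registered_thumbprints else "not-registered"
```

Run it against a captured LogoutRequest and the thumbprints from the relying party's Signing tab; "not-registered" or "no-cert-in-keyinfo" with an empty registered set points at the configuration the answer above fixed, while a registered cert that still fails suggests the private key permission problem it mentions.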
