Question
I have an ADFS server as an IdP. I have a separate SP application. These are defined in a circle of trust. SSO over the SAML protocol is working fine. When I try an SP-initiated logout request I get an error on the ADFS side:
MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.
EDIT: More detailed message from the ADFS Event Trace:
MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol binding.
I have reviewed my logout SAML message and it looks correct. Just to mention that the same SP is logging out properly with ForgeRock's IdP (ex Sun OpenSSO).
SAML logout request message:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="b00b3f55-f3e3-4935-9e91-da6bf8b62efd"
Version="2.0"
IssueInstant="2013-08-27T09:45:08Z"
Destination="https://00.00.00.00/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
NotOnOrAfter="2013-08-27T09:50:08Z"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SPEntityId/</saml:Issuer>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
<samlp:SessionIndex>_ea853497-c58a-408a-bc23-c849752d9741</samlp:SessionIndex>
</samlp:LogoutRequest>
EDIT
Ian suggested to me that signing of the logout request messages is mandatory. He was right. It is described in the OASIS specification (http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf), section 4.4.3.1. According to that I am now sending signed messages, but I am having the same issue.
Signed message:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="aed640c0-9455-49ea-9450-4ad7c08d98e7"
Version="2.0"
IssueInstant="2013-08-29T15:22:45Z"
Destination="https://server/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
NotOnOrAfter="2013-08-29T03:27:45Z"
>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">user</saml:NameID>
<samlp:SessionIndex>_677952a2-7fb3-4e7a-b439-326366e677db</samlp:SessionIndex>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SPIssuer</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#aed640c0-9455-49ea-9450-4ad7c08d98e7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>53jjPvQ2Ty1Z+VikwrUwW4Erj3k=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>signed value</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>certificate</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</samlp:LogoutRequest>
What am I doing wrong? Should some other endpoint be specified on ADFS? As I understood it, the same one should be used as for sign-on requests (which are working perfectly on my side).
Thanks,
Rastko
Accepted answer
Finally I can do SLO :)
Previously I worked with ForgeRock's IdP and it worked perfectly, but with ADFS it did not. It is obvious that Microsoft has restrictive rules related to SAML message formatting. Conclusions that I have found:
- LogoutRequest message MUST be signed (SAML 2.0 Profiles doc, Sect 4.4.3.1). Thank you Ian for this.
- Order of the XML elements and attributes is important. At the bottom of this message is the final version of my logout request.
- NameID must be in the same format as the one received in the AuthenticationResponse. It should contain the elements expected by ADFS. These links helped me: "Name Identifier (Name ID) claim in the SAML subject" and "SAML LogoutRequest"
- LogoutRequest signature must be transformed with XmlDsigExcC14NTransform, which should be added after XmlDsigEnvelopedSignatureTransform
- Canonicalization method of the signature should be
- Issuer, NameID and SessionIndex are mandatory XML elements
- Namespaces are mandatory: xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" and xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Final LogoutRequest message that is working:
<samlp:LogoutRequest ID="f8a62847-92f2-4f0c-936a-df9efe0cc42f"
Version="2.0"
IssueInstant="2013-08-29T20:53:50Z"
Destination="https://server/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.com/</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#f8a62847-92f2-4f0c-936a-df9efe0cc42f">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>W7F1E2U1OAHRXn/ItbnsYZyXw/8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate></X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="http://schemas.xmlsoap.org/claims/UPN"
>user</saml:NameID>
<samlp:SessionIndex>_2537f94b-a150-415e-9a45-3c6fa2b6dd60</samlp:SessionIndex>
</samlp:LogoutRequest>
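The rules in the answer above can be turned into a pre-flight check an SP can run on its own LogoutRequest before sending it to ADFS. This is an added example, not code from the question or the answer; it uses only the Python standard library and checks mandatory elements, the child order of the working message, the exclusive C14N canonicalization method and the enveloped-signature followed by exclusive C14N transform chain. The sample messages are constructed: `BAD` has the shape of the asker's failing message, `GOOD` the shape of the final working one.

```python
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Child order of the LogoutRequest that ADFS accepted in the answer above.
ORDER = [f"{{{SAML}}}Issuer", f"{{{DS}}}Signature", f"{{{SAML}}}NameID", f"{{{SAMLP}}}SessionIndex"]

def check_logout_request(xml_text):
    """Return the list of rule violations; an empty list means the message follows the answer's rules."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return ["root element is not samlp:LogoutRequest in the SAML 2.0 protocol namespace"]
    tags = [child.tag for child in root]
    for tag in ORDER[0:1] + ORDER[2:]:  # Issuer, NameID and SessionIndex are mandatory
        if tag not in tags:
            problems.append("missing " + tag.split("}")[1])
    if [t for t in tags if t in ORDER] != [t for t in ORDER if t in tags]:
        problems.append("element order differs from Issuer, Signature, NameID, SessionIndex")
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        problems.append("LogoutRequest is not signed")
        return problems
    c14n = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}CanonicalizationMethod")
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        problems.append("CanonicalizationMethod is not exclusive C14N")
    transforms = [t.get("Algorithm") for t in sig.iterfind(
        f"{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}Transforms/{{{DS}}}Transform")]
    if transforms != [ENVELOPED, EXC_C14N]:
        problems.append("Transforms must be enveloped-signature followed by exclusive C14N")
    return problems
# Constructed samples: the shape of the asker's failing message, then the shape of the working one.
BAD = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_a" Version="2.0" IssueInstant="2013-08-29T15:22:45Z">
<saml:NameID xmlns:saml="{SAML}">user</saml:NameID><samlp:SessionIndex>_s1</samlp:SessionIndex>
<saml:Issuer xmlns:saml="{SAML}">SPIssuer</saml:Issuer></samlp:LogoutRequest>"""
GOOD = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_b" Version="2.0" IssueInstant="2013-08-29T20:53:50Z">
<saml:Issuer xmlns:saml="{SAML}">https://sp.com/</saml:Issuer>
<Signature xmlns="{DS}"><SignedInfo><CanonicalizationMethod Algorithm="{EXC_C14N}"/>
<SignatureMethod Algorithm="{DS}rsa-sha1"/><Reference URI="#_b"><Transforms>
<Transform Algorithm="{ENVELOPED}"/><Transform Algorithm="{EXC_C14N}"/></Transforms>
<DigestMethod Algorithm="{DS}sha1"/><DigestValue>x</DigestValue></Reference></SignedInfo>
<SignatureValue>x</SignatureValue></Signature>
<saml:NameID xmlns:saml="{SAML}" Format="http://schemas.xmlsoap.org/claims/UPN">user</saml:NameID>
<samlp:SessionIndex>_s2</samlp:SessionIndex></samlp:LogoutRequest>"""
if __name__ == "__main__":
    print("failing shape:", check_logout_request(BAD))
    print("working shape:", check_logout_request(GOOD))  # prints []
```

The check only validates structure; the digest and signature values themselves still have to be produced by a real XML-DSig implementation with the same transform chain.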