
SAML SLO fails when federating with ADFS due to invalid NameID for the entity Format URI

    Details

    • Type: Patch
    • Status: Resolved
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: 5.0.0-GA
    • Fix Version/s: None
    • Component/s: saml2-sso
    • Labels:
      None
    • Estimated Complexity:
      Moderate
    • Test cases added:
      No

      Description

      SAML logout request from IS

      <saml2p:LogoutRequest Destination="https://adfs.test"
                            ID="pmdbnmackgffcmipcnekjilpngkiopidadghlccp"
                            IssueInstant="2015-06-05T12:33:39.796Z"
                            NotOnOrAfter="2015-06-05T12:38:39.796Z"
                            Reason="Single Logout"
                            Version="2.0"
                            xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                            >
          <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:9443/samlsso</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                  <ds:Reference URI="#pmdbnmackgffcmipcnekjilpngkiopidadghlccp">
                      <ds:Transforms>
                          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                      <ds:DigestValue>.ioBadI3z4t+IizscRdojip5k=</ds:DigestValue>
                  </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>iKZSG....</ds:SignatureValue>
              <ds:KeyInfo>
                  <ds:X509Data>
                      <ds:X509Certificate>MIIDhDCCA.....</ds:X509Certificate>
                  </ds:X509Data>
              </ds:KeyInfo>
          </ds:Signature>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                        >XXXX</saml2:NameID>
          <saml2p:SessionIndex>_4e38d04c-52bb-45cd-b903-c39f03b09fdd</saml2p:SessionIndex>
      </saml2p:LogoutRequest>
      

      ADFS side error

      Encountered error during federation passive request.

      Additional Data

      Protocol Name:

      Relying Party:

      Exception details: 
      System.Xml.XmlException: ID4262: The SAML NameIdentifier 'XXXX' is of format 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity' and its value is not a valid URI.
         at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadNameIDType(XmlReader reader)
         at Microsoft.IdentityServer.Protocols.Saml.Saml2AssertionSerializer.ReadNameId(XmlReader reader)
         at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
         at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
         at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
         at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
         at Microsoft.IdentityServer.Protocols.Saml.HttpPostSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
         at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
         at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
         at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
         at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
         at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
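Added example (not WSO2 IS or ADFS code): a check for the constraint ADFS is enforcing here. SAML 2.0 Core section 8.3.6 defines the entity Format as carrying the entity's own identifier, which is a URI of at most 1024 characters, so a value such as "XXXX" cannot be sent with that Format. The opaque persistent and transient formats (8.3.7 and 8.3.8) have a 256-character limit and no URI requirement, and emailAddress (8.3.2) must be an addr-spec. The script parses a LogoutRequest, applies those constraints to its NameID, flags the message from this issue, and accepts the same message once it carries the session subject as a persistent identifier or the entity Format with a real entity ID. The sample requests, the adfs.test Destination and all function names are constructed for the example.

```python
"""Validate the NameID of a SAML 2.0 LogoutRequest against the constraints
that its Format URI implies (SAML 2.0 Core, section 8.3).

Added example; not WSO2 Identity Server or ADFS code.  The sample requests
below are constructed; only the value "XXXX" is taken from the issue.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FMT11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
FMT20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
ENTITY = FMT20 + "entity"
PERSISTENT = FMT20 + "persistent"
TRANSIENT = FMT20 + "transient"
EMAIL = FMT11 + "emailAddress"
UNSPECIFIED = FMT11 + "unspecified"


def is_absolute_uri(value):
    """RFC 3986 absolute URI: a scheme followed by an authority or a path, no whitespace."""
    if not value or re.search(r"\s", value):
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def check_name_id(format_uri, value):
    """Return the list of problems with a NameID; an empty list means acceptable."""
    problems = []
    value = value or ""
    fmt = format_uri or UNSPECIFIED  # an absent Format means unspecified
    if fmt == ENTITY:
        # 8.3.6: the value is the entity's URI and must not exceed 1024 characters
        if not is_absolute_uri(value):
            problems.append("entity NameID %r is not a valid URI" % value)
        if len(value) > 1024:
            problems.append("entity NameID exceeds 1024 characters")
    elif fmt in (PERSISTENT, TRANSIENT):
        # 8.3.7 / 8.3.8: opaque identifier of at most 256 characters
        if not value:
            problems.append("persistent/transient NameID is empty")
        if len(value) > 256:
            problems.append("persistent/transient NameID exceeds 256 characters")
    elif fmt == EMAIL:
        # 8.3.2: an addr-spec; a coarse local@domain check is enough here
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            problems.append("emailAddress NameID %r is not an addr-spec" % value)
    elif not is_absolute_uri(fmt):
        # Any Format value is itself required to be a URI
        problems.append("NameID Format %r is not a URI" % fmt)
    return problems


def check_logout_request(xml_text):
    """Parse a samlp:LogoutRequest and check its plain saml:NameID."""
    # For untrusted input parse with defusedxml instead of the stdlib parser
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    if name_id is None:
        # saml:EncryptedID subjects are out of scope for this check
        return ["LogoutRequest carries no plain saml:NameID"]
    return check_name_id(name_id.get("Format"), (name_id.text or "").strip())


# Constructed LogoutRequest (signature omitted); Destination is a placeholder host
LOGOUT_TEMPLATE = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2015-06-05T12:33:39.796Z"
    Destination="https://adfs.test" Reason="Single Logout">
  <saml:Issuer>https://localhost:9443/samlsso</saml:Issuer>
  <saml:NameID Format="{fmt}">{value}</saml:NameID>
  <samlp:SessionIndex>_4e38d04c-52bb-45cd-b903-c39f03b09fdd</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def build_request(fmt, value):
    return LOGOUT_TEMPLATE.format(fmt=fmt, value=value)


# The shape of the request from the issue: entity Format with the non-URI value "XXXX"
BAD_REQUEST = build_request(ENTITY, "XXXX")
# Same subject sent as an opaque persistent identifier (constructed value)
PERSISTENT_REQUEST = build_request(PERSISTENT, "_4e38d04c-52bb-45cd-b903-c39f03b09fdd")
# entity Format used as intended: the value is an entity ID, which is a URI
ENTITY_REQUEST = build_request(ENTITY, "https://localhost:9443/samlsso")

if __name__ == "__main__":
    for label, req in [("issue", BAD_REQUEST),
                       ("persistent", PERSISTENT_REQUEST),
                       ("entity", ENTITY_REQUEST)]:
        print(label, check_logout_request(req) or "ok")
```

Run the check on the outgoing message before it is signed: a NameID that fails it will be rejected by ADFS with ID4262 regardless of whether the signature is valid, since the serializer refuses the message before any trust evaluation happens.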
      

              People

              • Assignee:
                johann@wso2.com Johann Nallathamby
              • Reporter:
                omindu@wso2.com Omindu Rathnaweera
              • Votes: 0
              • Watchers: 1