ADFS SSO working but SLO not working

    Question

  • Hi,

    Configured ADFS in Windows Server 2012, using Node JS Passport SAML. I could do Single Sign On but am facing issues in SLO when many sessions are open for a particular user. Not facing issues when only one session is enabled. Tried all the possibilities provided in Microsoft Forums, but still could not achieve it. Please help.

    Wednesday, March 15, 2017 6:06 AM

All replies

  • We'll need more details on your implementation and your test scenarios (clients type, error messages, etc).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, March 15, 2017 8:36 PM
  • Hi Pierre,

    I am part of Remil Jose's Team.

    Thanks for your reply.

    Scenario is,

    Server : Windows Server 2012 R2

    Service Provider Language : Node JS

    npm Library for SSO/SLO : passport-saml/passport-saml-logout

    I have two sites added as relying parties in ADFS separately; passport-saml has been configured for both SSO and SLO. When I hit one SP URL, it takes me to the ADFS login page, I log in and successfully get claims from ADFS. When I hit the second URL, it automatically logs me in. So, confirming SSO is working.

    When two sites are opened in two tabs, as SLO is configured, when I hit the logout link it throws an error like:

    Activity ID: 00000000-0000-0000-2800-0080000000bd

    Error time: Thu, 16 Mar 2017 06:35:01 GMT

    Cookie: enabled

    User agent string: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

    In ADFS Side,

    Error like,

    Encountered error during federation passive sign-out. 

    Additional Data 

    Exception details: 
    Microsoft.IdentityServer.RequestFailedException: MSIS7054: The SAML logout did not complete properly.
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)

    The Federation Service encountered an error while processing the SAML authentication request. 

    Additional Data 
    Exception details: 
    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
        (
        IsReadOnly = False,
        Count = 1,
        Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
        )
    '. Ensure that the SecurityTokenResolver is populated with the required key.
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
       at System.Xml.XmlReader.ReadEndElement()
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
       at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)

    Note :

    When I have only one application open, if I click logout, I get proper SP->IdP->SP responses, and logout is successful.

    The only problem is, when we have multiple SPs open, logout is not working.

    For the second error, I already added the SP's signing certificate to ADFS. Do I need to add the IdP signing certificate also? Bit frustrated, so please help.


    Thursday, March 16, 2017 6:46 AM
  • Did you sign your logout request? Maybe you can take a look at this post.
    Friday, March 17, 2017 4:30 AM
  • Thanks WinneLao for your update.

    I am following documentation of Passport SAML.

    Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format via the privateCert configuration key. For example:

    privateCert:fs.readFileSync('./cert.pem', 'utf-8')

    So, in my code also i have signed using Private Key and Certificate is added to the Signature Tab in ADFS.

    Friday, March 17, 2017 7:49 AM
  • Hi,

    Need one clarification. I have two RPs, so do I need to provide two different private key and certificate combinations for signing?

    Please reply back as soon as possible, Thanks in advance.

    Sunday, March 19, 2017 6:42 AM
  • AD FS does not require RP private key. Does the sp-initiated logout work in one RPs?
    Monday, March 20, 2017 8:05 AM
  • SP-initiated logout is working perfectly with one RP.

    Under the "Signature" tab in the RP, I configured the certificate, and the private key is used in the SP for signing requests. My question is whether I should use the same private key and certificate for both RPs or different ones.

    Monday, March 20, 2017 1:21 PM
  • It is up to you. I think both will work. Does IDP-initiated logout work? After login, can you go to https://<adfsServer>/adfs/ls/idpinitiatedsignon.aspx and click logout?
    Tuesday, March 21, 2017 2:21 AM
  • Hi,

    IdP-initiated logout is working for only one RP at a time. If I choose "Sign out from all sessions you have", I get errors like:

    Encountered error during federation passive sign-out. 

    Additional Data 

    Exception details: 
    Microsoft.IdentityServer.RequestFailedException: MSIS7054: The SAML logout did not complete properly.
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)


    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    Saml 

    Relying Party: 


    Exception details: 
    Microsoft.IdentityServer.RequestFailedException: MSIS7054: The SAML logout did not complete properly.
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Signout(ProtocolContext context, String redirectUri, List`1 iFrameSignoutUris)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolSignoutRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    The Federation Service encountered an error while processing the SAML authentication request. 

    Additional Data 
    Exception details: 
    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
        (
        IsReadOnly = False,
        Count = 1,
        Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
        )
    '. Ensure that the SecurityTokenResolver is populated with the required key.
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
       at System.Xml.XmlReader.ReadEndElement()
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
       at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)

    I do not know whether I did anything wrong. Please help in debugging this issue. I tried all the solutions; if needed I can share my screen as well.

    Tuesday, March 21, 2017 4:42 AM
  • Hello,

    If you only log in to one relying party, do SP-initiated logout and IdP-initiated logout work?

    • Log in to relying party A
    • Go to idpinitiatedsignon.aspx and click Sign out from all the sites that you have accessed.
    • Log in to relying party B; you will need to input username and password
    • Go to idpinitiatedsignon.aspx and click Sign out from all the sites that you have accessed.

    Can you capture and paste your SAML request and response here?

    Wednesday, March 22, 2017 1:48 AM