Problem during SAML logout

  • Question

  • Hi,

    I have written a Service Provider and am testing it with some IdPs. When I tested with ADFS, login works fine, but I have a problem during logout. Actually, when I send a logout request, I get a valid logout response from ADFS, but when I send a new AuthnRequest after the successful logout, ADFS does not ask for any credentials; it makes the previously logged-in user the current user and sends a valid Auth Response for that user. Thanks in advance.

    ```xml
    <samlp:LogoutResponse ID="_4b1507e9-85c6-4aab-8a20-9bf420f15057" Version="2.0"
                          IssueInstant="2018-01-24T10:16:46.793Z"
                          Destination="https://manoj-3374:9876/mc/SamlLogoutResponseServlet"
                          Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                          InResponseTo="ME_7d8bc526-b585-460e-a677-cab2c9f4c43b"
                          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://hostname/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#_4b1507e9-85c6-4aab-8a20-9bf420f15057">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>pLbKQReWhLBgYkDMe4ets84pnQq21NexmofA/49bBXQ=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>oq60dpAGnAUdjmLFUFZDIcc/LZo5dhxVgc12nMUdAmffl3CgMXXOUvdprUaAWkf84gTZ2zaHb0iIHDRIjjicrfR1NunmgT9/dpP0rHvDJ5ViCyb6Lf7eWomyDqAAvpWGL9MwHIpW0tQZj04DxYbMzRJrwyvCClKO8IQ+xin09wSXcU5Ibm7l/75FZB/ZNI35e/PietCL6Rt8uf/YjH4sYthIYzTBn70iYAElO87YFvVBP0RtK0vv5WpcvnxaGh0eWDnYAYJHEIZQ/EjZFCEVfuneqL2F9n3uXQR9FW2N9Kb3mdKy74PSh/Qbsosq3efZ7sC5DXUcVseJIrJTynpBrw==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </KeyInfo>
      </ds:Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
    </samlp:LogoutResponse>
    ```

    Kindly help me fix this issue. Thanks in advance.

    Regards,

    Manoj.

    Thursday, January 25, 2018 2:13 PM

All replies

  • Hello,

    Is the machine you are testing with part of a domain, and if so, are you testing within your internal AD network? If so, then IWA is probably taking effect. Can you try from an external network and see if you get the same issues?


    Isaac Oben MCITP:EA, MCSE, MCC. View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    Sunday, January 28, 2018 11:41 PM
  • Hi Isaac,

    Yes, both the machine and the ADFS machine are on the same network.

    If so, then IWA is probably taking effect

    Ohh, I am not aware of it. By the way, what is IWA?

    I will try with an external network and get back.

    Monday, January 29, 2018 11:14 AM
  • Hello,

    Integrated Windows Authentication. Since both machines are in your internal network, that SSO behavior may be expected. Let me know if external works.


    Isaac Oben MCITP:EA, MCSE, MCC. View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    Thursday, February 1, 2018 7:11 AM
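The behaviour described in this thread (a successful LogoutResponse, then a silent re-login on the next AuthnRequest) is what an SP sees when the IdP still holds a session for the user, here via Integrated Windows Authentication. Two things an SP should do are shown below as an added example, not code from the original poster or from ADFS: first, validate the LogoutResponse fields (InResponseTo, Destination, Issuer, Status) before discarding the local session, and second, issue the next AuthnRequest with `ForceAuthn="true"`, the attribute SAML 2.0 Core defines to ask the IdP to re-authenticate the principal instead of reusing an existing IdP session. The sample response is reconstructed from the XML posted in the question with the Signature element removed; the SP entity ID, ACS URL and ADFS SSO URL are assumed placeholder values. Signature verification is deliberately left out and must be done separately against the IdP's pinned signing certificate.

```python
# Added example (not from the thread or from ADFS): validate an ADFS LogoutResponse
# before tearing down the SP session, then build the next AuthnRequest with
# ForceAuthn="true" so the IdP re-prompts even when IWA would sign the user in silently.
import datetime
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: mirrors the LogoutResponse posted in the question, with the
# ds:Signature element stripped (signature checking is a separate step, see below).
SAMPLE_LOGOUT_RESPONSE = """<samlp:LogoutResponse ID="_4b1507e9-85c6-4aab-8a20-9bf420f15057"
  Version="2.0" IssueInstant="2018-01-24T10:16:46.793Z"
  Destination="https://manoj-3374:9876/mc/SamlLogoutResponseServlet"
  InResponseTo="ME_7d8bc526-b585-460e-a677-cab2c9f4c43b"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://hostname/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


def validate_logout_response(xml_text, expected_in_response_to,
                             expected_destination, expected_issuer):
    """Return (ok, reason). Only when ok is True may the SP discard its local session.

    This does NOT verify the XML signature. In production, verify the enveloped
    ds:Signature against the IdP signing certificate taken from federation
    metadata before trusting any of the fields checked here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        return False, "not a LogoutResponse"
    if root.get("Version") != "2.0":
        return False, "unexpected SAML version"
    # Ties the response to the LogoutRequest we actually sent (replay protection).
    if root.get("InResponseTo") != expected_in_response_to:
        return False, "InResponseTo does not match our LogoutRequest ID"
    # The response must be addressed to our own SLO endpoint.
    if root.get("Destination") != expected_destination:
        return False, "Destination is not our SLO endpoint"
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected_issuer:
        return False, "unexpected Issuer"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    return True, "ok"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True):
    """Build an AuthnRequest; returns (request_id, xml_string).

    ForceAuthn="true" asks the IdP to authenticate the user afresh rather than
    reuse an existing IdP session such as one established through IWA.
    """
    req_id = "_" + uuid.uuid4().hex
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    root = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": now,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    return req_id, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    ok, reason = validate_logout_response(
        SAMPLE_LOGOUT_RESPONSE,
        expected_in_response_to="ME_7d8bc526-b585-460e-a677-cab2c9f4c43b",
        expected_destination="https://manoj-3374:9876/mc/SamlLogoutResponseServlet",
        expected_issuer="http://hostname/adfs/services/trust",
    )
    print("LogoutResponse valid:", ok, reason)
    # Placeholder SP and IdP endpoints (assumed values, not from the thread).
    req_id, xml = build_authn_request(
        "https://sp.example.test/saml/metadata",
        "https://sp.example.test/saml/acs",
        "https://hostname/adfs/ls/",
    )
    print(req_id, xml)
```

Remember the request ID returned by `build_authn_request` and compare it to `InResponseTo` on the Response that comes back; the same pairing is what `validate_logout_response` enforces for the logout leg. ForceAuthn makes the IdP re-prompt the browser, but it does not by itself end the IdP-side session; if the requirement is that the user is fully logged out of ADFS as well, the SP-initiated LogoutRequest must still be sent and its response checked as above.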