Single Logout issue (Signature validation failed. Logout Response rejected) #80
ADFS returns a Logout Response with:
So the Logout Process failed. If you read the ADFS report:
it is not a signature validation problem; instead: "The SAML Single Logout request does not correspond to the logged-in session participant." I can't see what the NameID was in the SAML Response sent by ADFS since the Assertion is encrypted, but it seems to be different from the NameID you provided in the Logout Request.
I got this error before when doing SLO with ADFS. To resolve it, keep the $auth->getNameId() and $auth->getSessionIndex() (that you received from the login response), then pass them to the $auth->logout function when doing logout.
@johnliman: I was already keeping the nameId and the sessionIndex to send them through the logout method. @pitbulk: Indeed I was missing the SPNameQualifier in my claim rules, and I fixed it using the following custom rule on the ADFS side.
After fixing the ADFS claim rule, the user was successfully logged out on the ADFS side; however, I was still getting the signature verification failure. I found out that setting the $retrieveParametersFromServer parameter to true in the processSLO method called in the SLS endpoint fixed my issue. Thanks all for your help!
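The ADFS error quoted above ("does not correspond to the logged-in session participant") is the IdP comparing the LogoutRequest's NameID (value, Format, SPNameQualifier) and SessionIndex against what it issued in the login Assertion. The following is an added example, not code from php-saml or from anyone in this thread: it pulls those fields out of a decrypted Assertion, reuses them verbatim in a LogoutRequest, and applies the same equality check the IdP does. The Assertion, the mismatched LogoutRequest, the entity IDs and the SLO URL are constructed placeholders, and it uses only the Python standard library.

```python
"""Carry the login-time subject into the LogoutRequest, and check that a
LogoutRequest names the same session participant the Assertion did.

The IdP compares <NameID> (text, Format, SPNameQualifier) and <SessionIndex>
with what it issued at login; any difference makes SLO fail regardless of
the signature.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Caveat: stdlib ElementTree is not hardened against hostile XML; a real SP
# should parse with defusedxml and only after signature/decryption checks.


def session_from_assertion(assertion_xml: str) -> dict:
    """Return the fields SLO must echo back: NameID (+ qualifiers) and SessionIndex."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    authn = root.find("saml:AuthnStatement", NS)
    if name_id is None or authn is None:
        raise ValueError("assertion lacks NameID or AuthnStatement")
    return {
        "name_id": name_id.text,
        "format": name_id.get("Format"),
        "sp_name_qualifier": name_id.get("SPNameQualifier"),
        "name_qualifier": name_id.get("NameQualifier"),
        "session_index": authn.get("SessionIndex"),
    }


def build_logout_request(sp_entity_id: str, idp_slo_url: str, session: dict) -> str:
    """Serialise a LogoutRequest that reuses the stored subject unchanged."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_slo_url,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    # Only emit the qualifiers the Assertion actually carried.
    nid_attrs = {k: v for k, v in (("Format", session["format"]),
                                   ("SPNameQualifier", session["sp_name_qualifier"]),
                                   ("NameQualifier", session["name_qualifier"])) if v}
    ET.SubElement(req, f"{{{NS['saml']}}}NameID", nid_attrs).text = session["name_id"]
    if session["session_index"]:
        ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = session["session_index"]
    return ET.tostring(req, encoding="unicode")


def logout_request_matches_session(logout_request_xml: str, session: dict) -> bool:
    """The IdP-side check: same NameID text and qualifiers, same SessionIndex."""
    root = ET.fromstring(logout_request_xml)
    nid = root.find("saml:NameID", NS)
    idx = root.find("samlp:SessionIndex", NS)
    if nid is None:
        return False
    return (nid.text == session["name_id"]
            and nid.get("Format") == session["format"]
            and nid.get("SPNameQualifier") == session["sp_name_qualifier"]
            and (idx.text if idx is not None else None) == session["session_index"])


# Constructed sample Assertion (already decrypted) as an ADFS claim rule
# with an spnamequalifier property would produce it.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        SPNameQualifier="https://sp.example.com/metadata">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2015-01-01T00:00:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""

# Constructed LogoutRequest with the same email but no SPNameQualifier: rejected.
MISMATCHED_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_l1" Version="2.0"
    IssueInstant="2015-01-01T00:05:00Z" Destination="https://adfs.example.com/adfs/ls/">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  <samlp:SessionIndex>_s1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    s = session_from_assertion(ASSERTION)
    good = build_logout_request("https://sp.example.com/metadata",
                                "https://adfs.example.com/adfs/ls/", s)
    print("reused subject matches:", logout_request_matches_session(good, s))
    print("missing SPNameQualifier matches:",
          logout_request_matches_session(MISMATCHED_LOGOUT_REQUEST, s))
```

Store the dict from session_from_assertion in the SP session at login and feed it, untouched, into the LogoutRequest; hard-coding an SPNameQualifier the IdP never issued (or dropping one it did) reproduces the ADFS rejection in the thread.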
I may have found a bug related to this issue, not sure. The reason it works when you call processSLO with $retrieveParametersFromServer set to false is because the signed query does not get URL encoded before validation against the certificate. The offending code starts at Utils.php:1505. Because the signed query is URL encoded, the URLs don't match what's in the logout response and it throws an error.
I could be wrong, idk.
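The mechanism both of the last two comments are circling is the HTTP-Redirect binding rule (SAML 2.0 Bindings, section 3.4.4.1): the signature covers the URL-encoded query fragments SAMLRequest or SAMLResponse, RelayState (if present) and SigAlg, in that order, exactly as they were sent. Percent-encoding is not canonical (hex digit case, + versus %20), so an SP that decodes the parameters and re-encodes them with its own encoder can produce different bytes and fail a valid signature; reading the original query string, which is what the thread's $retrieveParametersFromServer option does, avoids that. The following is an added example, not php-saml's or python-saml's code: it builds the signed byte string from the raw query, applies a SigAlg allowlist before any cryptography, and contrasts it with the fragile decode-then-re-encode construction. The query string is constructed, with an IdP that encodes using lowercase hex digits, and only the Python standard library is used; the RSA verification call itself is left to whichever crypto library the SP already has.

```python
"""Signed bytes for a SAML 2.0 HTTP-Redirect binding message.

SAML 2.0 Bindings 3.4.4.1: the signature is computed over
SAMLRequest|SAMLResponse, RelayState (if present) and SigAlg, URL-encoded,
in that order, joined with '&'.  The SP must verify over the bytes the IdP
actually sent; decoding and re-encoding them is not guaranteed to round-trip.
"""
from base64 import b64decode
from urllib.parse import quote, unquote

SIGNED_ORDER = ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg")

# Reject anything else before touching the signature (no HMAC, no MD5).
ALLOWED_SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}


def raw_fragments(query_string: str) -> dict:
    """name -> value, with the value kept exactly as it appeared on the wire."""
    frags = {}
    for part in query_string.split("&"):
        if part:
            name, _, value = part.partition("=")
            frags[unquote(name)] = value
    return frags


def signed_data_from_raw(query_string: str) -> bytes:
    """The byte string to hand to RSA verification, built from the raw query."""
    frags = raw_fragments(query_string)
    if ("SAMLRequest" in frags) == ("SAMLResponse" in frags):
        raise ValueError("exactly one of SAMLRequest/SAMLResponse is required")
    if "SigAlg" not in frags or "Signature" not in frags:
        raise ValueError("SigAlg and Signature are both required")
    sig_alg = unquote(frags["SigAlg"])
    if sig_alg not in ALLOWED_SIG_ALGS:
        raise ValueError(f"SigAlg not allowed: {sig_alg}")
    # Spec order, not the order the parameters happened to arrive in.
    return "&".join(f"{n}={frags[n]}" for n in SIGNED_ORDER if n in frags).encode("ascii")


def signature_inputs(query_string: str):
    """(signed_data, signature_bytes, sig_alg): everything a verify() call needs."""
    frags = raw_fragments(query_string)
    signed = signed_data_from_raw(query_string)
    return signed, b64decode(unquote(frags["Signature"])), unquote(frags["SigAlg"])


def decoded_params(query_string: str) -> dict:
    """What $_GET / request.GET hands the application: fully decoded values."""
    return {n: unquote(v) for n, v in raw_fragments(query_string).items()}


def signed_data_from_decoded(params: dict) -> bytes:
    """The fragile construction: rebuild the query from decoded values.
    quote() (like PHP's urlencode) emits uppercase hex, so this equals the
    IdP's bytes only when the IdP happened to encode the same way."""
    return "&".join(f"{n}={quote(params[n], safe='')}"
                    for n in SIGNED_ORDER if n in params).encode("ascii")


# Constructed sample: an IdP that percent-encodes with lowercase hex digits.
# SAMLResponse is base64 of a tiny placeholder, Signature is base64("sig").
IDP_QUERY = ("SAMLResponse=PHNhbWxwOkxvZ291dFJlc3BvbnNlLz4%3d"
             "&RelayState=https%3a%2f%2fsp.example.com%2f"
             "&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256"
             "&Signature=c2ln")

if __name__ == "__main__":
    raw = signed_data_from_raw(IDP_QUERY)
    rebuilt = signed_data_from_decoded(decoded_params(IDP_QUERY))
    print("raw    :", raw.decode())
    print("rebuilt:", rebuilt.decode())
    print("equal  :", raw == rebuilt)
```

Run on the sample, the raw and rebuilt strings differ only in the case of the percent-encoded hex digits, which is enough to break an RSA signature over them; feed the tuple from signature_inputs to the verifier with the IdP certificate rather than anything reconstructed from decoded parameters.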
Hi,
I've been trying to use the OneLogin PHP Toolkit (v2.6) to enable SSO with our IdP (ADFS 3.0). So far I've been able to make single sign-on work; however, I am still having issues with the single logout process.
After some research about the issue I've found out that I'm having exactly the same issue reported by @jacquesd, but for him it happened with the OneLogin Python Toolkit (SAML-Toolkits/python-saml#53).
I've tried setting ADFS to use RSA-SHA256 as well as RSA-SHA1, with no luck.
The error on the SP side is:
And the error reported by ADFS is listed below.
Below are the SAML AuthnRequest and its response as well as the Logout request and corresponding response.
The OneLogin configuration that I've been using is listed below:
We also noticed that the signature verification that fails is the one using the IdP certificate, and we ensured that it was correct.