
SAML LogoutResponse elements are out of order



Hi all,

I'm using ZXID v1.16 with the mod_auth_saml Apache plugin. The IDP is ADFS. The
authn request processing has been successful. But when the IDP initiates
the logout request and the ZXID library sends the LogoutResponse, ADFS is
unable to parse the request.

One of the causes could be that the <Issuer> element is after the <Status>
element.

A sample LogoutResponse is below:

<sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
                   Destination="destinationURL"
                   InResponseTo="requestId"
                   IssueInstant="time"
                   Version="2.0"
                   ID="responseId">
    <sp:Status>
        <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </sp:Status>
    <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
</sp:LogoutResponse>


The SAML specification xsd has this definition for the ResponseType complex
type:


<complexType name="StatusResponseType">
<sequence>
<element ref="saml:Issuer" minOccurs="0"/>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="samlp:Extensions" minOccurs="0"/>
<element ref="samlp:Status"/>
</sequence>
<attribute name="ID" type="ID" use="required"/>
<attribute name="InResponseTo" type="NCName" use="optional"/>
<attribute name="Version" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
<attribute name="Destination" type="anyURI" use="optional"/>
<attribute name="Consent" type="anyURI" use="optional"/>
</complexType>

What is the best way to ensure that the xsd is followed in the response? I
saw that http://www.zxid.org/html/zxid-raw.html talks about "Encoding in
schema order" and "Encoding in wire order", but I am not sure if there is a
configuration that can achieve this.

Any help with this would be greatly appreciated.


Regards,
Karthik

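The ordering rule quoted in the post can be checked mechanically. The following is an added example, not part of the original message and not ZXID code: it compares the children of a LogoutResponse against the StatusResponseType sequence and reorders an unsigned message. The function names and the sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Child order required by the <sequence> of StatusResponseType quoted in the post.
SEQUENCE = [f"{{{SAML}}}Issuer", f"{{{DS}}}Signature",
            f"{{{SAMLP}}}Extensions", f"{{{SAMLP}}}Status"]

# Constructed sample mirroring the LogoutResponse in the post (placeholder values).
SAMPLE = """<sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="destinationURL" InResponseTo="requestId"
    IssueInstant="time" Version="2.0" ID="responseId">
  <sp:Status>
    <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </sp:Status>
  <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
</sp:LogoutResponse>"""


def parse(xml_text):
    # For messages from an untrusted peer, parse with a hardened parser
    # such as defusedxml instead of the standard library.
    return ET.fromstring(xml_text)


def order_violations(root):
    """Return one message per child that breaks the schema sequence."""
    problems, seen, highest = [], set(), -1
    for child in root:
        if child.tag not in SEQUENCE:
            problems.append(f"unexpected child {child.tag}")
            continue
        rank = SEQUENCE.index(child.tag)
        if child.tag in seen:
            problems.append(f"duplicate {child.tag}")
        elif rank < highest:
            problems.append(f"{child.tag} must precede {SEQUENCE[highest]}")
        seen.add(child.tag)
        highest = max(highest, rank)
    if SEQUENCE[-1] not in seen:
        problems.append("missing required samlp:Status")
    return problems


def reorder(root):
    """Sort children into schema order in place; refuse signed messages."""
    if root.find(f"{{{DS}}}Signature") is not None:
        raise ValueError("signed message: reordering would invalidate the signature")
    rank = lambda c: SEQUENCE.index(c.tag) if c.tag in SEQUENCE else len(SEQUENCE)
    root[:] = sorted(root, key=rank)
    return root
```

Reordering has to happen before the message is signed, which is why `reorder` rejects a response that already carries a `ds:Signature`.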