
Re: SAML LogoutResponse elements are out of order



Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
> Hi all,
> 
> I'm using ZXID v1.16 with mod_auth_saml Apache plugin. The IDP is ADFS. The
> authn request processing has been successful. But when the IDP initiates
> the logout request and the ZXID library sends the LogoutResponse, ADFS is
> unable to parse the request.
> 
> One of the causes could be that the <Issuer> element is after the <Status>
> element.
> 
> A sample LogoutResponse id below:
> 
> <sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
>                    Destination="destinationURL"
>                    InResponseTo="requestId"
>                    IssueInstant="time"
>                    Version="2.0"
>                    ID="responseId"
>                    >
>     <sp:Status>
>         <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>     </sp:Status>
>     <sa:Issuer
> xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
> </sp:LogoutResponse>

Yes, this is a bug with 1.16. Have you tried 1.18?

Cheers,
--Sampo

> The SAML specification xsd has this definition for the ResponseType complex
> type:
> 
> 
> <complexType name="StatusResponseType">
> <sequence>
> <element ref="saml:Issuer" minOccurs="0"/>
> <element ref="ds:Signature" minOccurs="0"/>
> <element ref="samlp:Extensions" minOccurs="0"/>
> <element ref="samlp:Status"/>
> </sequence>
> <attribute name="ID" type="ID" use="required"/>
> <attribute name="InResponseTo" type="NCName" use="optional"/>
> <attribute name="Version" type="string" use="required"/>
> <attribute name="IssueInstant" type="dateTime" use="required"/>
> <attribute name="Destination" type="anyURI" use="optional"/>
> <attribute name="Consent" type="anyURI" use="optional"/>
> </complexType>
> 
> What is the best way to ensure that the xsd is followed in the response? I
> saw the http://www.zxid.org/html/zxid-raw.html talks about "Encoding in
> schema order" and "Encoding in wire order", but I am not sure if there is a
> configuration that can achieve this.
> 
> Any help with this would be greatly appreciated.
> 
> 
> Regards,
> Karthik
> 
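The thread above is about a LogoutResponse whose children are serialised in the wrong order relative to the StatusResponseType sequence quoted from the schema. The following is an added example, not ZXID or mod_auth_saml code: it checks a response's child-element order against that sequence (Issuer, Signature, Extensions, Status), reports each violation, and rewrites the children into schema order. The sample response embedded in it is constructed to mirror the one in the thread. One design point worth noting in the code: any reordering must happen before the ds:Signature is computed, because a signature covers the canonicalised bytes and moving elements after signing would invalidate it.

```python
"""Check and repair the child-element order of a SAML 2.0 StatusResponseType
(e.g. LogoutResponse) against the schema sequence quoted in the thread.
Added example for illustration; not part of ZXID."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Use stable prefixes when re-serialising instead of ET's generated ns0/ns1.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Order of the <sequence> in StatusResponseType (SAML 2.0 protocol schema).
SCHEMA_ORDER = [
    "{%s}Issuer" % SAML,
    "{%s}Signature" % DS,
    "{%s}Extensions" % SAMLP,
    "{%s}Status" % SAMLP,
]

# Constructed sample mirroring the out-of-order response from the thread
# (Status before Issuer). Attribute values are placeholders.
SAMPLE = """<sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="destinationURL" InResponseTo="requestId"
    IssueInstant="time" Version="2.0" ID="responseId">
  <sp:Status>
    <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </sp:Status>
  <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
</sp:LogoutResponse>"""


def local(tag):
    """Strip the {namespace} part of a Clark-notation tag."""
    return tag.rsplit("}", 1)[-1]


def check_order(xml_text):
    """Return a list of (local_name, reason) for every child that violates
    the StatusResponseType sequence; an empty list means the order is valid."""
    root = ET.fromstring(xml_text)
    problems = []
    last_rank = -1          # rank of the furthest-along element seen so far
    seen = set()
    for child in root:
        if child.tag not in SCHEMA_ORDER:
            problems.append((local(child.tag), "not permitted by StatusResponseType"))
            continue
        rank = SCHEMA_ORDER.index(child.tag)
        if child.tag in seen:
            problems.append((local(child.tag), "occurs more than once (maxOccurs=1)"))
        seen.add(child.tag)
        if rank < last_rank:
            problems.append((local(child.tag),
                             "must precede %s" % local(SCHEMA_ORDER[last_rank])))
        last_rank = max(last_rank, rank)
    if SCHEMA_ORDER[3] not in seen:
        problems.append(("Status", "required element missing"))
    return problems


def reorder(xml_text):
    """Re-serialise the response with its children in schema order.
    Must be applied BEFORE signing: reordering a signed document changes the
    canonicalised bytes and therefore breaks the ds:Signature."""
    root = ET.fromstring(xml_text)
    fixed = ET.Element(root.tag, root.attrib)
    def rank(el):
        # Unknown elements sort last so they remain visible to check_order().
        return SCHEMA_ORDER.index(el.tag) if el.tag in SCHEMA_ORDER else len(SCHEMA_ORDER)
    for child in sorted(list(root), key=rank):   # sorted() is stable
        fixed.append(child)
    return ET.tostring(fixed, encoding="unicode")


def child_order(xml_text):
    """Local names of the root's children, in document order."""
    return [local(c.tag) for c in ET.fromstring(xml_text)]


if __name__ == "__main__":
    print("violations:", check_order(SAMPLE))
    fixed = reorder(SAMPLE)
    print("after reorder:", child_order(fixed), check_order(fixed))
```

Run stand-alone it reports that Issuer must precede Status in the sample, then shows the repaired child order with no remaining violations. The same check_order() function can be pointed at a captured LogoutResponse to confirm whether a newer ZXID build actually emits schema order before the IdP is asked to consume it.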