
Re: SAML LogoutResponse elements are out of order



Hi Sampo,

Thanks for the reply. I'll try it out on v1.18, and let you know.

Regards,
Karthik


On Thu, Jun 19, 2014 at 7:16 AM, <sampo@xxxxxxxxx> wrote:

> Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
> > Hi all,
> >
> > I'm using ZXID v1.16 with mod_auth_saml Apache plugin. The IDP is ADFS. The
> > authn request processing has been successful. But when the IDP initiates
> > the logout request and the ZXID library sends the LogoutResponse, ADFS is
> > unable to parse the request.
> >
> > One of the causes could be that the <Issuer> element is after the <Status>
> > element.
> >
> > A sample LogoutResponse is below:
> >
> > <sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
> >                    Destination="destinationURL"
> >                    InResponseTo="requestId"
> >                    IssueInstant="time"
> >                    Version="2.0"
> >                    ID="responseId"
> >                    >
> >     <sp:Status>
> >         <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
> >     </sp:Status>
> >     <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
> > </sp:LogoutResponse>
>
> Yes, this is a bug with 1.16. Have you tried 1.18?
>
> Cheers,
> --Sampo
>
> > The SAML specification xsd has this definition for the ResponseType complex
> > type:
> >
> >
> > <complexType name="StatusResponseType">
> > <sequence>
> > <element ref="saml:Issuer" minOccurs="0"/>
> > <element ref="ds:Signature" minOccurs="0"/>
> > <element ref="samlp:Extensions" minOccurs="0"/>
> > <element ref="samlp:Status"/>
> > </sequence>
> > <attribute name="ID" type="ID" use="required"/>
> > <attribute name="InResponseTo" type="NCName" use="optional"/>
> > <attribute name="Version" type="string" use="required"/>
> > <attribute name="IssueInstant" type="dateTime" use="required"/>
> > <attribute name="Destination" type="anyURI" use="optional"/>
> > <attribute name="Consent" type="anyURI" use="optional"/>
> > </complexType>
> >
> > What is the best way to ensure that the xsd is followed in the response? I
> > saw the http://www.zxid.org/html/zxid-raw.html talks about "Encoding in
> > schema order" and "Encoding in wire order", but I am not sure if there is a
> > configuration that can achieve this.
> >
> > Any help with this would be greatly appreciated.
> >
> >
> > Regards,
> > Karthik
> >
> > --
> >
> > ------------------------------
> > <http://www.xtivia.com>  <http://www.virtual-dba.com/>
> > <http://www.virtual-dba.com/> <http://www.virtual-asa.com/>
> > <http://www.facebook.com/Xtivia>  <http://twitter.com/#!/xtivia>
> > <http://www.linkedin.com/company/xtivia>  <http://blogs.xtivia.com>
> > <http://www.xtivia.com/resources/webinars>
> > *Xtivia Virtual-Services (DBA/ASA) Customer Support: (800) 205-7537*
> > ------------------------------
> > This e-mail may contain confidential or privileged information. If you
> > believe you have received this e-mail in error, please notify the sender
> by
> > reply e-mail and then delete this e-mail immediately.
> >
>

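The order problem discussed in this thread can be checked mechanically against the StatusResponseType `<sequence>` quoted above. The following is an added example (not ZXID code and not something posted in the thread): it walks the children of a LogoutResponse, reports any child that appears before an element the schema places earlier, and can reorder an unsigned message into schema order. The sample document is the one from the original post, reduced to a string. Note that a signed message must not be reordered after the fact, since moving children under the signed root changes the bytes the `ds:Signature` covers; the fix has to happen in the encoder, before signing, which is why the answer points at a newer library version rather than at post-processing the output.

```python
"""Check (and, for unsigned messages, repair) the child-element order of a
SAML 2.0 StatusResponseType message such as LogoutResponse.

Added example, not ZXID code.  The sequence below is the xsd <sequence>
quoted in the thread; the sample LogoutResponse is the (constructed) one
from the original post."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# StatusResponseType <sequence>: (namespace, local name, required)
STATUS_RESPONSE_SEQUENCE = [
    (SAML, "Issuer", False),
    (DS, "Signature", False),
    (SAMLP, "Extensions", False),
    (SAMLP, "Status", True),
]

# Sample from the original post, with the Issuer after the Status.
SAMPLE_WRONG_ORDER = """<sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="destinationURL" InResponseTo="requestId" IssueInstant="time"
    Version="2.0" ID="responseId">
  <sp:Status>
    <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </sp:Status>
  <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
</sp:LogoutResponse>"""


def _qname(ns, local):
    # ElementTree spells a namespaced tag as "{namespace}local".
    return "{%s}%s" % (ns, local)


def check_sequence(root, sequence=STATUS_RESPONSE_SEQUENCE):
    """Return a list of problems; an empty list means the order is schema-valid."""
    expected = [_qname(ns, local) for ns, local, _ in sequence]
    problems = []
    pos = 0        # index into `expected` of the furthest element accepted so far
    seen = set()
    for child in list(root):
        tag = child.tag
        if tag not in expected:
            problems.append("unexpected element %s" % tag)
            continue
        idx = expected.index(tag)
        if tag in seen:
            problems.append("duplicate element %s" % tag)
        elif idx < pos:
            # An element the schema places earlier came after a later one.
            problems.append("%s must precede %s" % (tag, expected[pos]))
        seen.add(tag)
        pos = max(pos, idx)
    for ns, local, required in sequence:
        if required and _qname(ns, local) not in seen:
            problems.append("missing required element %s" % _qname(ns, local))
    return problems


def reorder_to_schema(root, sequence=STATUS_RESPONSE_SEQUENCE):
    """Return a new root whose children are sorted into schema order.

    Refuses if a ds:Signature is present: moving children under a signed
    root changes the signed bytes and invalidates the signature, so the
    order has to be right before the message is signed."""
    if root.find(_qname(DS, "Signature")) is not None:
        raise ValueError("refusing to reorder a signed message")
    rank = {_qname(ns, local): i for i, (ns, local, _) in enumerate(sequence)}
    new_root = ET.Element(root.tag, root.attrib)
    # sorted() is stable, so elements with the same tag keep their relative order.
    for child in sorted(list(root), key=lambda c: rank.get(c.tag, len(rank))):
        new_root.append(child)
    return new_root


def check_document(xml_text):
    """Parse a message and return its list of order problems."""
    return check_sequence(ET.fromstring(xml_text))


def fix_document(xml_text):
    """Parse an unsigned message and return it re-serialized in schema order."""
    return ET.tostring(reorder_to_schema(ET.fromstring(xml_text)), encoding="unicode")


if __name__ == "__main__":
    for problem in check_document(SAMPLE_WRONG_ORDER):
        print("problem:", problem)
    print(fix_document(SAMPLE_WRONG_ORDER))
```

Run against the sample, `check_document` reports that `Issuer` must precede `Status`; `fix_document` moves the Issuer first and the check then passes. The walk keeps the index of the furthest schema position seen so far, so optional elements (Signature, Extensions) may be absent without raising a problem, and a missing required Status is reported separately.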