
Re: SAML LogoutResponse elements are out of order



Hi Sampo,

I tried with version 1.18, but I am facing hurdles in getting the login
itself working!

I took the following steps:

   1. I downloaded the zxid-1.18.tgz and did the gunzip and untar to get the
   zxid-1.18 directory.
   2. I did the "sudo make apachezxid", and it went through neatly and
   created the mod_auth_saml.so file.
   3. sudo make apachezxid_install initially did not work, but I manually
   copied the mod_auth_saml.so into the modules of apache2
   4. I took a backup of my zxid.conf and removed the /var/zxid directory.
   5. Retried sudo make apachezxid_install to create the /var/zxid
   directory structure.
   6. Copied back the old zxid.conf to /var/zxid
   7. Restarted the apache server
   8. Accessed the /protected/saml?o=B to get the SAML metadata.
   9. I reconfigured the CoT by removing the contents of /var/zxid/cot
   directory and getting the metadata of my IDP running the zxcot -g
   <metadataURL> and this configured the CoT successfully.
   10. After this I accessed my test application's url (which is protected
   by saml), and it showed the IDP selection page.
      1. This was the first red flag as I had given the DEFAULTQS=l0<IDP>=1
      and it worked previously on v 1.16, but not on v 1.18
   11. So I selected the only IDP entry in the drop down and was displayed
   the IDP's login page. After successfully logging in to IDP, I got the
   redirection to my original url, but it started displaying the IDP selection
   page again.

I used the SAML Tracer in Firefox to check the choreography, and it looks
like the IDP is sending a proper AuthnResponse, and this used to work with
v 1.16. But the session is not getting created on the Zxid level, which was
apparent when the ZXIDSES cookie was not created in the cookies.

So I've two questions:

   1. I really am happy with the way v 1.16 is working, so is there a way
   that the bug fix for the logout response be ported back to v 1.16? Or is it
   simple enough that I can do it for my version (with your guidance, of
   course)?
   2. Is there anything that is drastically different in v 1.18 that I am
   facing these issues? (maybe missing some configuration or is a
   configuration name changed?)

Again, any help would be greatly appreciated. We have the whole application
working, but are facing this hurdle in the final step of logout!

Regards,
Karthik

On Thu, Jun 19, 2014 at 9:49 AM, Karthik Sudarshan <ksudarshan@xxxxxxxxxx>
wrote:

> Hi Sampo,
>
> Thanks for the reply. I'll try it out on  v 1.18, and let you know.
>
> Regards,
> Karthik
>
>
> On Thu, Jun 19, 2014 at 7:16 AM, <sampo@xxxxxxxxx> wrote:
>
>> Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
>> > Hi all,
>> >
>> > I'm using ZXID v1.16 with mod_auth_saml Apache plugin. The IDP is ADFS.
>> The
>> > authn request processing has been successful. But when the IDP initiates
>> > the logout request and the ZXID library sends the LogoutResponse, ADFS
>> is
>> > unable to parse the request.
>> >
>> > One of the causes could be that the <Issuer> element is after the
>> <Status>
>> > element.
>> >
>> > A sample LogoutResponse is below:
>> >
>> > <sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
>> >                    Destination="destinationURL"
>> >                    InResponseTo="requestId"
>> >                    IssueInstant="time"
>> >                    Version="2.0"
>> >                    ID="responseId"
>> >                    >
>> >     <sp:Status>
>> >         <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>> >     </sp:Status>
>> >     <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
>> > </sp:LogoutResponse>
>>
>> Yes, this is a bug with 1.16. Have you tried 1.18?
>>
>> Cheers,
>> --Sampo
>>
>> > The SAML specification xsd has this definition for the ResponseType
>> complex
>> > type:
>> >
>> >
>> > <complexType name="StatusResponseType">
>> > <sequence>
>> > <element ref="saml:Issuer" minOccurs="0"/>
>> > <element ref="ds:Signature" minOccurs="0"/>
>> > <element ref="samlp:Extensions" minOccurs="0"/>
>> > <element ref="samlp:Status"/>
>> > </sequence>
>> > <attribute name="ID" type="ID" use="required"/>
>> > <attribute name="InResponseTo" type="NCName" use="optional"/>
>> > <attribute name="Version" type="string" use="required"/>
>> > <attribute name="IssueInstant" type="dateTime" use="required"/>
>> > <attribute name="Destination" type="anyURI" use="optional"/>
>> > <attribute name="Consent" type="anyURI" use="optional"/>
>> > </complexType>
>> >
>> > What is the best way to ensure that the xsd is followed in the
>> response? I
>> > saw the http://www.zxid.org/html/zxid-raw.html talks about "Encoding in
>> > schema order" and "Encoding in wire order", but I am not sure if there
>> is a
>> > configuration that can achieve this.
>> >
>> > Any help with this would be greatly appreciated.
>> >
>> >
>> > Regards,
>> > Karthik
>> >
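As an added example (not ZXID's own code and not from anyone in the thread), here is a small Python check for the ordering problem the thread discusses: it compares a LogoutResponse's child elements against the StatusResponseType sequence quoted above (Issuer, Signature, Extensions, Status) and can re-serialise the element in schema order. The sample response is constructed from the one in the mail; the samlp/saml/ds prefixes it registers are conventional choices, not anything ZXID emits.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)  # assumed prefixes for readable output

# Child order fixed by the StatusResponseType <sequence> in the samlp schema:
# Issuer?, Signature?, Extensions?, Status (only Status is required).
SCHEMA_ORDER = ["{%s}Issuer" % SAML, "{%s}Signature" % DS,
                "{%s}Extensions" % SAMLP, "{%s}Status" % SAMLP]

def local(tag):  # "{ns}Name" -> "Name", for readable messages
    return tag.rsplit("}", 1)[-1]

def schema_order_errors(xml_text):
    """Return a list of problems; [] means the children are in schema order."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % SAMLP:
        return ["unexpected root element " + local(root.tag)]
    errors, positions = [], []
    for child in root:
        if child.tag in SCHEMA_ORDER:
            positions.append(SCHEMA_ORDER.index(child.tag))
        else:
            errors.append("unexpected child " + local(child.tag))
    if not any(child.tag == SCHEMA_ORDER[-1] for child in root):
        errors.append("missing required samlp:Status")
    if positions != sorted(positions):  # sequence order violated
        errors.append("children out of schema order: " + ", ".join(local(c.tag) for c in root))
    return errors

def reorder_to_schema(xml_text):
    """Re-serialise with children in schema order (unknown children go last)."""
    root = ET.fromstring(xml_text)
    children = list(root)
    for child in children:
        root.remove(child)
    rank = lambda c: SCHEMA_ORDER.index(c.tag) if c.tag in SCHEMA_ORDER else len(SCHEMA_ORDER)
    for child in sorted(children, key=rank):  # sorted() is stable
        root.append(child)
    return ET.tostring(root, encoding="unicode")

# Constructed sample mirroring the response quoted in the thread: Status precedes Issuer.
BAD_LOGOUT_RESPONSE = (
    '<sp:LogoutResponse xmlns:sp="%s" ID="responseId" Version="2.0" IssueInstant="time" '
    'InResponseTo="requestId" Destination="destinationURL"><sp:Status><sp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></sp:Status><sa:Issuer '
    'xmlns:sa="%s">issuerEntityId</sa:Issuer></sp:LogoutResponse>' % (SAMLP, SAML))
```

Reorder before signing: moving the children of an already-signed element invalidates its ds:Signature, so the fix belongs in the encoder, not in a post-processing step on signed output.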
