
Re: SAML LogoutResponse elements are out of order



Hi Sampo / users,

I still couldn't get the login working. However I did trigger the logout
from the IDP, and the ZXID SP was able to send a LogoutResponse but that
response still had the "Status" element before the "Issuer".

Is that still an issue with v 1.18?

Regards,

Karthik

On Fri, Jun 20, 2014 at 3:02 PM, Karthik Sudarshan <ksudarshan@xxxxxxxxxx>
wrote:

> Hi Sampo,
>
> I tried with version 1.18, but I am facing hurdles in getting the login
> working itself!
>
> I took the following steps:
>
>    1. I download the zxid-1.18.tgz and did the gunzip and untar to get
>    the zxid-1.18 directory.
>    2. I did the "sudo make apachezxid", and it went through neatly and
>    created the mod_auth_saml.so file.
>    3. sudo make apachezxid_install initially did not work, but I manually
>    copied the mod_auth_saml.so into the modules of apache2
>    4. I took a backup of my zxid.conf and removed the /var/zxid directory.
>    5. Retried sudo make apachezxid_install to create the /var/zxid
>    directory structure.
>    6. Copied back the old zxid.conf to /var/zxid
>    7. Restarted the apache server
>    8. Accessed the /protected/saml?o=B to get the SAML metadata.
>    9. I reconfigured the CoT by removing the contents of /var/zxid/cot
>    directory and getting the metadata of my IDP running the zxcot -g
>    <metadataURL> and this configured the CoT successfully.
>    10. After this I accessed my test application's url (which is
>    protected by saml), and it showed the IDP selection page.
>       1. This was the first red flag as I had given the
>       DEFAULTQS=l0<IDP>=1 and it worked previously on v 1.16, but not on v 1.18
>    11. So I selected the only IDP entry in the drop down and was
>    displayed the IDP's login page. After successfully logging in to IDP, I got
>    the redirection to my original url, but it started displaying the IDP
>    selection page again.
>
> I used the SAML Tracer in Firefox to check the choreography, and it looks
> like the IDP is sending a proper AuthnResponse, and this used to work with
> v 1.16. But the session is not getting created on the Zxid level, which was
> apparent when the ZXIDSES cookie was not created in the cookies.
>
> So I've two questions:
>
>    1. I really am happy with the way v 1.16 is working, so is there a way
>    that the bug fix for the logout response be ported back to v 1.16? Or is it
>    simple enough that I can do it for my version (with your guidance, of
>    course)?
>    2. Is there anything that is drastically different in v 1.18 that I am
>    facing these issues? (maybe missing some configuration or is a
>    configuration name changed?)
>
> Again, any help would be greatly appreciated. We have the whole
> application working, but are facing this hurdle in the final step of logout!
>
> Regards,
> Karthik
>
> On Thu, Jun 19, 2014 at 9:49 AM, Karthik Sudarshan <ksudarshan@xxxxxxxxxx>
> wrote:
>
>> Hi Sampo,
>>
>> Thanks for the reply. I'll try it out on v 1.18, and let you know.
>>
>> Regards,
>> Karthik
>>
>>
>> On Thu, Jun 19, 2014 at 7:16 AM, <sampo@xxxxxxxxx> wrote:
>>
>>> Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
>>> > Hi all,
>>> >
>>> > I'm using ZXID v1.16 with mod_auth_saml Apache plugin. The IDP is
>>> > ADFS. The authn request processing has been successful. But when the
>>> > IDP initiates the logout request and the ZXID library sends the
>>> > LogoutResponse, ADFS is unable to parse the request.
>>> >
>>> > One of the causes could be that the <Issuer> element is after the
>>> > <Status> element.
>>> >
>>> > A sample LogoutResponse is below:
>>> >
>>> > <sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> >                    Destination="destinationURL"
>>> >                    InResponseTo="requestId"
>>> >                    IssueInstant="time"
>>> >                    Version="2.0"
>>> >                    ID="responseId"
>>> >                    >
>>> >     <sp:Status>
>>> >         <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>> >     </sp:Status>
>>> >     <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
>>> > </sp:LogoutResponse>
>>>
>>> Yes, this is a bug with 1.16. Have you tried 1.18?
>>>
>>> Cheers,
>>> --Sampo
>>>
>>> > The SAML specification xsd has this definition for the ResponseType
>>> > complex type:
>>> >
>>> >
>>> > <complexType name="StatusResponseType">
>>> > <sequence>
>>> > <element ref="saml:Issuer" minOccurs="0"/>
>>> > <element ref="ds:Signature" minOccurs="0"/>
>>> > <element ref="samlp:Extensions" minOccurs="0"/>
>>> > <element ref="samlp:Status"/>
>>> > </sequence>
>>> > <attribute name="ID" type="ID" use="required"/>
>>> > <attribute name="InResponseTo" type="NCName" use="optional"/>
>>> > <attribute name="Version" type="string" use="required"/>
>>> > <attribute name="IssueInstant" type="dateTime" use="required"/>
>>> > <attribute name="Destination" type="anyURI" use="optional"/>
>>> > <attribute name="Consent" type="anyURI" use="optional"/>
>>> > </complexType>
>>> >
>>> > What is the best way to ensure that the xsd is followed in the
>>> > response? I saw the http://www.zxid.org/html/zxid-raw.html talks about
>>> > "Encoding in schema order" and "Encoding in wire order", but I am not
>>> > sure if there is a configuration that can achieve this.
>>> >
>>> > Any help with this would be greatly appreciated.
>>> >
>>> >
>>> > Regards,
>>> > Karthik
>>> >
>>> > --
>>> >
>>> > ------------------------------
>>> > <http://www.xtivia.com>  <http://www.virtual-dba.com/>
>>> > <http://www.virtual-dba.com/> <http://www.virtual-asa.com/>
>>> > <http://www.facebook.com/Xtivia>  <http://twitter.com/#!/xtivia>
>>> > <http://www.linkedin.com/company/xtivia>  <http://blogs.xtivia.com>
>>> > <http://www.xtivia.com/resources/webinars>
>>> > *Xtivia Virtual-Services (DBA/ASA) Customer Support: (800) 205-7537*
>>> > ------------------------------
>>> > This e-mail may contain confidential or privileged information. If you
>>> > believe you have received this e-mail in error, please notify the
>>> sender by
>>> > reply e-mail and then delete this e-mail immediately.
>>> >
>>>
>>
>>
>

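The element-order problem discussed in this thread (a LogoutResponse whose <Status> precedes <Issuer>, which the quoted StatusResponseType sequence forbids and which ADFS rejected) can be checked on the wire before a peer ever sees it. The following is an added example, not code from ZXID or from anyone in the thread: it applies the schema sequence quoted above (Issuer, Signature, Extensions, Status) to a LogoutResponse, reports which children are out of order, and shows what the message looks like once the children are in schema order. The sample message is a constructed copy of the one posted; the function names and the namespace prefixes in the re-serialized output are this example's own.

```python
"""Check a SAML 2.0 LogoutResponse against the StatusResponseType child order.

Added example, not part of ZXID or of the thread above. The schema order is the
sequence quoted in the thread; the sample message is constructed from the one
posted there.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Keep conventional prefixes when re-serializing (prefix choice is cosmetic).
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Child order of StatusResponseType, as quoted from the SAML 2.0 protocol xsd.
SCHEMA_ORDER = [
    f"{{{SAML}}}Issuer",
    f"{{{DS}}}Signature",
    f"{{{SAMLP}}}Extensions",
    f"{{{SAMLP}}}Status",
]
_RANK = {tag: i for i, tag in enumerate(SCHEMA_ORDER)}

# Constructed copy of the out-of-order message posted in the thread.
OUT_OF_ORDER = """<sp:LogoutResponse xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="destinationURL" InResponseTo="requestId"
    IssueInstant="time" Version="2.0" ID="responseId">
  <sp:Status>
    <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </sp:Status>
  <sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">issuerEntityId</sa:Issuer>
</sp:LogoutResponse>"""


def child_order(xml_text):
    """Qualified names of the top-level children, in the order they appear on the wire."""
    root = ET.fromstring(xml_text)
    return [child.tag for child in root]


def order_violations(xml_text):
    """Return (element, element_it_should_precede) pairs that break the schema sequence.

    A child that is not in the sequence at all is reported as (tag, None), since a
    schema-validating parser will reject it regardless of position.
    """
    violations = []
    seen_rank, seen_tag = -1, None
    for tag in child_order(xml_text):
        if tag not in _RANK:
            violations.append((tag, None))
        elif _RANK[tag] < seen_rank:
            # This element belongs before one that already appeared.
            violations.append((tag, seen_tag))
        else:
            seen_rank, seen_tag = _RANK[tag], tag
    return violations


def in_schema_order(xml_text):
    """Re-serialize the message with its children sorted into schema order.

    Diagnostic aid only: reordering a message after it has been signed invalidates
    the signature, so the real fix belongs in the encoder, as the thread concludes.
    Each child's subtree is moved intact; unknown children keep their relative order
    and are placed last (sorted() is stable).
    """
    root = ET.fromstring(xml_text)
    children = list(root)
    for child in children:
        root.remove(child)
    for child in sorted(children, key=lambda c: _RANK.get(c.tag, len(SCHEMA_ORDER))):
        root.append(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for element, must_precede in order_violations(OUT_OF_ORDER):
        print(f"out of order: {element} must come before {must_precede}")
    print(in_schema_order(OUT_OF_ORDER))
```

Run against the posted message this reports that Issuer must precede Status; on the re-serialized form it reports nothing. The same check can be pointed at any StatusResponseType-derived message (LogoutResponse, Response, ArtifactResponse) because they share the child sequence quoted above.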