ComponentSpace

Forums



Error on Single Log Out - A logout response was unexpectedly received



jamie.burns
New Member (5 reputation)

Group: Forum Members
Posts: 3, Visits: 22
Hey,

So, I've downloaded the sample MvcExampleIdentityProvider/MvcExampleServiceProvider projects, and managed to get them running locally, which is great.

I've tried to hook up an existing application as the identity provider, so I pointed the MvcExampleServiceProvider to use the existing app, but I can't seem to get the configuration right.

In MvcExampleServiceProvider, I've got this in saml.config -

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
<ServiceProvider Name="http://external-web.devmachine.com"
       AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
       LocalCertificateFile="sp.pfx"
       LocalCertificatePassword="password"/>
<PartnerIdentityProvider Name="http://external-web.devmachine.com"
         SignAuthnRequest="false"
         WantSAMLResponseSigned="true"
         WantAssertionSigned="false"
         WantAssertionEncrypted="false"
         SingleSignOnServiceUrl="http://external-web.devmachine.com/SAML/SSOService"
         SingleLogoutServiceUrl="http://external-web.devmachine.com/SAML/SLOService"
         PartnerCertificateFile="idp.cer"/>
</SAMLConfiguration>


And in the web.config, I have -

<add key="PartnerIdP" value="http://external-web.devmachine.com"/>

Now, in external-web.devmachine.com (the identity provider), I have this in my saml.config -

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
<IdentityProvider Name="http://external-web.devmachine.com"
       LocalCertificateFile="idp.pfx"
       LocalCertificatePassword="password"/>
<PartnerServiceProvider Name="http://external-web.devmachine.com"
         WantAuthnRequestSigned="false"
         SignSAMLResponse="true"
         SignAssertion="false"
         EncryptAssertion="false"
         AssertionConsumerServiceUrl="http://external-web.devmachine.com/SAML/AssertionConsumerService"
         SingleLogoutServiceUrl="http://external-web.devmachine.com/SAML/SLOService"
         PartnerCertificateFile="sp.cer"/>
</SAMLConfiguration>

Now, I can log in fine if I go to the service provider - it redirects to external-web, authenticates and redirects back.  It all looks fine.

But, when I try to log out, it seems the SLOService in external-web is called twice.  The first, the log out works correctly.  The second time it is called, this error is thrown -

A logout response was unexpectedly received. Stack Trace: at ComponentSpace.SAML2.AbstractSAMLProvider.ProcessLogoutResponse(HttpRequestBase httpRequest, XmlElement logoutResponseElement, String signatureAlgorithm, String signature) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\AbstractSAMLProvider.cs:line 387...

What is going wrong here?  The only thing I can guess is that because the Identity Provider is listed as a PartnerServiceProvider within itself, it is trying to log out that service (not realising that it is itself).  But if I remove that provider from the list, I cannot log in, as I get this error -

No partner service providers have been configured Stack Trace: at ComponentSpace.SAML2.Configuration.SAMLConfiguration.GetPartnerServiceProvider(String name) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Configuration\SAMLConfiguration.cs:line 669 at ComponentSpace.SAML2.InternalSAMLIdentityProvider.ReceiveSSO(HttpRequestBase httpRequest, String& partnerSP, SSOOptions& ssoOptions) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLIdentityProvider.cs:line 732...

Any ideas would be appreciated!
ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Jamie
I think part of the confusion is that the identity provider and service provider have the same name. You should specify different names for these.
If you take a look at the MvcExampleIdentityProvider's saml.config it includes:

 <IdentityProvider Name="http://localhost/MvcExampleIdentityProvider"
                    LocalCertificateFile="idp.pfx"
                    LocalCertificatePassword="password"/>

  <!-- Web forms example -->
  <PartnerServiceProvider Name="http://localhost/ExampleServiceProvider"
                          WantAuthnRequestSigned="false"
                          SignSAMLResponse="true"
                          SignAssertion="false"
                          EncryptAssertion="false"
                          AssertionConsumerServiceUrl="http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx"
                          SingleLogoutServiceUrl="http://localhost/ExampleServiceProvider/SAML/SLOService.aspx"
                          PartnerCertificateFile="sp.cer"/>


And the MvcExampleServiceProvider's saml.config includes:

  <ServiceProvider Name="http://localhost/MvcExampleServiceProvider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
                   LocalCertificateFile="sp.pfx"
                   LocalCertificatePassword="password"/>

  <!-- Web forms example -->
  <PartnerIdentityProvider Name="http://localhost/ExampleIdentityProvider"
                           SignAuthnRequest="false"
                           WantSAMLResponseSigned="true"
                           WantAssertionSigned="false"
                           WantAssertionEncrypted="false"
                           SingleSignOnServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SSOService.aspx"
                           SingleLogoutServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx"
                           PartnerCertificateFile="idp.cer"/>


Notice that the identity provider and service provider have unique names. Also note that the SingleLogoutServiceUrl is different for the identity provider and service provider.
Please try changing the names in your saml.config files to make them unique.
Also, ensure that the identity provider and service provider have unique URLs for their single logout services.
If there's still an issue, please enable SAML trace for both applications and send the log files as email attachments to [email protected] mentioning this topic. Also include your two saml.config files.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Regards
ComponentSpace Development
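A way to catch the misconfiguration described in this thread before the first logout, as an added example that is not ComponentSpace's code: it parses the two saml.config files (the original poster's, trimmed and embedded as constructed sample input) and reports a provider that lists itself as a partner, a partner entry whose Name does not match the other side's local Name, and a single logout URL shared by IdP and SP. Only the element and attribute names visible in the configs above are assumed; nothing else about the library is.

```python
"""Cross-check a pair of ComponentSpace saml.config files for the collisions
discussed in this thread (added example, not ComponentSpace library code)."""
import xml.etree.ElementTree as ET

NS = {"c": "urn:componentspace:SAML:2.0:configuration"}
# Constructed sample: the original poster's two configs, trimmed to the
# attributes that matter. The IdP and SP share one Name and one logout URL.
SP_CONFIG = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="http://external-web.devmachine.com"/>
  <PartnerIdentityProvider Name="http://external-web.devmachine.com"
      SingleLogoutServiceUrl="http://external-web.devmachine.com/SAML/SLOService"/>
</SAMLConfiguration>"""
IDP_CONFIG = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <IdentityProvider Name="http://external-web.devmachine.com"/>
  <PartnerServiceProvider Name="http://external-web.devmachine.com"
      SingleLogoutServiceUrl="http://external-web.devmachine.com/SAML/SLOService"/>
</SAMLConfiguration>"""


def _parse(xml_text, local_tag, partner_tag):
    """Return (local provider Name, {partner Name: partner SingleLogoutServiceUrl})."""
    root = ET.fromstring(xml_text)
    local_name = root.find(f"c:{local_tag}", NS).get("Name")
    partners = {p.get("Name"): p.get("SingleLogoutServiceUrl")
                for p in root.findall(f"c:{partner_tag}", NS)}
    return local_name, partners


def check_saml_configs(sp_xml, idp_xml):
    """Return a list of problems; an empty list means the pair is consistent."""
    sp_name, idps_known_to_sp = _parse(sp_xml, "ServiceProvider", "PartnerIdentityProvider")
    idp_name, sps_known_to_idp = _parse(idp_xml, "IdentityProvider", "PartnerServiceProvider")
    problems = []
    # 1. A provider must not list itself as a partner: messages issued by the
    #    local entity would otherwise be handled as if they came from a peer.
    if sp_name in idps_known_to_sp:
        problems.append(f"SP config lists its own Name {sp_name!r} as a partner IdP")
    if idp_name in sps_known_to_idp:
        problems.append(f"IdP config lists its own Name {idp_name!r} as a partner SP")
    # 2. Each side must know the other under its real Name, or partner lookup fails.
    if idp_name not in idps_known_to_sp:
        problems.append(f"SP config has no PartnerIdentityProvider named {idp_name!r}")
    if sp_name not in sps_known_to_idp:
        problems.append(f"IdP config has no PartnerServiceProvider named {sp_name!r}")
    # 3. IdP and SP logout endpoints must differ, or a LogoutResponse lands on the
    #    same handler that sent the LogoutRequest (the error seen in this thread).
    idp_slo = {u for u in idps_known_to_sp.values() if u}
    sp_slo = {u for u in sps_known_to_idp.values() if u}
    for url in sorted(idp_slo & sp_slo):
        problems.append(f"IdP and SP share the single logout URL {url!r}")
    return problems
```

Run against the poster's configs it reports three problems (self-listed partner on each side plus the shared logout URL); a pair with distinct names and logout URLs on both sides returns an empty list.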
jamie.burns
New Member (5 reputation)

Group: Forum Members
Posts: 3, Visits: 22
Yup, that did the trick.  Knew it would be something simple like that.  Thanks for your help!