ComponentSpace Forums

SAMLServiceProvider.InitiateSLO ignores NameIDFormat set in Configuration


thinktime (New Member, Forum Members)
Posts: 27, Visits: 144
Hi, on the logout request 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' is always used as the NameIDFormat, regardless of the configuration.
1. Settings before calling InitiateSLO, screenshot: https://www.screencast.com/t/zDpZmOlBa7
2. XML in the OnLogoutRequestSent observer: https://www.screencast.com/t/3WIMpywec

As you can see, the setting is ignored. How do I set the necessary NameIDFormat?
ComponentSpace Development (Administrators)
Posts: 3.2K, Visits: 11K
The NameIDFormat configuration parameter doesn't specify the format in the logout request.
The NameID from the SAML assertion is used as the NameID in the logout request.
This is required as per the SAML v2.0 specification.
For example, the SP receives the following SAML assertion.


<saml:Assertion Version="2.0" ID="_aa7124af-1078-4b71-b83c-f2aea2cf88ca"
    IssueInstant="2017-07-06T00:21:52.038Z"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://localhost/ExampleIdentityProvider</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">idp-user</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2017-07-06T00:24:52.039Z"
          Recipient="http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx"
          InResponseTo="_2ef2631b-a8b3-42ed-be2e-0241dfcbb254" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-07-06T00:18:52.038Z" NotOnOrAfter="2017-07-06T00:24:52.038Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://localhost/ExampleServiceProvider</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-07-06T00:21:52.04Z"
      SessionIndex="_aa7124af-1078-4b71-b83c-f2aea2cf88ca">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>



The logout request sent to the IdP includes the exact same NameID.


<samlp:LogoutRequest ID="_34a683b9-3ac2-4429-877e-7135bd37101a" Version="2.0"
    IssueInstant="2017-07-06T00:21:54.153Z"
    Destination="http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx"
    NotOnOrAfter="2017-07-06T00:24:54.153Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    http://localhost/ExampleServiceProvider
  </saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp-user</saml:NameID>
  <samlp:SessionIndex>_aa7124af-1078-4b71-b83c-f2aea2cf88ca</samlp:SessionIndex>
</samlp:LogoutRequest>



As the SP, the NameIDFormat configuration property specifies the NameID policy to include in the SAML authn request sent to the IdP.



Regards
ComponentSpace Development
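The behaviour described in the reply above, as an added example that is not part of this thread and not ComponentSpace code (the library is .NET; Python is used here because the point is the XML, not the API). It parses the assertion shown above, copies its NameID (value plus Format and the other identity-bearing attributes) into a LogoutRequest while deliberately ignoring a configured NameIDFormat, and provides a check that an SP or an IdP can run to confirm a LogoutRequest's NameID matches the assertion the session was established from. The sample XML is trimmed from the messages in the thread; function names and the mismatched request are my own constructions.

```python
"""Why an SP copies the assertion's NameID into its LogoutRequest, and how to verify it did.
Added example; not ComponentSpace code. Uses only the Python standard library."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Assertion from the thread, trimmed to the elements the logout flow needs.
ASSERTION_XML = """<saml:Assertion Version="2.0" ID="_aa7124af-1078-4b71-b83c-f2aea2cf88ca"
    IssueInstant="2017-07-06T00:21:52.038Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://localhost/ExampleIdentityProvider</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">idp-user</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2017-07-06T00:21:52.04Z"
      SessionIndex="_aa7124af-1078-4b71-b83c-f2aea2cf88ca"/>
</saml:Assertion>"""

# LogoutRequest from the thread (correct: NameID copied verbatim from the assertion).
LOGOUT_REQUEST_XML = """<samlp:LogoutRequest ID="_34a683b9-3ac2-4429-877e-7135bd37101a" Version="2.0"
    IssueInstant="2017-07-06T00:21:54.153Z"
    Destination="http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx"
    NotOnOrAfter="2017-07-06T00:24:54.153Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/ExampleServiceProvider</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp-user</saml:NameID>
  <samlp:SessionIndex>_aa7124af-1078-4b71-b83c-f2aea2cf88ca</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed counter-example: what the poster expected the SP to send, i.e. the configured
# NameIDFormat applied to the logout request. The IdP cannot match this to the session.
WRONG_LOGOUT_REQUEST_XML = LOGOUT_REQUEST_XML.replace(
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")

# Attributes on saml:NameID that carry identity; all of them must travel unchanged.
NAMEID_ATTRS = ("Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")


def _name_id_tuple(element):
    """Normalise a saml:NameID element to (value, {attr: value}) for comparison."""
    attrs = {a: element.get(a) for a in NAMEID_ATTRS if element.get(a) is not None}
    return (element.text or "").strip(), attrs


def extract_name_id(assertion_xml):
    """Return the subject NameID of a SAML 2.0 assertion as (value, attrs)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"./{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None:
        raise ValueError("assertion has no saml:Subject/saml:NameID")
    return _name_id_tuple(name_id)


def extract_session_index(assertion_xml):
    """Return the SessionIndex of the first AuthnStatement, or None if absent."""
    stmt = ET.fromstring(assertion_xml).find(f"./{{{SAML}}}AuthnStatement")
    return None if stmt is None else stmt.get("SessionIndex")


def build_logout_request(issuer, destination, assertion_xml, configured_name_id_format=None,
                         issue_instant=None, validity=timedelta(minutes=3)):
    """Build the SP-initiated LogoutRequest for the session created by `assertion_xml`.

    `configured_name_id_format` is the SP's NameIDFormat setting. It is accepted only to make
    the point explicit: it is NOT applied here, because the NameID (value and Format) has to
    be the one from the assertion so the IdP can find the session to terminate."""
    del configured_name_id_format  # belongs in the AuthnRequest's NameIDPolicy, not here
    value, attrs = extract_name_id(assertion_xml)
    now = issue_instant or datetime.now(timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + str(uuid.uuid4()), "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": destination, "NotOnOrAfter": fmt(now + validity)})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", attrs).text = value  # copied, not configured
    session_index = extract_session_index(assertion_xml)
    if session_index:
        ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def logout_request_matches_assertion(logout_xml, assertion_xml):
    """Check for either side: the LogoutRequest's NameID must equal the assertion's NameID,
    value and identity attributes included. An IdP should refuse to end a session on a
    mismatch; an SP can use it to test its own InitiateSLO output."""
    name_id = ET.fromstring(logout_xml).find(f"./{{{SAML}}}NameID")
    if name_id is None:
        return False
    return _name_id_tuple(name_id) == extract_name_id(assertion_xml)


if __name__ == "__main__":
    print(build_logout_request("http://localhost/ExampleServiceProvider",
                               "http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx",
                               ASSERTION_XML,
                               configured_name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"))
    print("thread's request matches:", logout_request_matches_assertion(LOGOUT_REQUEST_XML, ASSERTION_XML))
    print("emailAddress request matches:", logout_request_matches_assertion(WRONG_LOGOUT_REQUEST_XML, ASSERTION_XML))
```

The practical consequence for the original question: if the IdP must receive an emailAddress NameID at logout, it has to have issued that NameID in the assertion in the first place, which is what the SP's NameIDFormat setting requests through the NameIDPolicy of the AuthnRequest; the logout request then follows automatically.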