IDP (ADFS) Reporting Error during SP InitiateSLO
dehallman
I'm building an application (Service Provider) that works with an IDP (ADFS based) that I don't control. I set up the saml.config and am successfully logging into my application, having been authenticated by the IDP. In other words, my AssertionConsumerService.aspx is being called properly. However, when a user logs out and I call InitiateSLO, I get redirected to an IDP error page. The owner of the IDP reports the error log entry showing the following type of message related to this error:

   The request specified an Assertion Consumer Service URL 'http://localhost/SAML/AssertionConsumerService.aspx' that is not  configured on the relying party 'https://myspplication.com'.

The metadata entry I provided to the IDP for AssertionConsumerService looks like the following:

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myapplication.com/SAML/AssertionConsumerService.aspx" index="0" isDefault="true" />

My saml.config looks like the following:

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <!-- Local service provider settings (the opening tag was missing its closing '>') -->
  <ServiceProvider
    Description="MyApplication">
      <LocalCertificates>
        <Certificate FileName="Certificates\myapplication.pfx" Password="myapplicationpassword"/>
      </LocalCertificates>
  </ServiceProvider>

  <PartnerIdentityProviders>
    <!-- Web forms example -->
    <PartnerIdentityProvider
      Description="MyIDP Provider"
      SignAuthnRequest="true"
      SingleSignOnServiceUrl="https://myidp.com/adfs/ls/"
      SingleLogoutServiceUrl="https://myidp.com/adfs/ls/">
      <PartnerCertificates>
        <Certificate FileName="Certificates\MyIDPSigningCert.cer"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>


I'm using InitiateSLO, so the component is creating the request. Any thoughts on where the localhost path is coming from in the reported error? It is not anything that I specified.

Any help would be appreciated.


ComponentSpace
The error about the assertion consumer service URL can occur during SP-initiated SSO rather than SLO. The SAML authn request that's sent when you call SAMLServiceProvider.InitiateSSO includes your assertion consumer service URL. This URL is the <ServiceProvider> AssertionConsumerServiceUrl from your saml.config. Alternatively, there is a SAMLServiceProvider.InitiateSSO overload where you can specify this URL.

ADFS performs a check when processing the SAML authn request. The specified assertion consumer service URL must match one of the URLs configured for your relying party. If it doesn't, it logs the error you see and returns a SAML response with an error status.

When you call SAMLServiceProvider.ReceiveSSO, if the SAML response status isn't success we throw an exception.

Please check that you're not specifying the assertion consumer service URL as a parameter to SAMLServiceProvider.InitiateSSO.

Are you seeing an exception being thrown by SAMLServiceProvider.ReceiveSSO?

For SLO, ADFS requires that the SAML logout messages are signed. 

Please update your saml.config to specify SignLogoutRequest="true" and SignLogoutResponse="true" for your <PartnerIdentityProvider>.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace


Regards
ComponentSpace Development
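As an added example (not code from the thread or from ComponentSpace), a small Python check that compares a saml.config against the SP metadata handed to the IdP and flags the two conditions discussed in the reply: an AssertionConsumerServiceUrl that is not one of the registered ACS locations, and SignLogoutRequest/SignLogoutResponse not set to "true". The host names, metadata and config strings are constructed to mirror the thread, and the check assumes the relying party was registered from exactly that metadata.

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
CFG_NS = "{urn:componentspace:SAML:2.0:configuration}"


def check_sp_config(saml_config_xml: str, sp_metadata_xml: str) -> list:
    """Return one finding per setting that would trip the ADFS checks from the thread."""
    cfg = ET.fromstring(saml_config_xml)
    md = ET.fromstring(sp_metadata_xml)
    findings = []

    # ADFS compares the ACS URL carried in the authn request with the locations
    # registered for the relying party; here those come from the SP metadata.
    registered = {e.get("Location") for e in md.iter(MD_NS + "AssertionConsumerService")}
    sp = cfg.find(CFG_NS + "ServiceProvider")
    acs_url = sp.get("AssertionConsumerServiceUrl") if sp is not None else None
    if not acs_url:
        findings.append("ServiceProvider: AssertionConsumerServiceUrl is not set, so the URL "
                        "the authn request will carry cannot be checked against the metadata")
    elif acs_url not in registered:
        findings.append(f"ServiceProvider: AssertionConsumerServiceUrl {acs_url!r} is not one "
                        f"of the registered ACS locations {sorted(registered)}")

    # ADFS requires signed LogoutRequest/LogoutResponse messages.
    for idp in cfg.iter(CFG_NS + "PartnerIdentityProvider"):
        for attr in ("SignLogoutRequest", "SignLogoutResponse"):
            if idp.get(attr, "false").lower() != "true":
                findings.append(f"PartnerIdentityProvider {idp.get('Description', '?')!r}: {attr} is not \"true\"")
    return findings


# Constructed inputs modelled on the thread (hypothetical hosts, not real deployments).
ACS_URL = "https://myapplication.com/SAML/AssertionConsumerService.aspx"
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://myapplication.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{ACS_URL}" index="0" isDefault="true"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

# As posted: no ACS URL on <ServiceProvider> and logout signing not enabled.
CONFIG_AS_POSTED = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Description="MyApplication"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Description="MyIDP Provider" SignAuthnRequest="true" SingleSignOnServiceUrl="https://myidp.com/adfs/ls/" SingleLogoutServiceUrl="https://myidp.com/adfs/ls/"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>"""

# Corrected per the reply: explicit ACS URL matching the metadata, signed logout messages.
CONFIG_FIXED = CONFIG_AS_POSTED.replace(
    'Description="MyApplication"', f'Description="MyApplication" AssertionConsumerServiceUrl="{ACS_URL}"'
).replace('SignAuthnRequest="true"', 'SignAuthnRequest="true" SignLogoutRequest="true" SignLogoutResponse="true"')
```

Running `check_sp_config(CONFIG_AS_POSTED, SP_METADATA)` reports three findings (missing ACS URL and both unsigned logout settings); the fixed config reports none.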