SLO throws an error: "A logout response was unexpectedly received." after upgrade from version...


Milan
Hi,
I upgraded from SAML version 2.8.2.0 to 3.3.0.0 and SLO stopped working for me.
Locally I have 2 sites, one acting as IdP (siteA) and the other as SP (siteB).
I can perform SSO successfully from IdP to SP and vice versa. However, on SLO, whether IdP-initiated or SP-initiated, an exception is thrown: "A logout response was unexpectedly received."

Here is the flow:
  1. Login to IdP
  2. SSO to SP
  3. Successfully logged in to SP
  4. IdP logs out the user, then sends a logout request to the SP (SAMLIdentityProvider.InitiateSLO)
  5. SP receives the SLO request, logs out the user, and sends the SLO response back to the IdP (SAMLServiceProvider.SendSLO)
  6. IdP receives the SLO response from the SP, calls SAMLIdentityProvider.ReceiveSLO, and it throws an error. (Similarly, when the SP initiates SLO, the exception is thrown on SAMLServiceProvider.ReceiveSLO, after successfully logging out from the SP and IdP.)

Single Logout Service URL(s), where the SLO request and response are sent:
IdP: http://siteA.localhost/Saml/IdentityProvider/Logout
SP: http://siteB.localhost/Saml/ServiceProvider/Logout

The configuration for SAML is specified programmatically. Sessions are managed via DB.
I have tried your example projects for 3.3.0.0 and SLO works fine for me there. 

Do you have any suggestions on what might cause the issue?
Thanks!

Milan
I found out that setting "DisablePendingLogoutCheck = true" on the partner SP and IdP will prevent the exception. But I would like to get to the root of the problem; in production I don't want to set this flag.
ComponentSpace
It's possible the SAML session state is being cleared and the "pending logout response" status is being lost.
This will be affected by where the SAML session state is stored.
By default we use a separate SAML session cookie but it's also possible to store the SAML session state in the ASP.NET session cookie.
Please enable SAML trace at both your IdP and SP and send the log files as email attachments to [email protected] mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
Please ensure the logs include the successful SSO and failing SLO.

Regards
ComponentSpace Development
Milan
Hi, thank you. I sent traces to the support email.
I am using a custom implementation of SSOSessionStore to store sessions in the DB. I tried changing the implementation to use cookies, and then it worked as expected.

Please find below the implementation of SSOSessionStore:

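using System;
using System.Data;
using System.Data.SqlClient;
using ComponentSpace.SAML2.Data;

// AMSqlHelper, CurrentInstanceHelper and SessionHelper are the application's own helpers (not shown).
class SamlSessionStore : AbstractSSOSessionStore
{
   public SamlSessionStore()
   {
      // Use the application's SAML session ID as the basis for the store key.
      SessionIDDelegate = () => SessionHelper.SamlSessionId;
   }

   // No-op: stored session objects are never removed from the database.
   public override void Delete(Type type)
   {
   }

   // Load the serialized SAML session state for this session and object type.
   public override object Load(Type type)
   {
      var sessionObjectKey = CreateSessionIDForType(type);

      var sessionObject = AMSqlHelper.ExecuteScalar(
        CurrentInstanceHelper.InstanceConnStr,
        CommandType.Text,
        "SELECT [SessionObject] FROM [SSOSessions] WHERE [SessionID] = @sessionId",
        new[]
        {
           new SqlParameter("@sessionId", sessionObjectKey)
        });

      return sessionObject == null ? null : Deserialize((byte[])sessionObject);
   }

   // Persist the serialized SAML session state via the saml_SaveSession stored procedure.
   public override void Save(object ssoSession)
   {
      var sessionObjectKey = CreateSessionIDForType(ssoSession.GetType());

      AMSqlHelper.ExecuteNonQuery(
        CurrentInstanceHelper.InstanceConnStr,
        "saml_SaveSession",
        sessionObjectKey,
        Serialize(ssoSession)
      );
   }
}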


The SSOSessions table then looks as follows after successful SSO and failed SLO:
IdP SSOSessions


SP SSOSessions


Thank you.

ComponentSpace
Thank you. I've replied to your email.

Regards
ComponentSpace Development
Milan
Thank you for working it out via email.
I use ISAMLObserver to listen to SAML events (message sent, received, etc.); the older implementation used AbstractSAMLObserver. The problem was in my Observer object, which caused an error that failed silently during InitiateSLO. This resulted in the session state not being up to date, and ReceiveSLO throwing the error.
Best Regards, Milan
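
The failure described in this thread, as a simplified C# model (an added example, not ComponentSpace's code or anything posted by the participants). Class and member names are hypothetical, and calling the observer before the pending request ID is persisted is an assumption made to reproduce the symptom; the last call shows what skipping the pending-logout check gives up.

```csharp
using System;
using System.Collections.Generic;

// Simplified model with hypothetical names; not the ComponentSpace API.
class SloState { public string PendingLogoutRequestId; }

class SloEndpoint
{
    // Stands in for the SSO session store: session ID -> SAML session state.
    readonly Dictionary<string, SloState> store = new Dictionary<string, SloState>();
    public Action<string> Observer = _ => { };   // "message sent" hook
    public bool DisablePendingLogoutCheck;       // models the flag from the thread

    public string InitiateSlo(string sessionId)
    {
        var requestId = "_" + Guid.NewGuid().ToString("N");
        try
        {
            Observer(requestId);  // assumption: runs before the state is persisted
            store[sessionId] = new SloState { PendingLogoutRequestId = requestId };
        }
        catch (Exception) { /* swallowed: request is sent, nothing is recorded */ }
        return requestId;
    }

    public bool ReceiveSloResponse(string sessionId, string inResponseTo)
    {
        if (DisablePendingLogoutCheck) return true;  // solicited or not, accepted
        SloState state;
        if (!store.TryGetValue(sessionId, out state) || state.PendingLogoutRequestId != inResponseTo)
            throw new InvalidOperationException("A logout response was unexpectedly received.");
        store.Remove(sessionId);  // one response per outstanding request
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        var idp = new SloEndpoint();
        var id = idp.InitiateSlo("s1");
        Console.WriteLine(idp.ReceiveSloResponse("s1", id));  // healthy observer: accepted
        idp.Observer = _ => { throw new InvalidOperationException("observer bug"); };
        id = idp.InitiateSlo("s1");                           // fails silently
        try { idp.ReceiveSloResponse("s1", id); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
        idp.DisablePendingLogoutCheck = true;
        Console.WriteLine(idp.ReceiveSloResponse("s1", "_never-sent"));  // unsolicited, yet accepted
    }
}
```

With the check disabled the model accepts a response to a request it never issued, which is why the flag hides the symptom rather than fixing the lost state.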
ComponentSpace
Thanks Milan for the update and sharing.

Regards
ComponentSpace Development