[IdP] idP logout

Forge Component
Published on 4 Jul by Telmo Martins

Hello team,

We are using the IdP connector with OneLogin and have configured all the required parameters.

We were able to successfully authenticate with OneLogin and we are trying to log out. So on logout we come to the application login screen, and when we try to log in we are not redirected to the OneLogin login page; instead we get auto-authenticated even though we logged out.

Any help is appreciated. Maybe we can have a WebEx session to go over this.

Cheers

RajHasti

Hello RajHasti. Was the logout working on previous versions?

For the logout to work, you need to use the IdP_SingleLogout_URL action to retrieve the URL, and then redirect the user to that URL. This URL needs to be configured in the back office and must match OneLogin's SLO endpoint.

Hello Leonardo,


We did configure it in the back office, including the SLO endpoint URL.

But it always gives us "Unable to process request".


Hi Rajasekhar,

Can you please access the Message Logs screen of the component and check the error message for the logout attempt, for further analysis.

Response Id was not previously registered

Hi Rajasekhar,

From your print, for some reason the component was not able to validate the XML response message (although it seems that you were successfully logged out from the IdP server).


I would bet on signature validation, but you must debug and check it. Set a breakpoint at the beginning of Private/SAML_LogoutResponse_Process and check the output of the call to the action SAML_ParseLogoutResponse_Ext.


Since it's SAML HTTP-Redirect, in the browser URL you must also see something like SAMLResponse=...&Signature=... (for LogoutRequest/Response messages through the HTTP-Redirect binding, if the Signature URL parameter is not present then it's certainly a validation error and you have to ask your IdP server administrator to add the signature to those requests).

Regards.

Hello Telmos,

Is there any possibility of having a WebEx call? We are getting nowhere with this.

Cheers

RajHasti


Hello Telmos,

It seems that somehow SLO is not getting triggered. The URL below is never invoked:

https://horne-dev1.outsystemsenterprise.com/IdP/SLO.jsf and we did configure this URL in the OneLogin configuration, mapped to Single Logout URL


Cheers

RajHasti

Hi,

In that case, check two things:

  1. That you have version 3.5.0 of the component (3.3.0 and 3.4.0 have an issue that prevents logging out correctly on the IdP server)
  2. On your end user web application, when you call the IdP_SingleLogout_URL action and redirect the user to that URL, that you DO NOT do a logout on the platform (i.e., call the DoLogout/User_Logout system actions). In the early versions of the component the end user application was responsible for doing the logout, but that responsibility is now on the IdP connector side (and ONLY on the IdP connector side)

Regards.


Telmo Martins wrote:

Hi,

In that case, check two things:

  1. That you have version 3.5.0 of the component (3.3.0 and 3.4.0 have an issue that prevents logging out correctly on the IdP server)
  2. On your end user web application, when you call the IdP_SingleLogout_URL action and redirect the user to that URL, that you DO NOT do a logout on the platform (i.e., call the DoLogout/User_Logout system actions). In the early versions of the component the end user application was responsible for doing the logout, but that responsibility is now on the IdP connector side (and ONLY on the IdP connector side)

Regards.



Hello Telmos,


1. We upgraded to version 3.5.0 today.

2. Also, we are calling the IdP_SingleLogout_URL action. Please check the attached screenshot.


Attachment

Hi, 

It seems fine; in your scenario ../IdP/SLO.jsf should be triggered by OneLogin.

So, if you check for instance the calls made by the browser with the debug tools, you are expected to see something like

  • .../IdP/Logout.jsf
  • <ONE_LOGIN_SLO>
  • /IdP/SLO.jsf
  • ...

Did any of the above not happen? On the SAML Message Logs screen, are there any entries for LogoutRequest and LogoutResponse? What information is in the popup detail log, such as the XML for each one?



Attachment for LogoutRequest

Thanks for the reply. Attached are the details for the LogoutRequest.

Also, Telmos, we are using this URL for the IdP Server Single Logout URL in idpConfiguration:

https://horne-llp.onelogin.com/trust/saml2/http-redirect/slo/713072 

Is this correct?

Rajasekhar Hasti wrote:

Also, Telmos, we are using this URL for the IdP Server Single Logout URL in idpConfiguration:

https://horne-llp.onelogin.com/trust/saml2/http-redirect/slo/713072 

Is this correct?

Hi Rajasekhar,

You must check it in your OneLogin IdP admin panel.


Regarding the screenshot above, the XML does not seem right, but I'm not sure, since it could be overflow in the screenshot. Can you send the LogoutRequest XML message as text?


Hello Telmos


Here is the LogoutRequest XML:


<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://horne-llp.onelogin.com/trust/saml2/http-post/slo/713072" ID="id_af917803f0e94fd2997899e37498e8fd" IssueInstant="2017-12-06T18:37:35.623Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml2p:SessionIndex>_5a948760-bce2-0135-9feb-0a41dac6bd3e</saml2p:SessionIndex>
</saml2p:LogoutRequest>

Hi,
It definitely does not look right. For instance, the Issuer is empty.

Meanwhile, to work around the issue, can you change the SingleLogout binding to HTTP-POST, save it, and try again? The logout endpoint on OneLogin may be a different one; the one for HTTP-POST must also be set.
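
The SP-side checks discussed in this thread (the signature carried in the SAMLResponse/Signature query parameters of the HTTP-Redirect binding, the "Response Id was not previously registered" error, and a LogoutRequest with an empty Issuer), as an added example that is not part of this thread and not the IdP connector's own code. It is plain Python on the standard library; the entity IDs, URLs, keys, the HMAC-SHA256 stand-in for the IdP's RSA signature, and the fixed IssueInstant are constructed assumptions.

```python
"""SAML 2.0 Single Logout over the HTTP-Redirect binding, SP side. Added example, not
the IdP connector's code: the SP registers the ID of every LogoutRequest it issues,
rejects a LogoutResponse that is unsigned, fails the signature over the raw query
octets (SAMLResponse, RelayState, SigAlg) or carries an unregistered InResponseTo, and
lints a LogoutRequest for an empty Issuer/NameID. Assumption: HMAC-SHA256 with
constructed keys stands in for RSA-SHA256 so this runs on the standard library."""
import base64, hashlib, hmac, uuid, zlib
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from urllib.parse import quote, unquote
from xml.sax.saxutils import escape

NS_P, NS_A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SIG_ALG, STATUS_OK = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_KEY, IDP_KEY = b"constructed-sp-key", b"constructed-idp-key"  # assumption: stand-in keys
NOW = "2017-12-06T23:36:34Z"  # constructed IssueInstant; use the real clock in production

def deflate_b64(xml_text):  # redirect-binding encoding: raw DEFLATE (no zlib header) + base64
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()

def split_raw_query(query):  # no decoding: the signature covers the raw octets
    return dict(p.partition("=")[::2] for p in query.split("&") if p)

def signed_octets(raw, msg_param):  # spec order: message, RelayState (if present), SigAlg
    return "&".join(f"{k}={raw[k]}" for k in (msg_param, "RelayState", "SigAlg") if k in raw)

def sign_query(params, key):
    """Sender side: URL-encode the parameters, sign them and append Signature."""
    msg_param = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    raw = {k: quote(v, safe="") for k, v in params.items()}
    raw["SigAlg"] = quote(SIG_ALG, safe="")
    base = signed_octets(raw, msg_param)
    sig = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return base + "&Signature=" + quote(base64.b64encode(sig).decode(), safe="")

def lint_logout_request(xml_text):
    """Defects that make an IdP reject a LogoutRequest (cf. the empty Issuer in the thread)."""
    root = ET.fromstring(xml_text)
    problems = [f"{t} is empty" for t in ("Issuer", "NameID")
                if not (root.findtext(f"{{{NS_A}}}{t}") or "").strip()]
    return problems + ([] if root.get("Destination") else ["Destination missing"])

class ServiceProvider:
    def __init__(self, entity_id, slo_endpoint, idp_entity_id, idp_slo_url):
        self.entity_id, self.slo_endpoint = entity_id, slo_endpoint
        self.idp_entity_id, self.idp_slo_url = idp_entity_id, idp_slo_url
        self.pending = set()  # IDs of LogoutRequests issued and not yet answered

    def logout_url(self, name_id, session_index, relay_state="/"):
        """What IdP_SingleLogout_URL amounts to: the IdP SLO URL to redirect the browser to."""
        req_id = "id_" + uuid.uuid4().hex
        xml = (f'<saml2p:LogoutRequest xmlns:saml2p="{NS_P}" xmlns:saml2="{NS_A}" ID="{req_id}" '
               f'Version="2.0" IssueInstant="{NOW}" Destination="{self.idp_slo_url}">'
               f'<saml2:Issuer>{escape(self.entity_id)}</saml2:Issuer><saml2:NameID>{escape(name_id)}'
               f'</saml2:NameID><saml2p:SessionIndex>{escape(session_index)}</saml2p:SessionIndex>'
               '</saml2p:LogoutRequest>')
        if problems := lint_logout_request(xml):
            raise ValueError("refusing to send LogoutRequest: " + ", ".join(problems))
        self.pending.add(req_id)  # registered so the LogoutResponse can be matched
        query = sign_query({"SAMLRequest": deflate_b64(xml), "RelayState": relay_state}, SP_KEY)
        return f"{self.idp_slo_url}?{query}"

    def process_logout_response(self, query):
        """Validate the LogoutResponse the IdP redirects back to our SLO endpoint."""
        raw = split_raw_query(query)
        if not {"SAMLResponse", "SigAlg", "Signature"} <= set(raw):
            return "error: LogoutResponse missing or not signed"  # ask the IdP admin to sign SLO
        if unquote(raw["SigAlg"]) != SIG_ALG:
            return "error: unexpected SigAlg"
        expected = hmac.new(IDP_KEY, signed_octets(raw, "SAMLResponse").encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.b64decode(unquote(raw["Signature"])), expected):
            return "error: signature validation failed"
        root = ET.fromstring(inflate_b64(unquote(raw["SAMLResponse"])))
        if root.get("InResponseTo") not in self.pending:
            return "error: Response Id was not previously registered"
        self.pending.discard(root.get("InResponseTo"))  # single use, so a replay fails above
        if (root.findtext(f"{{{NS_A}}}Issuer") or "").strip() != self.idp_entity_id:
            return "error: unexpected Issuer"
        if root.get("Destination") != self.slo_endpoint:
            return "error: Destination is not our SLO endpoint"
        status = root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
        return "ok" if status is not None and status.get("Value") == STATUS_OK else "error: IdP reported failure"

def idp_logout_response(sp, request_url):
    """Constructed IdP stand-in: answer the LogoutRequest with a signed LogoutResponse."""
    raw = split_raw_query(request_url.split("?", 1)[1])
    req = ET.fromstring(inflate_b64(unquote(raw["SAMLRequest"])))
    xml = (f'<saml2p:LogoutResponse xmlns:saml2p="{NS_P}" xmlns:saml2="{NS_A}" ID="id_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{NOW}" InResponseTo="{req.get("ID")}" Destination="{sp.slo_endpoint}">'
           f'<saml2:Issuer>{escape(sp.idp_entity_id)}</saml2:Issuer><saml2p:Status>'
           f'<saml2p:StatusCode Value="{STATUS_OK}"/></saml2p:Status></saml2p:LogoutResponse>')
    return sign_query({"SAMLResponse": deflate_b64(xml)}, IDP_KEY)

# Constructed copy of the defective request shape from the thread: empty Issuer and NameID.
BAD_REQUEST = (f'<saml2p:LogoutRequest xmlns:saml2p="{NS_P}" xmlns:saml2="{NS_A}" ID="id_1" Version="2.0" '
               f'IssueInstant="{NOW}" Destination="https://idp.example/slo"><saml2:Issuer/><saml2:NameID/>'
               '<saml2p:SessionIndex>_x</saml2p:SessionIndex></saml2p:LogoutRequest>')

def demo():
    sp = ServiceProvider("Outsystems Recipient", "https://sp.example/IdP/SLO.jsf", "https://idp.example/idp", "https://idp.example/slo")
    reply = idp_logout_response(sp, sp.logout_url("user@example.com", "_constructed-session"))
    flipped = reply[:13] + ("A" if reply[13] != "A" else "B") + reply[14:]  # one byte of SAMLResponse changed
    return {"valid": sp.process_logout_response(reply),
            "replay": sp.process_logout_response(reply),
            "unsigned": sp.process_logout_response(reply.split("&Signature=")[0]),
            "tampered": sp.process_logout_response(flipped),
            "bad_request": lint_logout_request(BAD_REQUEST)}
```

Run demo() to see each outcome: the first LogoutResponse validates, the identical one replayed fails on the unregistered InResponseTo (the same check behind "Response Id was not previously registered"), a response with the Signature parameter stripped is refused before any XML is parsed, and a single changed byte fails signature validation. The signed string is rebuilt from the raw, still-encoded query parameters rather than from re-encoded values, because re-encoding can differ from what the IdP signed and would make a valid signature fail.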


Hello,

Here is the updated SAML LogoutRequest with the POST binding:


<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://horne-llp.onelogin.com/trust/saml2/http-post/slo/713072" ID="id_cbf77d5c04e14eff9f6edf7b9663f8ba" IssueInstant="2017-12-06T19:06:56.972Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml2p:SessionIndex>_5a948760-bce2-0135-9feb-0a41dac6bd3e</saml2p:SessionIndex>
</saml2p:LogoutRequest>

Hi,

I was checking again and did not find any issue in the Java stack while creating the Logout message.

Kindly test it in debug mode. Set a breakpoint in the preparation of the DoSLOLogout screen on the "If success" widget, like the attached print. When it stops at that point, kindly provide the full output of the following action calls:

  • SAML_CreateLogoutRequest
  • GetCurrentUserSession
  • GetConfig


Regards.

Hello Telmos.


DoSLOLogout is never getting called. I am using IdP SLO logout and configured it in idpConfigurations as well as the related OneLogin settings, and I am seeing the SAML LogoutRequest below:


<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://horne-llp.onelogin.com/trust/saml2/http-redirect/slo/713072" ID="id_e7e0e8a6b21b4f908013e617c049c755" IssueInstant="2017-12-06T23:36:34.561Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">Outsystems Recipient</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml2p:SessionIndex>_8abe94e0-bd09-0135-5830-0a41dac6bd3e</saml2p:SessionIndex>
</saml2p:LogoutRequest>


Cheers

RajHasti

Hi Rajasekhar,

How is it not called? When you want to log out from your application you call the action "IdP_SingleLogout_URL" and then redirect the browser to that URL, right? That URL will send the user to DoSLOLogout.

Regards.

Hello Telmos,

Would you mind letting me know what the statements below mean in the instructions for logout?


IdP Instructions                

) Change Logininfo -> Preparation to redirect the user to the URL provided by IdP Server
 a1) If your IdP Server allows a Logout initiated by the SP through SAML messages: call the action 'IdP_SLO_URL' and call the Common\ExternalURL with its output

Cheers
RajHasti


Hi,

That's exactly what I said above. On your end user application call IdP_SingleLogout_URL (aka IdP_SLO_URL) and then redirect the user's browser to it.

A logout initiated by the SP is when this IdP connector wants to log out and sends a logout SAML message (in this case through the user's browser) to the IdP server's single logout endpoint.

Regards.