[IdP] Single Signout - Can't sign out

Forge Component (39 votes)
Published on 4 Nov by Telmo Martins

I am using the IdP component and was able to successfully configure the Single Sign-on part. I just followed the configuration, but I can't log out from the application or from Okta using the single sign out. The splash screen saying that I am being logged out is shown, but I always get sent back into the originating application.

Debugging the main app, after the IdP_SingleLogout_URL action I was redirected to the No Permission page, where the IdP_SSO_URL is, so I was logged in again.

Any hints on what I need to check?

Checked that I have not made valid Logout Responses:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse Destination="https://pordmweb01/Idp/SLO.aspx"
    ID="id42097145263360681942374689"
    InResponseTo="id_b2edbf2816544999878e0a54f9f59e4e"
    IssueInstant="2019-09-11T15:31:59.569Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk1bm6wejLuzSxQZ357</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id42097145263360681942374689">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>nCbevYV6U1mVP6t+DnarssmjtzA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>W/azWdvHjFD0QwpKQJSNOKSLgxE2fhb66OsdmuEjDZFJisCvbhmPSpQIB3gnTy9YtAhX5Cy1o58VG//UhpZ+VXLllTjyN21S5jAAZqBW1QV3verC3BjPEcq82M8708S4vIBANZc2Xjds/HViu7qy070GAiCa0wA4lgAnIPKm8e1DtcBVx9DKclyIWKuGHmmUj8erGUhsHfeb8AwDqNNVR8v/s/f5X2VTkvnu3GP9DgNheJQBPilJ/rzWUS6DdlwktCnOji8Y9H6fsk6Tn0pTCJxOA/d/YbNYOlgw/DaBYGBB4AZzmdkWh8p6ogGNTA5qf8NKolfijKQ8WKLDn47FxQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIID0DCCArigAwIBAgIGAW0X3cg9MA0GCSqGSIb3DQEBCwUAMIGoMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
  </saml2p:Status>
</saml2p:LogoutResponse>

So I was finally able to "logout" from the application by putting "server/app/login.aspx" in the OriginalURL parameter of the IdP_SSO_URL. I put the emphasis on "logout" because, since I didn't really trigger a user_logout from the application, I think I am still on it. Plus, I am under the impression that when I make a request for a Single Logout, I will be logged out of Okta as well. Is this impression correct? Or does the user really need to log out manually in Okta as well after logging out of OutSystems?

After more debugging I found that I was indeed not logged out, because of an error in the response, which says:

"Request timestamp not valid"

What do I need to look at for this?

I tried to debug this again and what happened?

Success false with no errors :(

Hi Juan,

With debug, if you take too much time to reach the code that will actually process the XML message, you'll get that error.

For some reason Okta didn't recognize the LogoutRequest as valid; usually it's due to an incorrectly configured certificate.

Meanwhile did you overcome this issue?

Regards.

Hi Telmo,

I am still able to overcome this issue. Luckily, we aren't pursuing the integration with Okta at the moment. I can still work on this just to make it happen; however, I don't know where to start since there is no error message.

On your response, can you clarify a bit (and what to check further):

- if you take too much time to reach the code that will actually process the XML message you'll get that error.

- it's due to an incorrectly configured certificate.

Regards,

JC

Hello,

We are facing a similar error but with ADFS configuration.

The login and logout seem to be working fine, but when we send a new AuthnRequest to ADFS (after processing the LogoutResponse) the user is logged in without needing to enter credentials in ADFS.

Something is wrong with the LogoutResponse, because if we check the SAML Messages Logs the SAML message is marked as Invalid but with no Validation Error.

After checking the code we changed the following:

  • The configured "SP metadata xml" sets the nameid-format to "transient":

<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

, but the method SAMS_CreateLogoutRequest was automatically setting it to:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

So we changed it to match the XML. After this change, ADFS returns the following error when the logout request is made:

System.Security.Cryptography.CryptographicException: ID6018: Digest verification failed for reference '#id_bd2e6b6913d8490db71e62d33f8bd3dc'.
   at Microsoft.IdentityModel.Protocols.XmlSignature.Reference.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource)
   at Microsoft.IdentityModel.Protocols.XmlSignature.SignedInfo.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource)
   at Microsoft.IdentityModel.Protocols.XmlSignature.SignedInfo.EnsureDigestValidity(String id, Object resolvedXmlSource)
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)

Could you give me a hand? We use the "Auto generate KeyStore" button in the SP Connector settings, if this helps...

Thanks in advance
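The ID6018 error above is what an enveloped XML signature produces when the signed element is edited after the ds:Reference digest was computed. The following is an added example, not the IdP component's or ADFS's code, that reproduces the failure mode in miniature: it computes the reference digest of a constructed LogoutRequest (the signature element, issuer URL, subject and ID are placeholders) and shows that changing the NameID Format after signing, as in the post above, no longer matches. Simplification: canonicalization uses xml.etree's C14N 2.0 rather than exc-c14n; the SHA-1 digest matches the DigestMethod used in this thread's messages.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed LogoutRequest (hypothetical values); the ds:Signature element is an
# empty placeholder because only the reference digest is exercised here.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML}" ID="id_PLACEHOLDER" Version="2.0" IssueInstant="2019-09-11T15:31:59Z">
  <saml:Issuer>https://sp.example/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/><ds:SignatureValue/></ds:Signature>
  <saml:NameID Format="{UNSPECIFIED}">user@example.com</saml:NameID>
</samlp:LogoutRequest>"""


def reference_digest(xml_text: str) -> str:
    """Enveloped-signature reference digest: drop ds:Signature, canonicalize
    the remaining document, SHA-1 it and base64-encode (as in ds:DigestValue).
    Simplification (assumption): C14N 2.0 from the stdlib instead of exc-c14n."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{DS}}}Signature"):
        root.remove(sig)
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def set_nameid_format(xml_text: str, fmt: str) -> str:
    """Edit the NameID Format attribute of an already-serialized request."""
    root = ET.fromstring(xml_text)
    root.find(f"{{{SAML}}}NameID").set("Format", fmt)
    return ET.tostring(root, encoding="unicode")


def digest_still_valid(signed_xml: str, received_xml: str) -> bool:
    """What the verifier checks: the digest recomputed over the received message
    must equal the one computed when the message was signed."""
    return reference_digest(signed_xml) == reference_digest(received_xml)


if __name__ == "__main__":
    # Same format as when signed: digest matches. Format changed afterwards: ID6018.
    print(digest_still_valid(SAMPLE_LOGOUT_REQUEST, set_nameid_format(SAMPLE_LOGOUT_REQUEST, UNSPECIFIED)))
    print(digest_still_valid(SAMPLE_LOGOUT_REQUEST, set_nameid_format(SAMPLE_LOGOUT_REQUEST, TRANSIENT)))
```

The practical consequence for the SP side is that the NameID format must be fixed before SAMS_CreateLogoutRequest signs the message, never patched into the XML afterwards.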



Hi Juan,

From Okta's perspective, what is the certificate that you configured in the Okta admin console to validate the signature of the logout messages sent by this IdP connector?

Sometimes the server clocks are not completely in sync (which is a requirement for the SAML protocol). With that in mind, the IdP component already has a Site property called "TimespanThresholdOutMessages" (default 0). Try setting its value to 60, for instance. It means that the OS server and the Okta server can have their internal clocks out of sync by at most 60 seconds (plus network latency).


Regards.
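To make the clock-skew point concrete, here is an added example (not the IdP component's code) of the check an SP performs on a LogoutResponse: correlate InResponseTo with the request it sent, compare IssueInstant with the SP's own clock under a tolerance in seconds, and only then read the StatusCode. The tolerance parameter plays the role Telmo describes for TimespanThresholdOutMessages; the sample message is constructed from the Okta response posted above with the signature and certificate omitted.

```python
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed from the LogoutResponse in this thread; Issuer, Signature and
# KeyInfo left out because they play no part in the timestamp and status checks.
SAMPLE_LOGOUT_RESPONSE = """<saml2p:LogoutResponse
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://pordmweb01/Idp/SLO.aspx" ID="id42097145263360681942374689"
    InResponseTo="id_b2edbf2816544999878e0a54f9f59e4e"
    IssueInstant="2019-09-11T15:31:59.569Z" Version="2.0">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
  </saml2p:Status>
</saml2p:LogoutResponse>"""


def parse_issue_instant(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; fractional seconds are optional."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_logout_response(xml_text, expected_request_id, now, threshold_seconds):
    """Return (ok, reason) for a LogoutResponse received at SP time `now`.
    threshold_seconds (assumption: models the site property's tolerance) is the
    allowed |now - IssueInstant|; 0 means the two clocks must agree exactly."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match the LogoutRequest we sent"
    skew = abs((now - parse_issue_instant(root.get("IssueInstant"))).total_seconds())
    if skew > threshold_seconds:
        return False, f"Request timestamp not valid: off by {skew:.0f}s, threshold {threshold_seconds}s"
    code = root.find("saml2p:Status/saml2p:StatusCode", NS).get("Value")
    if code != STATUS_SUCCESS:
        return False, "IdP reported " + code.rsplit(":", 1)[-1]
    return True, "IdP confirmed the logout"


if __name__ == "__main__":
    # SP clock 2 s ahead of the IdP's IssueInstant (skew, or a pause in the debugger):
    # rejected with threshold 0, accepted with 60; only then is AuthnFailed visible.
    received_at = parse_issue_instant("2019-09-11T15:32:01.569Z")
    for threshold in (0, 60):
        print(threshold, check_logout_response(SAMPLE_LOGOUT_RESPONSE,
              "id_b2edbf2816544999878e0a54f9f59e4e", received_at, threshold))
```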


Hi Telmo,

Will have to try that one out. For now, the company is yet to identify what IdP to purchase. :D

Cheers,

JC