Hi,
I have a problem with SLO. Here are the issues:
- On the first login attempt in incognito mode, it calls DoSLOLogout and SamlSLO to log out. However, on subsequent attempts to log in and log out again, it does not call SamlSLO. It either redirects to the ADFS logout screen (with the OutSystems session still active) -- [HTTP POST] or gets stuck with a 404 error on the DoSLOLogout screen -- [HTTP Redirect].
- For single logout, it never redirects to my login screen/ADFS login screen again.
** We are using Windows Server 2016 and ADFS v2.0 (not Azure ADFS).
Thanks.
Regards,
Ferry
Issue resolved
Hi Ferry,
I have encountered the same issue. Could you share how you solved it?
Hi Jessica,
We made the changes to the ADFS Configuration:
Dear Ferry,
Thanks for your response.
1. SHA-1 has been updated.
2. The default from ADFS logout
3. May I know where to do "transform the claims rules for NameID to have the format=unspecified instead of empty"? Please advise
Rgds,
Jessica
Best Regards,
May I have a screenshot of how to do it? Sorry, I cannot catch your meaning.
Thanks, Ferry.
As the ADFS is owned by my client, may I update the IdP configuration for nameidentifier to be the email address and then send them the updated metadata XML to import into their ADFS?
Jessica Lee wrote:
I am not sure whether it works; you can try and monitor the Message Log and, if possible, the ADFS log from the ADFS server. For ours, it was due to a misconfiguration in ADFS rather than an IdP-side issue.
In my logout SAML request,
NameID seems to be defined as unspecified.
Our previous issue was also due to the NameID format not matching (error found in the ADFS server's event log) upon sending the request; that is why we have the transform claim. Have you tested it as of now? Is it working?
Let me ask my client to configure and check ADFS log event to see any hints.
If there is any update, I will let you know.
Could you give me a hand? I have no idea whether the ADFS settings are correct. Please advise.
You might want to look at this URL for further information on setting up the Relying Party claim rules:
https://docs.servicenow.com/bundle/orlando-platform-administration/page/integrate/saml/task/t_ConfigureADFSClaimRules.html
It is not under the "Accepted Claims" properties of the relying party. When you right-click on the relying party, instead of choosing Properties, choose Edit Claim Rules. You need to configure your claim rules under Edit Claim Rules.
I found out why I get the 404 error page in SSO: IIS limits the GET query string to 1024.
Do you know how to change ADFS to send the SAMLResponse via the POST method? Or how to enlarge the IIS setting in OutSystems?
Hi Jessica, I've encountered that error recently as well. In order to increase the max query string in OutSystems, you can use the Factory Configuration component to create a shared configuration and apply it to the IdP module. You can find the shared configuration template below:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
    <!-- Identity template: copy everything in web.config unchanged -->
    <xsl:template match="@*|node()">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
    </xsl:template>
    <!-- Add (raise) the IIS request limits under requestFiltering -->
    <xsl:template match="/configuration/system.webServer/security/requestFiltering">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
            <requestLimits maxUrl="3000" maxQueryString="3000"/>
        </xsl:copy>
    </xsl:template>
</xsl:stylesheet>
In the example, I'm using 3000 chars for maxUrl and 3000 for maxQueryString. Feel free to adjust as per your requirements.
Regards,
Hi Joao,
Thanks for your information. May I know which option I should select?
Hi Jessica, you should use the default web.config_XLS. The first dropdown is only used to select one of the pre-made samples that can pre-fill the configuration if you press the fill button.
Regards,
Ferry Sanjaya wrote:
Hi Ferry!
I'm also doing a similar integration :)
Like what you have mentioned, the ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout. Using the one without the parameters logs the user out perfectly, but we experienced an error MSIS7055 on the logout page from the ADFS. Can I check with you whether you experienced any of that during your integration?
Xue Li wrote:
Hi Xueli,
Is your setup connecting to Azure ADFS or Windows Server 2016?
Will you be able to extract more information from the ADFS server log for the actual error, and also the IdP's Transaction Log error for logout?
Hi Xue,
Could you share how to solve the "we experienced an error MSIS7055 on the logout page from the ADFS" issue?
Thanks in advance
Hello Ferry Sanjaya and Jessica Lee,
I am having a similar issue on logout.
Tried both of the following:
* Changed to SHA-1
* Transformed the claim rules to have format=unspecified.
Still getting the error below on ADFS on logout:
The SAML Single Logout request does not correspond to the logged-in session participant.
Requestor: http://xxx-tst.outsystemsenterprise.com/IdP
Request name identifier: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, NameQualifier: SPNameQualifier: , SPProvidedId:
Logged-in session participants:
Count: 1, [Issuer: http://xxx-tst.outsystemsenterprise.com/IdP, NameID: (Format: , NameQualifier: SPNameQualifier: , SPProvidedId: )]
This request failed.
User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.
I know my claim transformation has issues, but I am not sure what the right one is.
There was a NameID claim mismatch in the format and ADFS logout requests were failing. In case anyone else is having a similar issue: in my instance, EmployeeID was our NameID.
1. I needed to set the encryption to SHA-1
2. Created a rule to send LDAP attributes as claims, with all necessary attributes except NameID, as it requires transformation.
3. Since we were using EmployeeID as the NameID, and employeeID was not available in the "Transform an incoming claim" rule template, I had to create a custom rule.
4. Two custom rules were created:
Extract:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("NAMEID"), query = ";employeeID;{0}", param = c.Value);
Transform:
c:[Type == "NAMEID"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
5. Set the IDP logout URL to the default one without ?wa=signout1.0
The logout started working after performing the above steps.
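To check for the mismatch this post and the ADFS event quoted above describe, here is an added Python diagnostic (not OutSystems or ADFS code; the endpoints and the NameID value E12345 are constructed) that decodes a LogoutRequest from an HTTP-Redirect-binding URL and compares its NameID value and Format with the NameID in the session's assertion, the way ADFS does before accepting a single logout:

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def redirect_encode(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(raw).decode()

def redirect_decode(url):
    # Inverse: take SAMLRequest off the query string and inflate it to XML.
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def name_id(xml_text, path):
    # Return (value, Format attribute) of the NameID at `path`, or (None, None).
    el = ET.fromstring(xml_text).find(path, NS)
    if el is None:
        return None, None
    return (el.text or "").strip(), el.get("Format", "")

def logout_matches_session(assertion_xml, logout_url):
    # Mirror the ADFS participant check: NameID value and Format must both agree.
    sess = name_id(assertion_xml, ".//saml:Subject/saml:NameID")
    req = name_id(redirect_decode(logout_url), "saml:NameID")
    return {"value_ok": sess[0] == req[0], "format_ok": sess[1] == req[1],
            "session": sess, "request": req}

# Constructed sample: the assertion ADFS issued at login carried no Format
# (as in the event above), while the IdP module's LogoutRequest says unspecified.
SESSION_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>E12345</saml:NameID></saml:Subject>'
    '</saml:Assertion>')
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">'
    '<saml:Issuer>https://sp.example.invalid/IdP</saml:Issuer>'
    f'<saml:NameID Format="{UNSPECIFIED}">E12345</saml:NameID>'
    '</samlp:LogoutRequest>')
LOGOUT_URL = "https://adfs.example.invalid/adfs/ls/?" + urlencode(
    {"SAMLRequest": redirect_encode(LOGOUT_REQUEST)})
```

Running `logout_matches_session(SESSION_ASSERTION, LOGOUT_URL)` reports value_ok but not format_ok, which is exactly the situation the custom issuance rule above fixes by stamping the format property on the NameID ADFS issues; the same decoder can be pointed at the SAMLRequest value copied from the IdP Message Log.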
I am facing the same logout issues. Where can I find the ADFS configuration folder?