Facing issue in logout SAML 2.0
Question

Hi,

In my traditional web application I implemented SSO login using SAML 2.0, but I am facing an issue with logout: after clicking on logout, the application redirects me back to the application's home page instead of the SSO login page. I didn't use the IdP component. Below is my application's logout flow in the LoginInfo block. Please suggest.



While debugging this method:

User_GetUnifiedLogoutUrl : "/Users/Logout.aspx?OriginalURL=https%3a%2f%2fapasl-dev.outsystemsenterprise.com%2fSSODemo%2fMainScreen.aspx"

User_GetUnifiedLoginUrl : "/Users/SAMLLogin.aspx?OriginalURL=%2fSSODemo%2f"

Hi Vikas,

I'm assuming that you are following this guide. Is that correct? If so:

  1. Does your IdP support single logout operations?
  2. Using the browser developers tools, could you capture the network requests when you press the logout button? Make sure to mark "preserve log".

Do you see any redirect requests from the IdP login screen to your application? If single logout is not supported it might be the case that when your flow redirects the user to the IdP login page, it silently redirects back to your app since logout was not performed.


Hi Ivo,

Thanks for the update. First of all, yes, I followed the above-mentioned guide. As per your suggestion I checked, and you are right: it calls logout and then redirects back to the application. Also, the SAML logout response is a failure.



SAML Logout Response


Need your suggestion: how can I check whether the IdP supports single logout or not? Or do I need to make any changes in the Users application or in the logout flow of my application? Kindly suggest.

Regards



Hi Ivo,

I think the IdP supports single logout operations, as I am able to see the single logout URLs in the Users application. These URLs are populated from the federation metadata file.


Please suggest.

Regards

Hi Vikas,

The logout flow seems to be executing but something fails in the process. Does the SAML Logout Response give more details regarding what might be the problem?


Hi Ivo,

Thanks for the update. But as you can see from the SAML logout response in my last reply, I don't think there is much information to be noticed.

I googled a little bit about it and found that I need to check the SAML logout request, which is below:

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id_dc3265ae43f943beb647078bfb657404" Version="2.0" IssueInstant="2020-10-09T18:34:04.5706814Z" Destination="https://adanissouat.adani.com/adfs/ls/" NotOnOrAfter="2020-10-09T18:45:04.5706814Z">
    <saml2:Issuer>http://apasl-dev.outsystemsenterprise.com/Users</saml2:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#id_dc3265ae43f943beb647078bfb657404">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>lYRuUFgeV3+yF718NJsLzrRzQYk=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>AYh8XJvuhRe/SIenV2ClHHrnk/FiTLmeRsxWT+i15gio2RGNhHF1G9o8uXbRsHjpzCalaAqSE1Se9hIxMXyq9DnyUhaX1AUgEyHm9CS720zhCUekfz+LS9PWOqLV2mKHjDkiFbOMxipAretJVClyycbESMz918oVx0tUevc+J72h+puQhOFZveyFC2OO1p2OUHFvYMPXc3e9y1lAPAXRMOHGwdJXxtEGpX37kqakbettnjoK7DSJ2M+HH6s7tBe4VJF1RgPOyJEp/2Gb/z4A44yJOGiFRNIqpje3dfWdcsgBPaAor6537s3aiwQ6JmqUKzOtaddUEzBbdE0Lesg40g==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>MIICoDCCAYigAwIBAgIIOFwgKpKacHAwDQYJKoZIhvcNAQELBQAwEDEOMAwGA1UEAwwFT1NfU1AwHhcNMjAwOTA5MDAwMDAwWhcNMzAwOTA5MDAwMDAwWjAQMQ4wDAYDVQQDDAVPU19TUDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIaA1uiDyKZ3jyoo17R3i8SdBRaicbvb5B6nkb6wpAaq1K8LeLTI041WKv+U0vB7WFGYDhyyvaovGPGrmORoxtUkx7IDRBn7welHyJrzE+IG3Hb1a0wwadurLyT5wSkOv5JoAer6hJyWFQs2HfvkwT+CTJfzoY4bXF3dUmqIQvM/WHtJ/Eq1PYMWH0oGz8mu//OE3GtYUg7huDLgN5FLvnsID22wsrXdo6geCdmot1mCKqXra3x7t91/Do/uK3/5Moge5utZ2dT7Ge9gQZS8vO1ZJ25vAFuw8ipbrAFWB65MczPM7ds9d0IoVzSJeKS5+AvM3o0WTbOdIEYyWobsvYsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAF3yZGudRERe+i708BteMV6FLIY8D7bRCVBYlDLujN8EGvjGfy8TOfg63SwgZe/EVGo4Y0ppw1ksiluh+0/OuTCzX4R5gCA6/79lKdHVSpqstGMVi5TWk9uQnEq1Qn68m4HqUw7CmE5wQP8ByQ3+jO5rr8JrEhy1/GJ5nVL2AIdkeapV2Dfta/2XKpC7gpVzOcnPG35ZJSsiVdeRmWFJv0zIQnuTM3IMQwmG/7aeidUVFXhvjkeYZVGFh3/SY+8jCyRhzxj4d9wUCiA3tI6GcNlvG8FgVSi2iNWBHmZ12LbXKO64VaM7xeAvZekPhCRAbQ+EzCNfth8P4GwSlgmO5Eg==</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ADANI\TestADFS</saml2:NameID>
    <saml2p:SessionIndex>_28f020e0-de19-4f30-80a3-eeaeae0b32a6</saml2p:SessionIndex>
</saml2p:LogoutRequest>


But I am not able to get any clue from this request as to what is wrong with it.

Kindly suggest.

Regards
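The request above is the SP's half of the single logout exchange; the LogoutResponse that comes back from ADFS carries the failure only as a StatusCode (often with a nested second-level code) and an optional StatusMessage. The script below is an added example for this thread, not OutSystems or ADFS code. It decodes a SAMLRequest or SAMLResponse parameter captured from the browser's network tab (HTTP-Redirect binding: URL-encoded base64 of raw DEFLATE; HTTP-POST binding: plain base64), pulls out the fields the IdP checks (Issuer, Destination, NameID, SessionIndex, NotOnOrAfter, signature algorithm) and surfaces the status details of the response. Both sample messages are constructed: the request mirrors the one posted above with its signature, digest and certificate values replaced by placeholders, and the failing response uses example.com hosts. The RSA-SHA1 warning is a common ADFS-specific cause: ADFS expects a signed request to use the secure hash algorithm configured on the relying party trust (SHA-256 by default) and rejects one signed with a different algorithm.

```python
"""Decode and inspect SAML 2.0 single logout messages captured from the browser.

Added example for this thread; not OutSystems or ADFS code. The two sample
messages are constructed (see comments next to them).
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def decode_redirect_binding(param):
    """SAMLRequest/SAMLResponse in a query string: URL-encoded base64 of raw DEFLATE."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE, no zlib header


def encode_redirect_binding(xml_text):
    """Inverse of decode_redirect_binding; handy for building test input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def decode_post_binding(param):
    """SAMLRequest/SAMLResponse in a form POST body: plain base64, no compression."""
    return base64.b64decode(param).decode("utf-8")


def _instant(value):
    """Parse a SAML dateTime such as 2020-10-09T18:45:04.5706814Z (7 fraction digits)."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = head + "." + frac[:6].ljust(6, "0")  # fromisoformat takes at most 6
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def inspect_logout_request(xml_text, now=None):
    """Extract what the IdP checks in a LogoutRequest and flag common rejection causes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: " + root.tag)
    now = now or datetime.now(timezone.utc)
    name_id = root.find("saml:NameID", NS)
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    not_after = root.get("NotOnOrAfter")
    info = {
        "id": root.get("ID"),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "destination": root.get("Destination"),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
        "signature_alg": sig_method.get("Algorithm") if sig_method is not None else None,
        "expired": bool(not_after) and _instant(not_after) <= now,
        "warnings": [],
    }
    warn = info["warnings"]
    if info["signature_alg"] is None:
        warn.append("request is unsigned; ADFS requires signed LogoutRequests")
    elif info["signature_alg"] == RSA_SHA1:
        warn.append("signed with RSA-SHA1; the relying party trust's secure hash "
                    "algorithm must be SHA-1 too (ADFS defaults to SHA-256)")
    if info["name_id"] is None or info["session_index"] is None:
        warn.append("NameID and SessionIndex must both be present and match the assertion")
    if info["expired"]:
        warn.append("NotOnOrAfter is in the past")
    return info


def inspect_logout_response(xml_text):
    """Top-level StatusCode, nested StatusCode and StatusMessage: all the SP ever sees."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutResponse: " + root.tag)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    nested = root.find("samlp:Status/samlp:StatusCode/samlp:StatusCode", NS)
    return {
        "in_response_to": root.get("InResponseTo"),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "status": top.get("Value") if top is not None else None,
        "sub_status": nested.get("Value") if nested is not None else None,
        "message": root.findtext("samlp:Status/samlp:StatusMessage", namespaces=NS),
        "success": top is not None and top.get("Value") == STATUS_SUCCESS,
    }


# Constructed sample: the thread's request with DigestValue, SignatureValue and
# the certificate replaced by placeholders (so it is not verifiable, only inspectable).
SAMPLE_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="id_dc3265ae43f943beb647078bfb657404" Version="2.0"
  IssueInstant="2020-10-09T18:34:04.5706814Z"
  Destination="https://adanissouat.adani.com/adfs/ls/"
  NotOnOrAfter="2020-10-09T18:45:04.5706814Z">
  <saml:Issuer>http://apasl-dev.outsystemsenterprise.com/Users</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id_dc3265ae43f943beb647078bfb657404">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ADANI\\TestADFS</saml:NameID>
  <samlp:SessionIndex>_28f020e0-de19-4f30-80a3-eeaeae0b32a6</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed sample: a failing LogoutResponse with example.com hosts, shaped the
# way ADFS answers; the nested StatusCode and StatusMessage hold the only detail.
SAMPLE_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-response-id" Version="2.0" IssueInstant="2020-10-09T18:34:05Z"
  Destination="https://sp.example.com/saml/logout"
  InResponseTo="id_dc3265ae43f943beb647078bfb657404">
  <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>constructed: the IdP rejected the logout request</samlp:StatusMessage>
  </samlp:Status>
</samlp:LogoutResponse>"""

if __name__ == "__main__":
    # What you would copy from the Location header of the redirect to /adfs/ls/
    param = encode_redirect_binding(SAMPLE_REQUEST)
    when = _instant("2020-10-09T18:40:00Z")  # pretend it is still within NotOnOrAfter
    for key, val in inspect_logout_request(decode_redirect_binding(param), now=when).items():
        print(key, "=", val)
    print(inspect_logout_response(SAMPLE_RESPONSE))
```

To use it on a real capture, copy the SAMLRequest value from the Location header of the redirect to /adfs/ls/ (or the SAMLResponse from the form POST back to the SP) into decode_redirect_binding or decode_post_binding. The script only reports the signature algorithm; it does not verify the signature, so a request it calls clean can still be rejected for a bad key or digest, which is exactly the case where the ADFS event log has the detail the LogoutResponse does not.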


Hi Vikas,

On the OutSystems side everything seems to be working as expected. I'd recommend checking the logs on ADFS for the root cause of why the SAML logout request is failing.