The SAML logout did not complete properly. #353
Well, someone has asked you how you have resolved your problem here. Would you like to give a hint? For logout, it depends, we need to know which logout endpoint the adfs has in its metadata
Yes. I post a solution for issue 348.
Also, SDP and IDP metadata
Service Provider Metadata
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com/saml2/ls/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.com/saml2/ls/post"/>
IDP MetaData
<SingleLogoutService Location="https://idp.com/adfs/ls/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<SingleLogoutService Location="https://idp.com/adfs/ls/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
For logout, it depends, we need to know which logout endpoint the adfs has in its metadata
Can you please check?
Logout not working. Please guide me, thank you
On Sat, Oct 15, 2022 at 7:23 AM Giuseppe De Marco ***@***.***> wrote:
Well, someone has asked you how you have resolved your problem here
#348
Would you like to give a hint?
Consider this more like a social exchange 😉
For logout, it depends, we need to know which logout endpoint the adfs has in its metadata
It seems that the idp has the same endpoint for both post and redirect bindings
[image: image.png]
I got the SAML LogoutRequest token from saml tracer.
And by using SAML Tokens Tools, I checked the token info.
As you can see in the screenshot, the SAML LogoutRequest has an invalid signature.
IDP server log error (signature verification failed of logout request)
SDP djangosaml2 log (Returning form to the IdP to continue the logout process)
Already, in the djangosaml2 config file, I set up ('logout_requests_signed': True,).
Everything is fine except the logout part.
Any guide?
Please. Thank you
I'm not sure why SAML LogoutRequest is not signature from SDP.
Please
you can disable the signature check if you need
Unfortunately, ADFS logout needs a signed logout request.
I already tried to disable signature, but ADFS logout needs a signed logout request.
I'm not sure why signed verification failed.
Any guide?
I think, SAML2 Logout Request will be generated from SP side.
but even though, SP Logout Request signature is valid.
What is reason?
I think, this is a djangosaml2 side issue because it is generating the saml2 logout request, but the signature is not valid after I check the saml2 logout request base64 encoded token.
Please!
Any luck?
Please, can you check email above ticket?
Thank you
I think that you should share the IDP metadata here, we should have to check which are the logout endpoints and their binding and then check in djangosaml2 if something should be done
When I try logout, ADFS IDP is returning this error.
I analyzed IDP (Active Directory Federation Service on Windows Server) logs.
It is a verify signature issue in logs.
But already, using same signature for IDP and SDP.
I'm successful in login, but when I try logout on SP, error.
Please let me know, what is the issue?
I attached a screenshot.
Screenshot is the ADFS screen after I logout on the djangosaml2 project.
It is redirecting to ADFS...
Please guide.
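
Added example (not part of the thread and not djangosaml2 code): a standard-library helper for inspecting a captured HTTP-Redirect LogoutRequest such as the one taken from SAML tracer in this issue. Under the HTTP-Redirect binding the XML carries no `ds:Signature` element; the signature is the separate `Signature` query parameter, computed over the wire-encoded `SAMLRequest`, `RelayState` and `SigAlg` pairs, so the helper reports both places. The endpoints come from the metadata posted here; the Issuer, NameID, RelayState and Signature values are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input
from urllib.parse import urlencode, urlsplit, parse_qs

DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def decode_redirect_message(saml_request):
    """HTTP-Redirect payloads are base64 over raw DEFLATE (no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def signed_octets(url):
    """Bytes the Signature parameter covers: the wire-encoded SAMLRequest,
    optional RelayState and SigAlg pairs, in that order."""
    pairs = dict(p.split("=", 1) for p in urlsplit(url).query.split("&"))
    keys = [k for k in ("SAMLRequest", "RelayState", "SigAlg") if k in pairs]
    return "&".join(f"{k}={pairs[k]}" for k in keys).encode()

def inspect_redirect_logout(url):
    """Summarise where a captured HTTP-Redirect LogoutRequest is signed."""
    query = parse_qs(urlsplit(url).query)
    root = ET.fromstring(decode_redirect_message(query["SAMLRequest"][0]))
    return {
        "message": root.tag.rsplit("}", 1)[-1],
        "destination": root.get("Destination"),
        "xml_signature": root.find(DS_SIGNATURE) is not None,
        "query_signature": "Signature" in query and "SigAlg" in query,
    }

def build_sample_url():
    """Constructed sample: XML without ds:Signature, placeholder Signature."""
    xml = (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
        'Version="2.0" IssueInstant="2022-10-18T00:00:00Z" '
        'Destination="https://idp.com/adfs/ls/">'
        '<saml:Issuer>https://test.com/saml2/metadata/</saml:Issuer>'
        '<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>'
    ).encode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    payload = base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()
    params = [("SAMLRequest", payload), ("RelayState", "constructed-state"),
              ("SigAlg", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"),
              ("Signature", "Y29uc3RydWN0ZWQ=")]  # placeholder, not a real signature
    return "https://idp.com/adfs/ls/?" + urlencode(params)

if __name__ == "__main__":
    sample = build_sample_url()
    print(inspect_redirect_logout(sample))
    print(signed_octets(sample).decode())
```

A tool that validates only the decoded XML will find no signature in a redirect-binding message; the value to check against the SP certificate is `Signature` over the bytes returned by `signed_octets`.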