ADFS 2.0 SAML logout process problem


Problem description

Hello


I'm trying to configure a web application as a Relying Party (app.com later in this text) to work with ADFS 2.0 (adfs.com later in this text) as SSO provider. Single sign on works well. There is a problem with single sign out. It does not fulfill the flow described at http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf.


According to SAML documentation, logout should work as described below:


  1. app.com initiates a LogoutRequest to adfs.com.
  2. adfs.com determines all service providers (in ADFS: relying parties) and sends them a LogoutRequest.
  3. All SPs return a LogoutResponse to adfs.
  4. adfs sends a LogoutResponse to the SP that initiated the logout request. This should be my app.com.


First problem is that step 4 is never done. Process finishes with a webpage from adfs saying "You are successfully logged out. Please close your browser...". No redirect to app.com is performed.


Second problem is that no logout is actually done. If I try to initiate AuthnRequest - it returns Success, so no user authentication is needed. 

What am I doing wrong? Why doesn't ADFS "forget" the user after logout? Why doesn't it redirect back to app.com?


Please, find some details about my configuration below.

ADFS and relying party configuration:


Relying party id: https://app.com


SAML logout endpoint: Binding = POST, URL = https://app.com/samlurl, Response URL = https://app.com/samlurl


SAML assertion consumer endpoint: POST, URL = https://app.com/samlurl

Actual logout flow


1. POST request to https://adfs.com/adfs/ls/?wa=wsignout1.0. Includes SAMLRequest with logout request and RelayState params. SAML Request is here: 


<saml2p:LogoutRequest Destination="https://adfs.com/adfs/ls/?wa=wsignout1.0"
                      ID="testuser"
                      IssueInstant="2015-01-13T13:51:57.978Z"
                      NotOnOrAfter="2015-01-13T13:56:57.978Z"
                      Version="2.0"
                      xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                      >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://app.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#testuser">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>avalue</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>avalue</ds:SignatureValue>
    </ds:Signature>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                  SPNameQualifier="https://app.com"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >testuser</saml2:NameID>
    <saml2p:SessionIndex/>
</saml2p:LogoutRequest>


2. ADFS initiates a SAML LogoutRequest to https://app.com/samlurl. Here is the SAML request:


<samlp:LogoutRequest ID="_f400b584-58dc-463a-bcc8-eaaf1d5f37e2"
                     Version="2.0"
                     IssueInstant="2015-01-13T13:09:54.173Z"
                     Destination="https://app.com/samlurl"
                     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                     NotOnOrAfter="2015-01-13T13:14:54.172Z"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://adfs.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_f400b584-58dc-463a-bcc8-eaaf1d5f37e2">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>avalue</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>avalue</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>acertificate</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
            >testuser@domain.name</NameID>
    <samlp:SessionIndex>_968900dc-be0b-46b8-90d3-1e9742bdf174</samlp:SessionIndex>
</samlp:LogoutRequest>

3. The SAML LogoutRequest is processed by app.com, which returns a LogoutResponse to https://adfs.com/adfs/ls/?wa=wsignout1.0. Here is the SAML response:


<saml2p:LogoutResponse Destination="https://adfs.com/adfs/ls/?wa=wsignout1.0"
                       ID="_03e7546f0000014ae390c56ac0a80115b0a28162"
                       InResponseTo="_f400b584-58dc-463a-bcc8-eaaf1d5f37e2"
                       IssueInstant="2015-01-13T13:52:03.435Z"
                       Version="2.0"
                       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                       >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://app.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_03e7546f0000014ae390c56ac0a80115b0a28162">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>avalue</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>avalue</ds:SignatureValue>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
</saml2p:LogoutResponse>

4. ADFS shows the page "You are successfully logged out. Please close your browser..." at https://adfs.com/adfs/ls/?wa=wsignout1.0.


I've tried wreply parameter, but seems it is just ignored.


Using Windows Server 2008 R2 Enterprise and AD FS 2.0.

Thanks in advance!
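As an added example, not code from the thread, here are the receiver-side consistency checks an SP makes on the IdP-initiated LogoutRequest of step 2 (Destination, Issuer, NotOnOrAfter, and NameID/SessionIndex against what was recorded at login) and on a LogoutResponse (InResponseTo and Status); run against the step-1 request with the values ADFS itself used in step 2, the same check reports the NameID ("testuser" vs "testuser@domain.name") and the empty SessionIndex, though whether that is what ADFS trips over is not established by the thread. The samples are constructed from the posted messages with signatures removed; signature verification is assumed to have happened before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed samples mirroring the thread's step-1, step-2 and step-3 messages (signatures omitted).
SP_LOGOUT_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="testuser" Version="2.0" IssueInstant="2015-01-13T13:51:57.978Z"
  NotOnOrAfter="2015-01-13T13:56:57.978Z" Destination="https://adfs.com/adfs/ls/?wa=wsignout1.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://app.com</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">testuser</saml2:NameID>
  <saml2p:SessionIndex/>
</saml2p:LogoutRequest>"""
IDP_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_f400b584-58dc-463a-bcc8-eaaf1d5f37e2" Version="2.0" IssueInstant="2015-01-13T13:09:54.173Z"
  NotOnOrAfter="2015-01-13T13:14:54.172Z" Destination="https://app.com/samlurl">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://adfs.com/adfs/services/trust</Issuer>
  <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">testuser@domain.name</NameID>
  <samlp:SessionIndex>_968900dc-be0b-46b8-90d3-1e9742bdf174</samlp:SessionIndex>
</samlp:LogoutRequest>"""
SP_LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_03e7546f0000014ae390c56ac0a80115b0a28162" InResponseTo="_f400b584-58dc-463a-bcc8-eaaf1d5f37e2"
  Version="2.0" IssueInstant="2015-01-13T13:52:03.435Z" Destination="https://adfs.com/adfs/ls/?wa=wsignout1.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

def utc_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_logout_request(xml_text, expected_destination, expected_issuer, session, now):
    """Consistency checks a receiver makes before acting on a LogoutRequest (signature already verified).
    `session` holds the NameID/SessionIndex recorded at login. Returns a list of problems; empty = acceptable."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected_destination:
        problems.append("Destination does not match the receiving endpoint")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer is not the expected peer")
    if now >= utc_time(root.get("NotOnOrAfter")):
        problems.append("request has expired (NotOnOrAfter)")
    if root.findtext("saml:NameID", namespaces=NS) != session["name_id"]:
        problems.append("NameID does not match the session established at login")
    if (root.findtext("samlp:SessionIndex", namespaces=NS) or "") != session["session_index"]:
        problems.append("SessionIndex is empty or does not match the session established at login")
    return problems

def logout_response_ok(xml_text, request_id):
    """True only if the LogoutResponse answers the request we sent and reports Success."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return root.get("InResponseTo") == request_id and code is not None and code.get("Value") == SUCCESS
```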

Recommended answer

Were you able to fix your problem? I'm having the exact same one...

