与ADFS IdP的单点注销相关的适当LogoutRequest

Question

与ADFS IdP的单点注销相关的适当LogoutRequest

8

我成功地使用了OneLogin Java-SAML库来实现SAML SSO。但是在与Active Directory联合身份验证服务（ADFS）进行单点注销（SLO）时存在问题。该库创建的LogoutRequest被ADFS拒绝，而SimpleSAMLphp IdP却可以接受。在LogoutRequest创建时，我传递了从ADFS在响应中收到的nameId和sessionIndex。

以下是生成的请求和收到的响应：

AuthNRequest：

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" Version="2.0" IssueInstant="2017-05-31T15:43:07Z" ProviderName="My Company Service Provider" Destination="https://wintest.mycompany.test/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://localhost:8443/builder/login_check_sso">
   <saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
   <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

响应：

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://localhost:8443/builder/login_check_sso" ID="_f5ea3a59-92f9-4b22-aaf0-36ed392df051" InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
      <Issuer>http://wintest.mycompany.test/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>FNwbMonYZBBvTXSRbCWP7WxZgPZPSCcCFZozok9eRK4=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>fG1SIq3azZfBFQ+5YBBruuCQ03sLIHJ/YpK/AAOYkyJKXEZ5+SvNLgl+8/3a6Tk8mabZmwmawoJRf5UPb+fNtk+CeeWJ7kiUYcb2uvB4ic7Qd4qB+OgfqK0qVCkn9FWGEODLXA6v4tXWBZfSnzDrHEg7xLHrngesSnffY3uyQvH/rm4G2Vjd59LUeUtpJo2X5ZjVuk4sT5r21+UxpNU9LX8z7hXAZHhD1o4d2dqAs21tAGoid3p0RgNDy1WWGh1WSjFLHPDh220ZIchRFKveJE3R9M9nTKtOFESQsYc6TfmhJ5+Xm/j0VY7vvdhgguyq4MKzcPFK6tBL7I8KREck/Q==</ds:SignatureValue>
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
            </ds:X509Data>
         </KeyInfo>
      </ds:Signature>
      <Subject>
         <NameID>hamilton1@mycompany.test</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" NotOnOrAfter="2017-05-31T15:48:10.158Z" Recipient="https://localhost:8443/builder/login_check_sso" />
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2017-05-31T15:43:10.158Z" NotOnOrAfter="2017-05-31T16:43:10.158Z">
         <AudienceRestriction>
            <Audience>http://localhost:4568/sso/saml/metadata</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>hamilton@mycompany.com</AttributeValue>
         </Attribute>
      </AttributeStatement>
      <AuthnStatement AuthnInstant="2017-05-31T12:18:50.194Z" SessionIndex="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
         <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
         </AuthnContext>
      </AuthnStatement>
   </Assertion>
</samlp:Response>

注销请求：

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
   <saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">hamilton1@mycompany.test</saml:NameID>
   <samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>

登出响应：

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1b3e8c81-2aba-45be-8fe6-54edda514d51" Version="2.0" IssueInstant="2017-05-31T15:43:24.808Z" Destination="https://localhost:8443/builder/logout_sso" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <ds:Reference URI="#_1b3e8c81-2aba-45be-8fe6-54edda514d51">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>NDfLVWPkh2/UCEbLQ6V97OK2u4pajv3aLB9cPs5JkSc=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>M1JaIz/AeJAh1bUzAUBrljch9EVOVA6K3lzuFDWwF0LtmXgcMEZV9Htp9owq5MNcOZ/mymBrKmndz1EDwDxwOCLjpvp5QX42G23dUCyYAGfQXE1Dzub7dsaTSlMWnkbh6fMLk/j5/fcLEi8vwXMInQv6isVpxnbYI+4ayQWOzo9QpfJBaromDDqVwbmkoT8lhRo06n32OAi8CtaAS2rjNqJyPfcnLp3jMpfg5Qh3wiKYnT6VkMpXw5ddVASByKlqzIRiuItwJsqF4JDDj+f2qgSdq6PaTgYpu8xnbFXTdOvDeg0ZgetQrnaZ07+5xLFLGI73feAWPUFPXwMHQ2THXA==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
            <ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
         </ds:X509Data>
      </KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
   </samlp:Status>
</samlp:LogoutResponse>

错误出现在ADFS上: The SAML Single Logout request does not correspond to the logged-in session participant. 具体错误信息如下：

User Action 
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.

如何修改LogoutRequest才能让用户注销？

- Eugene Khyst

不确定这是否能解决您的问题，但是注销请求中的NameID格式应该是SAML:2.0而不是SAML:1.1吗？ - Vbp

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Eugene Khyst · Accepted Answer

好的，问题已经解决。

如您在我发布的SAML响应中所见，NameID元素没有Format属性：

<Subject>
     <NameID>hamilton1@mycompany.test</NameID>
     ...
</Subject>

因此，ADFS希望LogouRequest中的Format属性也将不存在。以下LogoutRequests会导致成功注销：

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
   <saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
   <saml:NameID>hamilton1@mycompany.test</saml:NameID>
   <samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>

如果我在ADFS中将声明发布策略更改为将名称ID映射到电子邮件地址，并使用以下规则：

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

我收到了以下的SAML响应：

<Subject>
     <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">hamilton1@mycompany.test</NameID>
     ...
</Subject>

通过使用格式为urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress的<NameID>发送LogoutRequest，退出成功：

我正在使用版本为2.0.1的java-saml，在Java中执行以下操作，因为LogoutRequest没有接受nameIdFormat的构造函数：https://github.com/onelogin/java-saml/blob/v2.0.1/core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java:

LogoutRequest logoutRequest = new LogoutRequest(settings, null, nameId, sessionIndex);
String samlRequestXml = logoutRequest.getLogoutRequestXml();
samlRequestXml = samlRequestXml.replaceAll(" Format=\".+\"", "");

计划新增一个 LogoutRequest 构造函数，该构造函数接受 nameIdFormat 作为参数。更多细节请参见https://github.com/onelogin/java-saml/issues/98。