Sustainsys.Saml2 SLO Logout RequestDenied status error
I need help in implementing Single Logout.I'm able to implement SSO service successfully.But SLO service is not working. I got RequestDenied status code after performing logout on my OWIN based asp.net MVC application.
<saml2p:LogoutRequest
Destination="https://sap-client.accounts.ondemand.com/saml2/idp/slo/sap-client.accounts.ondemand.com"
ID="idb2d655f7174f465696a433c75a717b46" IssueInstant="2019-08-03T02:16:03Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer>https://sp.domain.com/Saml2</saml2:Issuer>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
<saml2p:SessionIndex>S-SP-6aff8686-a642-4381-8ab3-0f18c6815ffe</saml2p:SessionIndex>
<LogoutResponse Destination="https://sp.domain.com/Saml2/Logout" ID="S0e6a2f99-2517-4326-a8ce-2ede2dfe1bfa" InResponseTo="idb2d655f7174f465696a433c75a717b46" IssueInstant="2019-08-03T02:16:04.933Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
<ns2:Issuer>sap-client.accounts.ondemand.com</ns2:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</StatusCode>
<StatusMessage>Identity Provider could not process the logout message received.</StatusMessage>
</Status>
Here is Owin log
Sustainsys.Saml2.Owin.Saml2AuthenticationMiddleware Error: 0 : Error in Saml2 for /Saml2/Logout Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: Idp returned status "Requester", indicating that the single logout failed. The local session has been successfully terminated. at Sustainsys.Saml2.WebSso.LogoutCommand.HandleResponse(UnbindResult unbindResult, StoredRequestState storedRequestState, IOptions options, Uri returnUrl) at Sustainsys.Saml2.WebSso.LogoutCommand.Run(HttpRequestData request, String returnPath, IOptions options) at Sustainsys.Saml2.Owin.Saml2AuthenticationHandler.d__4.MoveNext() ProcessId=14888 DateTime=2019-08-04T06:16:22.3060366Z
Thank you in advance.
The Idp returns an error. You should check the logs on the Idp to get more information on why. It might also be worth using SAML dev tools for Chrome to check the actual messages, there might be more status codes embedded in the response.
One reason that this might occur is if you have a long lived session in your application that extends beyond the life time of the Idp session. With owin based applications where the external login session is typically swapped to an application login session this might happen - the session life time limit is lost in the swap done in ExternalLoginCallback.
- Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
- How to configure grails-spring-security-saml plugin version 5.0.0-RC3 for https applications
- AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'. Received value: 'Minimum'
- Why can't I get my ASP.NET web app to work with IT FoxTec SAML?
- How can I watch a package called ITFoxTec and figure out how it's being called?
- Prevent Interactive Login with SAML Azure B2C when User Already Authenticated with OpenID
- What causes a Responder status in a SAML response
- How to validate a SAML token from ADFS 3.0 in an ASP.NET Core Web API
- Mapping SAML Attribute containing True or False to Claim with Boolean Data Type
- SAML2 Submitting XML SAMLRequest value in a form
- Invalid Request Error in sending SamlAuthn Request to IPs Keycloak
- Keycloak: Unique SAML endpoint per SAML Client in the same Realm
- Security concerns with providing SAML metadata on public URL
- Why signature need in SAML request for ADFS?
- More than one IDP for SAML2 login with Sustainsys using .NET Core
- Export local idp/sp metadata separately with ComponentSpace.Saml2 ASP.NET Core
- Why Statements has only getter and can't be set through the only constructor in Saml2Assertion?
- djangosaml2 authenticates user but I get anonymous user in my view
- Configuring SAML2: Bypassing 'InResponseTo' Validation While Retaining Default Settings in OpenSaml4AuthenticationProvider
- itfoxtec-identity-saml2 Assertion Consumer Service Exception
- "Error: An SP-initiated SAML response from *IdP* was received unexpectedly", what could cause this error?
- Use ITfoxtec.Identity.Saml2 to login user
- Unable to lookup idp connection metadata for entityid='http://sp.example.com/sp'
- Spring security SAML : Which lib to create an Identity provider to connect to service provider
- How to generate Identity Provider (IdP) SAML Response in node.js?
- Parsing Same Key Multi Value SAML2 claims using ITfoxtec.Identity.Saml2
- Should I require IdP's to sign SAML2 SSO responses?
- Passing initial query params all the way, in Spring Security OpenID/SAML
- Keycloak IdP SAML 2 Export of XML metdata to an SP
- AWS VPN connection to private network works differently depending on seemingly external factors