Four Js Development Tools Forum

Discussions by product => GAS and GBC => Topic started by: Jos? V. on November 09, 2023, 05:53:17 pm



Title: SAMLServiceProvider and ADFS
Post by: Jos? V. on November 09, 2023, 05:53:17 pm
I'm currently configuring SAMLServiceProvider for authentication with ADFS SAML and I'm having a bit of trouble with session logout.

I've followed the configuration along the lines of this file with some changes due to version differences:
https://4js.com/files/documents/support/HowTo-SSO-ADFS-Genero.pdf

So far I was able to successfully login and receive claims with the name ID attribute but the problem comes with logout.
When logging out SAMLServiceProvider I get the following error on the ADFS event log:
Quote
Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7054: The SAML logout did not complete properly.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Signout(ProtocolContext context, String redirectUri, List`1 iFrameSignoutUris)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolSignoutRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

This came from the following logout request sent by SAMLServiceProvider:
Quote
<fjs1:LogoutRequest xmlns:fjs1="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="_6718E2E7-F6DE-467F-939D-4E2EF3AAD326"
                    Version="2.0"
                    IssueInstant="2023-11-08T17:09:11.70200Z"
                    Destination="https://win-8pv1ngtpfbo.gnr.intra/adfs/ls/"
                    >
    <fjs2:Issuer xmlns:fjs2="urn:oasis:names:tc:SAML:2.0:assertion">urn:genero</fjs2:Issuer>
    <fjs2:NameID xmlns:fjs2="urn:oasis:names:tc:SAML:2.0:assertion"
                 NameQualifier="http://WIN-8PV1NGTPFBO.gnr.intra/adfs/services/trust"
                 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                 >jcv</fjs2:NameID>
    <fjs1:SessionIndex>_12252e1c-eebd-4e2b-8cc6-3f61c334c40e</fjs1:SessionIndex>
</fjs1:LogoutRequest>

I can't really pinpoint the problem here since ADFS event log isn't really being concrete, but I think the problem is that ADFS requires that the logout request is signed.
I checked the code shipped with FGL 3.20 (which I am using) for SAMLServiceProvider and there's no way to sign the logout request other than editing the provided code.

Am I doing something wrong, or is there some other problem here that I'm missing?

Thank you
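For reference, this is what a signed version of the LogoutRequest above looks like under the SAML 2.0 HTTP-Redirect binding, the form in which a SAML IdP most commonly receives a signed logout request. This is an added example, not Genero/Four Js code and not taken from SAMLServiceProvider; the post does not say which binding SAMLServiceProvider uses, so the Redirect binding, the RSA-SHA256 signature algorithm, the RelayState value and the use of the `cryptography` package for demo keys are all assumptions of the example. The request fields (ID, Destination, Issuer, NameID, SessionIndex) are copied from the request quoted in the post.

```python
"""Signed SAML 2.0 LogoutRequest under the HTTP-Redirect binding (added example).

Not Genero/Four Js code. Builds the LogoutRequest quoted in the forum post, encodes
it as the Redirect binding requires (raw DEFLATE + base64 + URL-encoding) and signs
the query string in the order the binding mandates:
    SAMLRequest=...&RelayState=...&SigAlg=...
The signing primitive is injected so the framing can be checked without a key.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from typing import Callable, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # assumed SigAlg


def build_logout_request(req_id: str, issue_instant: str, destination: str, issuer: str,
                         name_id: str, name_qualifier: str, session_index: str) -> str:
    """Serialize a LogoutRequest with the same elements the post's request carries."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": issue_instant, "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {
        "NameQualifier": name_qualifier,
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def logout_request_summary(xml_text: str) -> dict:
    """Pull out the fields worth comparing against the IdP's event log."""
    root = ET.fromstring(xml_text)
    return {"ID": root.get("ID"), "Destination": root.get("Destination"),
            "Issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "NameID": root.findtext(f"{{{SAML}}}NameID"),
            "SessionIndex": root.findtext(f"{{{SAMLP}}}SessionIndex")}


def deflate_b64(xml_text: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_redirect_query(xml_text: str, relay_state: Optional[str],
                          sign: Callable[[bytes], bytes], sig_alg: str = RSA_SHA256) -> str:
    """SAMLRequest=..&RelayState=..&SigAlg=..&Signature=.. ; the signature is computed
    over the URL-encoded first three parameters, in exactly that order (RelayState omitted
    from both the string and the signature input when there is none)."""
    params = [("SAMLRequest", deflate_b64(xml_text))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    to_sign = urllib.parse.urlencode(params)  # percent-encodes '+', '/', '=', ':' and '#'
    signature = base64.b64encode(sign(to_sign.encode("ascii"))).decode("ascii")
    return to_sign + "&" + urllib.parse.urlencode([("Signature", signature)])


def split_signed_redirect_query(query: str):
    """What the IdP must do: rebuild the signed string from the raw, still-encoded
    parameters as received (re-encoding them could change the bytes and break the check)."""
    raw = dict(part.partition("=")[::2] for part in query.split("&"))
    pieces = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        pieces.append("RelayState=" + raw["RelayState"])
    pieces.append("SigAlg=" + raw["SigAlg"])
    signature = base64.b64decode(urllib.parse.unquote(raw["Signature"]))
    return "&".join(pieces), signature, urllib.parse.unquote(raw["SigAlg"])


def verify_redirect_query(query: str, verify: Callable[[bytes, bytes], bool]) -> bool:
    signed_data, signature, _ = split_signed_redirect_query(query)
    return verify(signed_data.encode("ascii"), signature)


if __name__ == "__main__":
    # Demo key pair via the `cryptography` package (an assumption of this example only).
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def rsa_sign(data: bytes) -> bytes:
        return key.sign(data, padding.PKCS1v15(), hashes.SHA256())

    def rsa_verify(data: bytes, sig: bytes) -> bool:
        try:
            key.public_key().verify(sig, data, padding.PKCS1v15(), hashes.SHA256())
            return True
        except InvalidSignature:
            return False

    xml_text = build_logout_request(
        "_6718E2E7-F6DE-467F-939D-4E2EF3AAD326", "2023-11-08T17:09:11.70200Z",
        "https://win-8pv1ngtpfbo.gnr.intra/adfs/ls/", "urn:genero", "jcv",
        "http://WIN-8PV1NGTPFBO.gnr.intra/adfs/services/trust",
        "_12252e1c-eebd-4e2b-8cc6-3f61c334c40e")
    query = signed_redirect_query(xml_text, "genero-logout", rsa_sign)  # RelayState assumed
    print("GET https://win-8pv1ngtpfbo.gnr.intra/adfs/ls/?" + query)
    print("IdP-side check:", verify_redirect_query(query, rsa_verify))
    print("decoded:", logout_request_summary(inflate_b64(
        urllib.parse.unquote(query.split("&")[0][len("SAMLRequest="):]))))
```

Two things this makes visible that the XML alone does not: the signature under the Redirect binding is not an XML Signature inside the document but a detached signature over the URL-encoded query string, and the verifier has to reconstruct that string from the parameters exactly as they arrived, so the percent-encoding the SP used is part of what gets signed. Whichever binding SAMLServiceProvider actually uses, the IdP will only accept the signature if the SP's signing certificate is registered on the relying party trust; on ADFS that is the Signature tab of the trust, visible from PowerShell as the `RequestSigningCertificate` and `SignedSamlRequestsRequired` properties of `Get-AdfsRelyingPartyTrust`.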