djangosaml2
The SAML logout did not complete properly.
When I try to log out, the ADFS IDP returns this error.
I analyzed the IDP (Active Directory Federation Service on Windows Server) logs. The logs show a signature verification issue. But I am already using the same signature for IDP and SDP. Login succeeds, but when I try to log out on the SP, I get an error. Please let me know what the issue is. I attached a screenshot. The screenshot is the ADFS screen after I log out on the djangosaml2 project. It is redirecting to ADFS... Please guide.
Well, someone has asked you how you resolved your problem here
https://github.com/IdentityPython/djangosaml2/issues/348
Would you like to give a hint? Consider this more like a social exchange 😉
For logout, it depends; we need to know which logout endpoint the ADFS has in its metadata
Yes. I post a solution for issue 348.
Also, SDP and IDP metadata
Service Provider Metadata
<ns0:SingleLogoutService Binding=" urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=" https://test.com/saml2/ls/"/>
<ns0:SingleLogoutService Binding=" urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" https://test.com/saml2/ls/post"/>
IDP MetaData
<SingleLogoutService Location="https://idp.com/adfs/ls/" Binding=" urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<SingleLogoutService Location="https://idp.com/adfs/ls/" Binding=" urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
Can you please check? Logout is not working. Please guide me, thank you.
It seems that the idp has the same endpoint for both post and redirect bindings
I got the SAML LogoutRequest token from SAML tracer, and I checked the token info using SAML Tokens Tools. As you can see in the screenshot, the SAML LogoutRequest has an invalid signature.
IDP server log: error (signature verification failed of logout request). SDP djangosaml2 log: (Returning form to the IdP to continue the logout process).
In the djangosaml2 config file, I already set ('logout_requests_signed': True,). Everything is fine except the logout part. Any guide? Please. Thank you.
I'm not sure why SAML LogoutRequest is not signature from SDP.
Please
you can disable the signature check if you need
Unfortunately, ADFS logout needs a signed logout request. I already tried to disable the signature, but ADFS logout needs a signed Logout Request. I'm not sure why signature verification fails. Any guide?
I think the SAML2 Logout Request will be generated from the SP side. but even though, SP Logout Request signature is valid. What is the reason? I think this is a djangosaml2 side issue, because it is generating the SAML2 logout request, but the signature is not valid when I check the SAML2 logout request base64-encoded token. Please!
Any luck?
Please, can you check email above ticket? Thank you
I think that you should share the IDP metadata here; we should check which are the logout endpoints and their bindings, and then check in djangosaml2 if something should be done
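
An added example, not part of the thread and not djangosaml2 or pysaml2 code: a small Python diagnostic for the check requested above, listing the IdP's SingleLogoutService endpoints per binding and summarising a captured LogoutRequest (destination, embedded signature, signature algorithm). The metadata, the LogoutRequest with its issuer URL and algorithm, and the function names are constructed for illustration; the script inspects the message and does not verify the signature cryptographically.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed samples: placeholder hosts from the thread, no real signature value.
IDP_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.com/">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<SingleLogoutService Location="https://idp.com/adfs/ls/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>'
    '<SingleLogoutService Location="https://idp.com/adfs/ls/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
)
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed" Version="2.0" '
    'Destination="https://idp.com/adfs/ls/"><saml:Issuer>https://test.com/sp</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '</ds:SignedInfo></ds:Signature></samlp:LogoutRequest>'
)

def slo_endpoints(metadata_xml):
    """Return {binding short name: Location} for each SingleLogoutService."""
    return {el.get("Binding").rsplit(":", 1)[-1]: el.get("Location")
            for el in ET.fromstring(metadata_xml).iter("{%s}SingleLogoutService" % NS["md"])}

def decode_saml_message(value):
    """Base64-decode a captured SAMLRequest; HTTP-Redirect payloads are raw DEFLATE, HTTP-POST plain XML."""
    raw = base64.b64decode(value)
    return raw if raw[:1] == b"<" else zlib.decompress(raw, -15)

def inspect_logout_request(saml_request, idp_metadata_xml):
    """Summarise what the SP sent, for comparison with what the IdP expects."""
    root = ET.fromstring(decode_saml_message(saml_request))
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination_in_metadata": root.get("Destination") in slo_endpoints(idp_metadata_xml).values(),
        # With HTTP-Redirect the signature travels in SigAlg/Signature query parameters.
        "embedded_signature": root.find("ds:Signature", NS) is not None,
        "signature_method": method.get("Algorithm") if method is not None else None,
    }

if __name__ == "__main__":
    print(inspect_logout_request(base64.b64encode(LOGOUT_REQUEST.encode()), IDP_METADATA))
```

Pass the SAMLRequest value exactly as captured by the browser tracer; the `signature_method` it reports is the value to compare with the algorithm the IdP expects for this relying party.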