【问题标题】:ADFS 2.0 SAML LogoutADFS 2.0 SAML 注销
【发布时间】:2016-04-14 15:07:53
【问题描述】:

这是从我的 SP 发送到 IDP 的 saml 注销请求,我没有收到任何错误,但是当我尝试重新登录到我的 SP 时,它仍然有我的 IDP cookie/会话。有人可以解释我在此 SAML 注销中做错了什么吗?

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                  ID="_47a182d3-2a7b-46e0-9461-22c636e00b96"
                  Version="2.0"
                  Destination="https://auth.catalystapi.com/adfs/ls"
                  IssueInstant="2016-04-14T10:47:51Z"
                  >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:7443/</saml2:Issuer>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
             Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             >msmith@catalystapi.com</saml:NameID>
<saml2p:SessionIndex>_f28d3fca-b2d6-4912-adf9-a9dde4565f0b</saml2p:SessionIndex>

<samlp:LogoutResponse ID="_d726a1e0-5863-4722-be66-e3109afa9cb8"
                  Version="2.0"
                  IssueInstant="2016-04-14T14:48:14.152Z"
                  Destination="https://auth.catalystapi.com/adfs/ls/?wa=wsignout1.0"
                  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                  InResponseTo="_47a182d3-2a7b-46e0-9461-22c636e00b96"
                  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  >
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://auth.CatalystApi.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_d726a1e0-5863-4722-be66-e3109afa9cb8">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>HXwA60Qo/Xnq9elhhPJVuiSsbbQ=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ekxYz56VU37Vv9RZsZQMFS6f3whrXCSS0iiiT1NTPQ0FPipNXGxpynmFqcxFdXt7d2/nodbo5rijW4Nwr8BcuDrH9HQ2GCjuD5h/tR5VLuVC00nOXxYp9hKM5veN7ReE+yN00oMsGcTCcaX5VHcckD/FvFxQRBGF2xhn6+eCwqGGmun7TwgLQS/fpNV8a/5D6F5tXJ2+tdmv3L+ubBC1u1tWYqcFqnGxJ8vp/mwnupiRjUU5QuyVk7wcOyBd2fJezJbGGTFQlWCa/NLLwIFleQdUkiyDPVuaPaZQPvqDXOF/WajJyZ2a4+q970CXcWeTOPEeYlXkDgFtnkT7fwgBMQ==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>MIIFcTCCBFmgAwIBAgIQc6hu9A3mqwdL/87ocNkm6jANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wgU0hBMjU2IENBIC0gRzIwHhcNMTYwMzIyMDAwMDAwWhcNMTcwMzIyMjM1OTU5WjAfMR0wGwYDVQQDDBRhdXRoLmNhdGFseXN0YXBpLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMYUuFzD854sBXzPl04TvoTi/wLJ8RGXY04h7pqyzYkK4jPUuk3FPIgERThBmrTEChxyq+J6YHCzjvdzmj2Fb1yQnVGJy6b5QYImk67aX4z5Fof1wsv6HBhd1wCMPh2dPi9qtMRSfI5XJkvuj+OmTdIVLF7IVA89EvgLHmDQECJ0Tx93HtRDHz3HtSOdA810I+jCNtilg+nBMT0a49Gec1M98aHOnLjMuOJKNOziPmrTozgEYVoasMPtCzeNo8nnyuEXDKp9q4fLHHl6AbuT3zxyaidGZdW7FVm+99mIN3DfuWpRmR5KW31UnoIWijks3j9LZCohEWAT3QFyrXUhigUCAwEAAaOCAn8wggJ7MB8GA1UdEQQYMBaCFGF1dGguY2F0YWx5c3RhcGkuY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2dzLnN5bWNiLmNvbS9ncy5jcmwwbwYDVR0gBGgwZjBkBgZngQwBAgEwWjAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMCwGCCsGAQUFBwICMCAMHmh0dHBzOi8vd3d3LnJhcGlkc3NsLmNvbS9sZWdhbDAfBgNVHSMEGDAWgBRM9L/oO77CJPMbRzu1bkiOFquvEjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2dzLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2dzLnN5bWNiLmNvbS9ncy5jcnQwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVOfuF8iAAAEAwBGMEQCIENSU7p3qQm9/Vp6IIOaa01Jd6PD58g3D80KAf9IT0f2AiAFKAkNqNARueVtTU8CeRqkEiHCDt/e95+SX0JV/EMm4AB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABU5+4XywAAAQDAEgwRgIhAPShrQkC+S1aFJbTGYiHr8kdAnnaEVzHm002HP5cav0qAiEA1tt46rdjt+qL7IkPdqR/CL0t6hcEiNojyEM/65FAlCAwDQYJKoZIhvcNAQELBQADggEBAC99MrUG3pREsM5j3/sOA1Q8wtThu+1Piu33auyQVaWO096r2TQeDCzVka1Y4czhaXvR/NZi2f/WaKn+/TrtKZL/qP2aQXbuWVLmuH6dKtNLFfgw4pF8a03qK2JBDydv6Agtj/V19Vs0fEcmYD9YusQKpcgNPEank6He10QVOUVDtAZKd94r0jEji2kE93BZK47CWJvZyh4/orFbbrs29fifmw6LGwgDZJx7SQVZwx2YceOcFnlVHOOIcX71QAP6amJRuM/NHxDtH3bF+nIsPg+ctkncPAD2mL7vRHzw0KFqGgE+kluNTbC7QkN2tiMiEvKgjOgFYHg3Gd9A1LEhyKo=</ds:X509Certificate>
        </ds:X509Data>
    </KeyInfo>
</ds:Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>

【问题讨论】:

    标签: saml adfs


    【解决方案1】:

    LogoutRequest/LogoutResponse 消息交换告诉 Idp (ADFS) 它应该终止其会话。 SP 负责终止它自己的会话。这通常通过在将带有LogoutRequest 的重定向/POST 返回到浏览器的同时擦除身份验证 cookie 来完成。

    【讨论】:

    • 这实际上是一个小问题,在 saml 端点上的 ADFS 设置上,但感谢您的回复
    • @MasonSmith 你能告诉我解决这个问题的解决方案或 ADFS 设置吗?
    猜你喜欢
    • 1970-01-01
    • 2020-04-23
    • 2013-09-10
    • 1970-01-01
    • 2011-10-01
    • 1970-01-01
    • 1970-01-01
    • 2021-12-12
    • 2018-07-04
    相关资源
    最近更新 更多