Hi, I am trying to set up a partnership with CA SSO as the IdP. SSO to my SP works fine, but SLO is broken; would somebody help with pinpointing this one?
I am getting "Name ID is invalid in the logout request. Issuer: SP:sp1" in smps.log.
I am also attaching a trace if it helps at all. Logout starts after the LOGOFF---- line.
I did not check the traces, but as per the error mentioned, I would check whether the NameID format in the SLO SAMLRequest is sent correctly and whether it is the same type as on the SP side:
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">myNameID</saml2:NameID>
I hope it helps!
Where should I look for this piece?
In the Partnership definition, check the Assertion Configuration options for the Name ID Format
Hi, both sites are "unspecified" type.
For the example that Albert gave above, we assumed you have the certificate setup done correctly. The NameID passed by the SP in any SAMLRequest must match whatever is defined in the IdP-side partnership. In an SP to IdP partnership for SAML 2.0, the SSO and SLO dialog now (from R12.52 SP1 CR6 onwards) includes a new field, Issuer Format, which specifies that the IdP identify itself in the assertion using the format selected for the Issuer. A CA Single Sign-On SP assumes that the IdP uses the entity identifier format by default when it returns the assertion. See this reference in the docops product guide:
Federation Changed Features - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
- Rgds, Vijay
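To make the NameID comparison described in the two replies above concrete, here is an added example (not part of this thread and not CA SSO code) that extracts the NameID from an IdP-issued assertion and from an SP's LogoutRequest and reports which parts differ. The two XML documents are constructed samples; the issuer "SP:sp1" and the host names are taken from the thread. It also covers the case the thread is in, where the SP's partnership is "unspecified": per SAML 2.0 core, a NameID with no Format attribute is treated as unspecified, so the check applies that default before comparing.

```python
"""Compare the NameID in a SAML 2.0 LogoutRequest with the NameID issued in
the assertion. Added example; it is not CA SSO's implementation, only the
comparison a practitioner can run against a captured assertion and a captured
SLO request to explain a "Name ID is invalid in the logout request" error."""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# SAML 2.0 core 2.2.3: a NameID without a Format attribute means "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the subject the IdP issued at SSO time (Format unspecified).
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
  <saml2:Issuer>http://host.example.com:88/affwebservices/public/saml2sso</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed sample: a LogoutRequest whose NameID Format does not match the
# assertion (X509SubjectName instead of unspecified), so the IdP rejects it.
LOGOUT_BAD = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_l1" Version="2.0" IssueInstant="2017-01-01T00:05:00Z">
  <saml2:Issuer>SP:sp1</saml2:Issuer>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">jdoe</saml2:NameID>
</saml2p:LogoutRequest>"""

# Constructed sample: same request with Format omitted; it defaults to
# unspecified and therefore matches the assertion.
LOGOUT_GOOD = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_l2" Version="2.0" IssueInstant="2017-01-01T00:05:00Z">
  <saml2:Issuer>SP:sp1</saml2:Issuer>
  <saml2:NameID>jdoe</saml2:NameID>
</saml2p:LogoutRequest>"""


def _name_id(xml_text, path):
    """Return the NameID at `path` as a dict of the fields that take part in
    NameID equality: value, Format (defaulted), NameQualifier, SPNameQualifier."""
    root = ET.fromstring(xml_text)
    el = root.find(path, NS)
    if el is None:
        raise ValueError("no NameID element at %s" % path)
    return {
        "value": (el.text or "").strip(),
        "format": el.get("Format", UNSPECIFIED),
        "name_qualifier": el.get("NameQualifier"),
        "sp_name_qualifier": el.get("SPNameQualifier"),
    }


def assertion_name_id(assertion_xml):
    return _name_id(assertion_xml, "saml2:Subject/saml2:NameID")


def logout_name_id(logout_xml):
    return _name_id(logout_xml, "saml2:NameID")


def logout_issuer(logout_xml):
    """The Issuer of the LogoutRequest, which is what smps.log reports."""
    root = ET.fromstring(logout_xml)
    el = root.find("saml2:Issuer", NS)
    return (el.text or "").strip() if el is not None else None


def check_logout(assertion_xml, logout_xml):
    """Return the list of NameID fields that differ between the assertion and
    the LogoutRequest. An empty list means the NameID is acceptable for SLO."""
    issued = assertion_name_id(assertion_xml)
    requested = logout_name_id(logout_xml)
    return [field for field in ("value", "format", "name_qualifier", "sp_name_qualifier")
            if issued[field] != requested[field]]


if __name__ == "__main__":
    for label, req in (("bad", LOGOUT_BAD), ("good", LOGOUT_GOOD)):
        mismatches = check_logout(ASSERTION, req)
        print("%s request from %s: %s" % (
            label, logout_issuer(req),
            "OK" if not mismatches else "mismatch in " + ", ".join(mismatches)))
```

Run it against the real assertion and the SLO SAMLRequest (base64-decoded, and inflated first if it came over HTTP-Redirect) to see which field the IdP is objecting to; in the thread's case, with both partnerships set to unspecified, the thing to look at is whether the SP puts a different Format on the LogoutRequest than it received in the assertion.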
I will just add that there is a "too many redirects" error when using HTTP-Redirect, or a POST loop when using HTTP-POST, on the SLO Service URLs in the Local IdP to SP partnership settings.
I have inserted http://sp1.examplesp.com:8989/webapp/logout.jsp as the Location URL. This is my remote SP; perhaps this is wrong? Should I put http://host.example.com:88/affwebservices/public/saml2slo, my local SiteMinder IdP, there instead?
Marek, yes. See below, from Federation Web Services URLs Used by the Product - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation:
This service implements single logout for SAML 2.0.
Default URL for this service: http://idp_server:port/affwebservices/public/saml2slo
Hi, I am confused:
If your federation system is at the remote SP, use the following URLs:
HTTP-Redirect binding: http://sp_host:port/affwebservices/public/saml2slo
HTTP-POST binding: http://sp_host:port/affwebservices/public/saml2slo
Hi, and when I add "http://idp_server:port/affwebservices/public/saml2slo" as the SLO Service URLs / Location URL,
I am getting:
"An error occurred during the logout process. Please close your browser."
in the user's browser.