Symantec Access Management


Name ID is invalid in the logout request. SLO

  • 1.  Name ID is invalid in the logout request. SLO

    Posted 02-01-2018 08:51 AM

    Hi, I am trying to set up a partnership with CA SSO as IdP. The SSO to my SP works fine, but SLO is broken; would somebody help with pinpointing this one?

    I am getting "Name ID is invalid in the logout request. Issuer: SP:sp1" in smps.log.

    I am also attaching trace if it helps at all. Logout starts after LOGOFF---- line.




  • 2.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-01-2018 08:59 AM

    Hi,

    I did not check the traces, but as per the error mentioned I would check if in the SLO SAMLRequest the NameID format is sent correctly, and if it is the same type as on the SP side:

    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">myNameID</saml2:NameID>

    I hope it helps!

    Albert



  • 3.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-01-2018 09:13 AM

    Where should I look for this piece?



  • 4.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-01-2018 09:50 AM

    Hi,

    In the Partnership definition, check the Assertion Configuration options for the Name ID Format.

    Best regards,

    Albert



  • 5.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-02-2018 02:16 AM

    Hi, both sites are "unspecified" type.



  • 6.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-02-2018 11:45 AM

    Marek,

    For the example that Albert gave above, we assumed you have the certificate setup done correctly. The NameID passed by the SP in any SAMLRequest must match whatever is defined in the IdP-side partnership. In an SP to IdP partnership for SAML 2.0, the SSO and SLO dialog now (from R12.52 SP1 CR6 onwards) includes a new field, Issuer Format, that specifies that the IdP identify itself in the assertion using the format selected for the Issuer. A CA Single Sign-On SP assumes by default that the IdP uses the entity identifier format when it returns the assertion. See this ref docops product guide:

    Federation Changed Features - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    - Rgds, Vijay
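    As an added illustration of the check Albert and Vijay describe (example code written for this thread, not part of the CA SSO product or of any post here), the following Python parses a SAML 2.0 LogoutRequest and compares its Issuer and its NameID value and Format against what the IdP recorded for the session at SSO time. The session record shape, the request ID and the user name are constructed; the Destination URL and Issuer are the ones mentioned in the thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed sample: what the IdP remembered about the user's session when the
# assertion was issued (hypothetical record shape, not the product's data model).
SESSION = {"sp_entity_id": "SP:sp1", "name_id": "marek", "name_id_format": UNSPECIFIED}

def parse_logout_request(xml_text):
    """Return (issuer, NameID value, NameID Format) from a samlp:LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:NameID", NS)
    if issuer is None or name_id is None:
        raise ValueError("LogoutRequest lacks Issuer or NameID")
    # SAML 2.0 core: an omitted Format attribute means 'unspecified'.
    fmt = name_id.get("Format", UNSPECIFIED)
    return (issuer.text or "").strip(), (name_id.text or "").strip(), fmt

def check_logout_request(xml_text, session):
    """IdP-side check: the Issuer must be the partner SP, and the NameID must match
    the issued assertion in both Format and value; otherwise reject the logout."""
    issuer, value, fmt = parse_logout_request(xml_text)
    if issuer != session["sp_entity_id"]:
        return "Unknown issuer: %s" % issuer
    if fmt != session["name_id_format"]:
        return "Name ID is invalid (Format %s, expected %s)" % (fmt, session["name_id_format"])
    if value != session["name_id"]:
        return "Name ID is invalid (value does not match session)"
    return "ok"

# Constructed LogoutRequest; ID and IssueInstant are made up for the example.
LOGOUT_TMPL = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
  IssueInstant="2018-02-01T08:51:00Z"
  Destination="http://host.example.com:88/affwebservices/public/saml2slo">
  <saml:Issuer>SP:sp1</saml:Issuer>
  <saml:NameID Format="{fmt}">{value}</saml:NameID>
</samlp:LogoutRequest>"""

def build_logout_request(value, fmt):
    return LOGOUT_TMPL.format(fmt=fmt, value=value)
```

    A Format mismatch between the two partnership definitions surfaces as the same "Name ID is invalid" outcome as a wrong value, which is why comparing both sides' Name ID Format settings is the first thing to check.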



  • 7.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-06-2018 01:47 AM
    Hi, my IdP is CA Single Sign-On, and the SP is some handcrafted Java thing. So on my side in CA SSO I have a local IdP, a remote SP, and a partnership from the local IdP to the remote SP.
    Indeed there is an Issuer Format when setting up SP to IdP, but not on the IdP to SP partnership that I am trying to set up.


  • 8.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-06-2018 05:35 AM

    I will just add that there is a "too many redirects" error when using HTTP-Redirect, or a POST loop when using HTTP-POST, on the SLO Service URLs in the local IdP to SP partnership settings.

    I have inserted http://sp1.examplesp.com:8989/webapp/logout.jsp as the Location URL. This is my remote SP; perhaps this is wrong? Should I put http://host.example.com:88/affwebservices/public/saml2slo there, my local SiteMinder IdP?



  • 9.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-06-2018 01:48 PM

    Marek, yes. See below, from Federation Web Services URLs Used by the Product - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation:

    Single Logout Service URL at the IdP (SAML 2.0)

    This service implements single logout for SAML 2.0.

    Default URL for this Service
    http://idp_server:port/affwebservices/public/saml2slo

    Rgds, Vijay



  • 10.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-06-2018 09:57 PM

    Hi, I am confused:

    https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/using/administrative-ui-help/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp

    SSO and SLO Dialog (SAML 2.0 IdP) / SLO (SAML 2.0 IdP) / SLO Service URLs

    If your federation system is at the remote SP, use the following URLs:
    HTTP-Redirect binding: http://sp_host:port/affwebservices/public/saml2slo
    HTTP-POST binding: http://sp_host:port/affwebservices/public/saml2slo



  • 11.  Re: Name ID is invalid in the logout request. SLO

    Posted 02-07-2018 02:08 AM

    Hi, and when I do add "http://idp_server:port/affwebservices/public/saml2slo" as the SLO Service URLs / Location URL, I am getting:

    "An error occurred during the logout process. Please close your browser."

    in the user's browser.