Symantec Access Management

 View Only

Tech Tip : CA Single Sign-On : Partial SLO - Federation with SalesForce as SP

  • 1.  Tech Tip : CA Single Sign-On : Partial SLO - Federation with SalesForce as SP

    Broadcom Employee
    Posted May 09, 2019 04:54 AM


    We're running Federation Services in Web Agent Option Pack and when
    the user "" tries to logout at SP side, the
    Federation Service returns message :




    How can we fix that ?




    The Policy server notes that there's a problem with the NameID from
    the SLO SAMLRequest :




    tunnel status: status=10&message=Name ID is invalid in the logout
    request. Issuer: SP:
    Session ID: 8UE3XMUCUtdasdas44smH0XJr79v+g=]


    Output Message: <LogoutResponse


    <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">myidp</ns1:


    And the Federation Services shows a SLO SAMLRequest which has an email
    address for the NameID value, and the format isn't specified.




    message received=


    [doPostImpl][SAML message received=<?xml version="1.0"

    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"



    [callSingleLogout][Tunnel result code: 1.]


    [handleLogout][ TUNNEL STATUS:
    status : 10
    message : Name ID is invalid in the logout request. Issuer:
    SP: Session ID: 8UE3XMUCdasddwdds4444EbtmH0XJr79v+g=]


    [sendLogoutMessageUsingPost][SLO Single Logout Service sending SAML SAMLResponse:





    According to OASIS documentation, the format for the e-mail address
    should be specified.




    8.3.2 Email Address
    URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as
    defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the form local-part@domain. Note
    that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded
    in parentheses) after it, and is not surrounded by "<" and ">".



    Configure the SP side to set the NameID format emailAddress.

    As per documentation, the SLO on the IDP relies exclusively on the 

    NameID, and it is the responsability of the SP side to send the NameID
    value the same as SP receives it from IDP in SAMLResponse after
    authentication. There's no mapping possible on the IDP side.




    Federation Deployment Considerations


    CA Single Sign-On Federation lets you configure account linking as
    part of the partnership configuration process. You specify a NameID
    format and Name ID type, which determines the type of value that
    defines the Name. You associate the specific Name ID type, with a
    static, user, or DN attribute from a user directory. The NameID that
    CA Single Sign-On Federation includes in the assertion conforms to the
    configuration you define.


    When the relying party receives the assertion, the user disambiguation
    process at BankLtd occurs. The process links the NameID value in the
    assertion to a record in its user store.



    5.3 Single Logout Profile


    The SP destroys the local authentication session state
    for the user and then sends the identity provider a
    SAML <LogoutRequest> message requesting that the user's session be
    logged out. The request identifies the principal to be logged out
    using a <NameID> element, as well as providing a <SessionIndex>
    element to uniquely identify the session being closed. The
    <LogoutRequest> message is digitally signed and then transmitted using
    the HTTP Redirect binding. The identity provider verifies that the
    <LogoutRequest> originated from a known and trusted service
    provider. The identity provider processes the request and destroys any
    local session information for the user.


    The identity provider returns a <LogoutResponse> message containing a
    suitable status code response to the original requesting service
    provider, The response is digitally signed and
    returned (in this case) using the HTTP Redirect binding.


    Additional Information:


    Set SAML Response Status Code Assertion




  Element <StatusCode>



    Used by a session authority to indicate to a session participant that
    it was not able to propagate the logout request to all other session



    KB : KB000131959