Layer 7 Access Management

Tech Tip : CA Single Sign-On : Partial SLO - Federation with SalesForce as SP


    Posted 05-09-2019 04:54 AM

    Issue:


    We're running Federation Services in the Web Agent Option Pack, and when
    the user "myuser@mydomain.com" tries to log out on the SP side, the
    Federation Service returns the message:

     

    urn:oasis:names:tc:SAML:2.0:status:PartialLogout

     

    How can we fix that?

     

    Cause:

     

    The Policy Server reports a problem with the NameID carried in the
    SLO SAMLRequest:

     

    smtracedefault.log

     

    [04/14/2019][09:47:59][140166165415680][09:47:59.033][1585b3fd-22baa45e-eceba4c1-2beb871b-394b5781-c70e][SAMLSingleLogoutInputMessage.java][verify][][][][][][][][][][][][][][Verify tunnel status: status=10&message=Name ID is invalid in the logout request. Issuer: SP:https://mysp.myspdomain.com Session ID: 8UE3XMUCUtdasdas44smH0XJr79v+g=]

     

    [04/14/2019][09:47:59][140166165415680][09:47:59.039][1585b3fd-22baa45e-eceba4c1-2beb871b-394b5781-c70e][SAMLSingleLogoutOutputMessage.java][marshal][][][][][][][][][][][][][][Output Message: <LogoutResponse Destination="https://myidp.myidpdomain.com/sp/saml2/logout"

    [...]

    <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">myidp</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/></StatusCode></Status>

     

    The Federation Services trace shows an SLO SAMLRequest whose NameID value
    is an email address but whose Format attribute is
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified rather than the
    emailAddress format.

     

    FWSTrace.log

     


    [04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java][doPostImpl][SAML message received=<?xml version="1.0" encoding="UTF-8"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://myidp.myidpdomain.com/affwebservices/public/saml2slo" [...]><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://mysp.myspdomain.com</saml:Issuer>

    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    myuser@mydomain.com
    </saml:NameID>

    <samlp:SessionIndex>8UE3XMUCUtnzQEdasdqwd44441+g=q0oVJg==
    </samlp:SessionIndex></samlp:LogoutRequest]

     

    [04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]

     

    [04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java][handleLogout][ TUNNEL STATUS:
    status : 10
    message : Name ID is invalid in the logout request. Issuer: SP:https://mysp.myspdomain.com Session ID: 8UE3XMUCdasddwdds4444EbtmH0XJr79v+g=]

     

    [04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java][sendLogoutMessageUsingPost][SLO Single Logout Service sending SAML SAMLResponse:

    <LogoutResponse

    [...]

    Value="urn:oasis:names:tc:SAML:2.0:status:Success"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/></StatusCode></Status></LogoutResponse>]

     

    According to the OASIS SAML 2.0 Core specification, a NameID whose value
    is an e-mail address should carry the emailAddress format.

     

    saml-core-2.0-os

     

    8.3.2 Email Address
    URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as
    defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the form local-part@domain. Note
    that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded
    in parentheses) after it, and is not surrounded by "<" and ">".

    http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

    Resolution:

     

    Configure the SP side (SalesForce) to send the NameID with the format
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    As per the documentation, SLO on the IdP relies exclusively on the
    NameID, and it is the responsibility of the SP side to send the NameID
    value exactly as the SP received it from the IdP in the SAMLResponse
    after authentication. No mapping is possible on the IdP side.

     

    ref.:

     

    Federation Deployment Considerations

     

    CA Single Sign-On Federation lets you configure account linking as
    part of the partnership configuration process. You specify a NameID
    format and Name ID type, which determines the type of value that
    defines the Name. You associate the specific Name ID type, with a
    static, user, or DN attribute from a user directory. The NameID that
    CA Single Sign-On Federation includes in the assertion conforms to the
    configuration you define.

     

    When the relying party receives the assertion, the user disambiguation
    process at BankLtd occurs. The process links the NameID value in the
    assertion to a record in its user store.

     

    https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-federation-in-your-enterprise/federation-deployment-considerations

     

    5.3 Single Logout Profile

     

    The SP sp1.example.com destroys the local authentication session state
    for the user and then sends the idp.example.org identity provider a
    SAML <LogoutRequest> message requesting that the user's session be
    logged out. The request identifies the principal to be logged out
    using a <NameID> element, as well as providing a <SessionIndex>
    element to uniquely identify the session being closed. The
    <LogoutRequest> message is digitally signed and then transmitted using
    the HTTP Redirect binding. The identity provider verifies that the
    <LogoutRequest> originated from a known and trusted service
    provider. The identity provider processes the request and destroys any
    local session information for the user.

     

    The identity provider returns a <LogoutResponse> message containing a
    suitable status code response to the original requesting service
    provider, sp1.example.com. The response is digitally signed and
    returned (in this case) using the HTTP Redirect binding.

     

    http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline


    Additional Information:

     

    Set SAML Response Status Code Assertion

     

    urn:oasis:names:tc:SAML:2.0:status:PartialLogout

     

    https://docops.ca.com/ca-api-gateway/8-3/en/policy-assertions/assertion-palette/message-validation-transformation-assertions/set-saml-response-status-code-assertion

     

    3.1.4.7.2 Element <StatusCode>

     

    urn:oasis:names:tc:SAML:2.0:status:PartialLogout

    Used by a session authority to indicate to a session participant that
    it was not able to propagate the logout request to all other session
    participants.

     

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samlpr/96b92662-9bf7-4910-ab16-e1c28bce962b

     

    KB : KB000131959