Issue:
We're running Federation Services in the Web Agent Option Pack and when
the user "myuser@mydomain.com" tries to log out on the SP side, the
Federation Service returns the message:
urn:oasis:names:tc:SAML:2.0:status:PartialLogout
How can we fix that?
Cause:
The Policy Server reports a problem with the NameID carried in the SLO
SAMLRequest:
smtracedefault.log
[04/14/2019][09:47:59][140166165415680][09:47:59.033][1585b3fd-22baa45e-eceba4c1-2beb871b-394b5781-c70e][SAMLSingleLogoutInputMessage.java][verify][][][][][][][][][][][][][][Verify tunnel status: status=10&message=Name ID is invalid in the logout request. Issuer: SP:https://mysp.myspdomain.com Session ID: 8UE3XMUCUtdasdas44smH0XJr79v+g=]
[04/14/2019][09:47:59][140166165415680][09:47:59.039][1585b3fd-22baa45e-eceba4c1-2beb871b-394b5781-c70e][SAMLSingleLogoutOutputMessage.java][marshal][][][][][][][][][][][][][][
Output Message: <LogoutResponse Destination="https://myidp.myidpdomain.com/sp/saml2/logout"
[...]
<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">myidp</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/></StatusCode></Status>
The Federation Services trace shows an SLO SAMLRequest whose NameID
value is an email address, but whose Format attribute is set to
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified rather than the
emailAddress format.
FWSTrace.log
[04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java][doPostImpl][SAML message received=<?xml version="1.0" encoding="UTF-8"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://myidp.myidpdomain.com/affwebservices/public/saml2slo"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://mysp.myspdomain.com</saml:Issuer>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
myuser@mydomain.com
</saml:NameID>
<samlp:SessionIndex>8UE3XMUCUtnzQEdasdqwd44441+g=q0oVJg==
</samlp:SessionIndex></samlp:LogoutRequest]
[04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SAMLTunnelClient.java][callSingleLogout][Tunnel result code: 1.]
[04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java][handleLogout][ TUNNEL STATUS:
status : 10
message : Name ID is invalid in the logout request. Issuer: SP:https://mysp.myspdomain.com Session ID: 8UE3XMUCdasddwdds4444EbtmH0XJr79v+g=]
[04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java][sendLogoutMessageUsingPost][SLO Single Logout Service sending SAML SAMLResponse:
<LogoutResponse
[...]
Value="urn:oasis:names:tc:SAML:2.0:status:Success"><StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/></StatusCode></Status>
</LogoutResponse>]
According to the OASIS documentation, a NameID that carries an e-mail
address should declare the emailAddress format:
saml-core-2.0-os
8.3.2 Email Address
URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as
defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the form local-part@domain. Note
that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded
in parentheses) after it, and is not surrounded by "<" and ">".
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Resolution:
Configure the SP side to set the NameID Format to
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
As per the documentation, SLO on the IdP relies exclusively on the
NameID, and it is the responsibility of the SP side to send the NameID
(format and value) exactly as the SP received it from the IdP in the
SAMLResponse after authentication. No mapping is possible on the IdP
side.
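The following is an added illustration, not code from the KB article or from the CA product: a minimal model of the check an IdP performs on an SLO LogoutRequest, comparing the request's NameID (Format and value) with the NameID it issued at login. The session table, SessionIndex value and the request builder are constructed for the example; the outcome mirrors the trace above, where a mismatched Format yields a nested PartialLogout status.

```python
# Added example (not from the KB article or the product): model the IdP-side
# NameID check that produced "Name ID is invalid in the logout request".
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

# Constructed sample: the NameID the IdP put in the assertion at login, keyed
# by SessionIndex (the index value is made up, not taken from the KB log).
SESSIONS = {
    "sess-1": {"format": EMAIL_FMT, "value": "myuser@mydomain.com"},
}

def logout_request(name_id_format: str) -> str:
    """Build a constructed <LogoutRequest> shaped like the FWSTrace.log one."""
    return (
        '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
        'Destination="https://myidp.myidpdomain.com/affwebservices/public/saml2slo">'
        "<saml:Issuer>https://mysp.myspdomain.com</saml:Issuer>"
        '<saml:NameID Format="%s">\nmyuser@mydomain.com\n</saml:NameID>'
        "<samlp:SessionIndex>sess-1</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    ) % (NS["samlp"], NS["saml"], name_id_format)

def check_slo(xml_text: str) -> list:
    """Return the StatusCode values (outermost first) for the <LogoutResponse>."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:NameID", NS)
    session_index = root.findtext("samlp:SessionIndex", namespaces=NS)
    session = SESSIONS.get(session_index or "")
    if session is None or name_id is None:
        return [STATUS_SUCCESS, STATUS_PARTIAL]
    # SAML core: a missing Format attribute means nameid-format:unspecified.
    fmt = name_id.get("Format", UNSPEC_FMT)
    value = (name_id.text or "").strip()
    # SLO relies exclusively on the NameID: both Format and value must match
    # what the IdP issued, because there is no mapping on the IdP side.
    if fmt != session["format"] or value != session["value"]:
        return [STATUS_SUCCESS, STATUS_PARTIAL]
    return [STATUS_SUCCESS]
```

Running check_slo on the request built with UNSPEC_FMT reproduces the nested Success/PartialLogout pair from the trace; the same request with EMAIL_FMT returns Success only.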
ref.:
Federation Deployment Considerations
CA Single Sign-On Federation lets you configure account linking as
part of the partnership configuration process. You specify a NameID
format and Name ID type, which determines the type of value that
defines the Name. You associate the specific Name ID type, with a
static, user, or DN attribute from a user directory. The NameID that
CA Single Sign-On Federation includes in the assertion conforms to the
configuration you define.
When the relying party receives the assertion, the user disambiguation
process at BankLtd occurs. The process links the NameID value in the
assertion to a record in its user store.
https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-federation-in-your-enterprise/federation-deployment-considerations
5.3 Single Logout Profile
The SP sp1.example.com destroys the local authentication session state
for the user and then sends the idp.example.org identity provider a
SAML <LogoutRequest> message requesting that the user's session be
logged out. The request identifies the principal to be logged out
using a <NameID> element, as well as providing a <SessionIndex>
element to uniquely identify the session being closed. The
<LogoutRequest> message is digitally signed and then transmitted using
the HTTP Redirect binding. The identity provider verifies that the
<LogoutRequest> originated from a known and trusted service
provider. The identity provider processes the request and destroys any
local session information for the user.
The identity provider returns a <LogoutResponse> message containing a
suitable status code response to the original requesting service
provider, sp1.example.com. The response is digitally signed and
returned (in this case) using the HTTP Redirect binding.
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline
Additional Information:
Set SAML Response Status Code Assertion
urn:oasis:names:tc:SAML:2.0:status:PartialLogout
https://docops.ca.com/ca-api-gateway/8-3/en/policy-assertions/assertion-palette/message-validation-transformation-assertions/set-saml-response-status-code-assertion
3.1.4.7.2 Element <StatusCode>
urn:oasis:names:tc:SAML:2.0:status:PartialLogout
Used by a session authority to indicate to a session participant that
it was not able to propagate the logout request to all other session
participants.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samlpr/96b92662-9bf7-4910-ab16-e1c28bce962b
KB: KB000131959