LogoutRequest NameID Format is Required? #220

Open
gcabrerap opened this issue Dec 22, 2020 · 1 comment
@gcabrerap

Hello guys,

We were doing an integration with ADFS; in the Logout section it could not end the session. Reviewing the ADFS logs, we found the following error:

Error message: MSIS7082: Unsolicited SAML logout response received.

Upon reviewing, we found that the "create_logout_request" function sends NameID as follows:

  xml = xmlbuilder.create({
    'samlp:LogoutRequest': {
      '@xmlns:samlp': XMLNS.SAMLP,
      '@xmlns:saml': XMLNS.SAML,
      '@ID': id,
      '@Version': '2.0',
      '@IssueInstant': (new Date()).toISOString(),
      '@Destination': destination,
      'saml:Issuer': issuer,
      'saml:NameID': name_id,
      'samlp:SessionIndex': session_index
    }
  }).end();

We made a change and the logout now completes fully:

  xml = xmlbuilder.create({
    'samlp:LogoutRequest': {
      '@xmlns:samlp': XMLNS.SAMLP,
      '@xmlns:saml': XMLNS.SAML,
      '@ID': id,
      '@Version': '2.0',
      '@IssueInstant': (new Date()).toISOString(),
      '@Destination': destination,
      'saml:Issuer': issuer,
      'saml:NameID':  {
        '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        '#text': name_id,
      },
      'samlp:SessionIndex': session_index
    }
  }).end();

Could you review it and add it in a future version?

Thanks...

@mcab
Member

mcab commented Feb 4, 2021

create_logout_request is called only by create_logout_request_url, which lets you specify options.name_id to set this value:

saml2/lib/saml2.coffee

Lines 677 to 680 in bd15dc9

  create_logout_request_url: (identity_provider, options, cb) =>
    identity_provider = { sso_logout_url: identity_provider, options: {} } if _.isString(identity_provider)
    options = set_option_defaults options, identity_provider.shared_options, @shared_options
    {id, xml} = create_logout_request @entity_id, options.name_id, options.session_index, identity_provider.sso_logout_url

saml2/lib/saml2.coffee

Lines 91 to 106 in bd15dc9

  create_logout_request = (issuer, name_id, session_index, destination) ->
    id = '_' + crypto.randomBytes( 21 ).toString( 'hex' )
    xml = xmlbuilder.create
      'samlp:LogoutRequest':
        '@xmlns:samlp': XMLNS.SAMLP
        '@xmlns:saml': XMLNS.SAML
        '@ID': id
        '@Version': '2.0'
        '@IssueInstant': (new Date()).toISOString()
        '@Destination': destination
        'saml:Issuer': issuer
        'saml:NameID': name_id
        'samlp:SessionIndex': session_index
    .end()
    {id, xml}

Is it possible to just define the format you want for the name_id there?

// From the example, not guaranteed to work:
app.get("/logout", function(req, res) {
  var options = {
    name_id: {
        "@Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "#text": user_session_name_id // somehow pulled from the user's session
    },
    session_index: session_index
  };

  sp.create_logout_request_url(idp, options, function(err, logout_url) {
    if (err != null)
      return res.send(500);
    res.redirect(logout_url);
  });
});
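An added example, not code from the issue or from the saml2 library: it shows how the plain-string and object forms of `options.name_id` end up in the LogoutRequest XML. `toXml` is an assumed minimal stand-in for xmlbuilder's `'@attr'` / `'#text'` object conventions, and the XML escaping is added here so a NameID read from a user session cannot inject markup into the request.

```javascript
// Added example, not from the issue or the saml2 library. toXml is a small
// stand-in for xmlbuilder's '@attr' / '#text' object conventions (assumption:
// enough to render this one element tree; it is not xmlbuilder itself).
const XMLNS = { SAMLP: 'urn:oasis:names:tc:SAML:2.0:protocol',
                SAML: 'urn:oasis:names:tc:SAML:2.0:assertion' };
const NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified';

// Escape text and attribute values so a NameID taken from a user session
// cannot inject markup into the LogoutRequest.
function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// '@x' keys become attributes, '#text' text content, other keys children.
function toXml(name, value) {
  if (value === null || typeof value !== 'object') {
    return `<${name}>${escapeXml(value)}</${name}>`;
  }
  let attrs = '';
  let inner = '';
  for (const [k, v] of Object.entries(value)) {
    if (k.startsWith('@')) attrs += ` ${k.slice(1)}="${escapeXml(v)}"`;
    else if (k === '#text') inner += escapeXml(v);
    else inner += toXml(k, v);
  }
  return `<${name}${attrs}>${inner}</${name}>`;
}

// The object form of options.name_id suggested in the issue.
function nameIdWithFormat(nameId, format = NAMEID_UNSPECIFIED) {
  return { '@Format': format, '#text': nameId };
}

// Same element layout as create_logout_request; nameId may be a plain string
// (no Format attribute) or the object form above (Format attribute emitted).
function buildLogoutRequest(issuer, nameId, sessionIndex, destination, id) {
  return toXml('samlp:LogoutRequest', {
    '@xmlns:samlp': XMLNS.SAMLP,
    '@xmlns:saml': XMLNS.SAML,
    '@ID': id,
    '@Version': '2.0',
    '@IssueInstant': new Date().toISOString(),
    '@Destination': destination,
    'saml:Issuer': issuer,
    'saml:NameID': nameId,
    'samlp:SessionIndex': sessionIndex,
  });
}
```

Calling `buildLogoutRequest` with `nameIdWithFormat(user_session_name_id)` in place of the bare string yields `<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">...</saml:NameID>`, the element the issue reports ADFS accepting.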
