GluuFederation / oxShibboleth

Shibboleth project for the Gluu Server's SAML IDP functionality.


'SAML2Logout' Relying party configuration availability

mzico opened this issue · comments


I think it's worth adding the 'SAML2Logout' RP config in v3. A screencast on how logout behaves in 3.1.4 + Shibboleth SP is shared here: https://youtu.be/u7pRM1NtKOg

Shibboleth SAML2Logout Configuration doc: https://wiki.shibboleth.net/confluence/display/IDP30/SAML2LogoutConfiguration

When I initiate a combined logout (SP logout URL + IdP logout) from the SP, this is what comes in idp-process.log:

2018-12-26 01:33:31,089 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:99] - Decoded RelayState: null
2018-12-26 01:33:31,090 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:131] - Base64 decoding and inflating SAML message
2018-12-26 01:33:31,091 - DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder:114] - Decoded SAML message
2018-12-26 01:33:31,092 - DEBUG [PROTOCOL_MESSAGE:127] - 
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest
    Destination="https://test314.gluu.org/idp/profile/SAML2/Redirect/SLO"
    ID="_074669f320c6ce76781c182648811181"
    IssueInstant="2018-12-26T09:33:30Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp1.gluu.org/shibboleth</saml:Issuer>
    <samlp:Extensions>
        <aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/>
    </samlp:Extensions>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://test314.gluu.org/idp/shibboleth"
        SPNameQualifier="https://sp1.gluu.org/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQxhzJwz9VbTiaAWIoKtujpAHQfR1cS6G2HDcZLzUOleVl0/3MYUwVpiEsTDTDUSFo9+BZMVGJRknAqmwkeT9KqyHrvVOiLCgS+D7uBPS4FDgrSfbeElpnxggpWyQcQf8EEoOsH</saml2:NameID>
    <samlp:SessionIndex>_ab7969aed5d79d88735956c5af9fd7ce</samlp:SessionIndex>
</samlp:LogoutRequest>

2018-12-26 01:33:31,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler' on INBOUND message context
2018-12-26 01:33:31,094 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,108 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.saml1.binding.impl.SAML1ArtifactRequestIssuerHandler' on INBOUND message context
2018-12-26 01:33:31,109 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,110 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler' on INBOUND message context
2018-12-26 01:33:31,110 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,114 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler' on INBOUND message context
2018-12-26 01:33:31,114 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,114 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver:162] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://sp1.gluu.org/shibboleth]
2018-12-26 01:33:31,114 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:590] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Attempting to filter candidate EntityDescriptors via resolved Predicates
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:612] - Metadata Resolver FilesystemMetadataResolver SiteSP1: After predicate filtering 1 EntityDescriptors remain
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:264] - Resolved 1 source EntityDescriptors
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:275] - Resolved 1 RoleDescriptor candidates via role criteria, performing predicate filtering
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:376] - Attempting to filter candidate RoleDescriptors via resolved Predicates
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:398] - After predicate filtering 1 RoleDescriptors remain
2018-12-26 01:33:31,115 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:144] - Message Handler:  org.opensaml.saml.common.messaging.context.SAMLMetadataContext added to MessageContext as child of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext
2018-12-26 01:33:31,116 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2018-12-26 01:33:31,116 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.LogoutRequestImpl'
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:130] - Message Handler:  Selecting default AttributeConsumingService, if any
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:186] - Resolving AttributeConsumingService candidates from SPSSODescriptor
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.metadata.support.AttributeConsumingServiceSelector:141] - AttributeConsumingService candidate list was empty, can not select service
2018-12-26 01:33:31,124 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:138] - Message Handler:  No AttributeConsumingService selected
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://sp1.gluu.org/shibboleth
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration EntityNames[https://sp1.gluu.org/shibboleth,] is applicable
2018-12-26 01:33:31,125 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:307] - Relying party configuration EntityNames[https://sp1.gluu.org/shibboleth,] is applicable
2018-12-26 01:33:31,126 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration EntityNames[https://sp1.gluu.org/shibboleth,] for request
2018-12-26 01:33:31,128 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout is not available for RP configuration EntityNames[https://sp1.gluu.org/shibboleth,] (RPID https://sp1.gluu.org/shibboleth)
2018-12-26 01:33:31,156 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
2018-12-26 01:33:31,157 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally
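The WARN from SelectProfileConfiguration above is the IdP saying that the relying-party configuration it selected for the SP has no profile bean for `http://shibboleth.net/ns/profiles/saml2/logout`, which is why the request ends in `InvalidProfileConfiguration`. The following script is an added example (not part of oxShibboleth or the Shibboleth project) that correlates that log line with `relying-party.xml`: it extracts the profile URI and RP id from the warning, then checks whether the override that applies to that RP (or the default RP bean) lists a `SAML2.Logout` profile configuration. It assumes the standard Shibboleth IdP v3 `relying-party.xml` layout (Spring `RelyingPartyByName` overrides with `c:relyingPartyIds`, profile beans under `profileConfigurations`); the log lines and both XML variants are constructed for the demo, modelled on the log in this issue.

```python
"""Check whether an RP rejected with 'profile not available' has SAML2.Logout
enabled in relying-party.xml. Sample log lines and XML are constructed."""
import re
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
C_RP_IDS = "{http://www.springframework.org/schema/c}relyingPartyIds"
SAML2_LOGOUT_PROFILE = "http://shibboleth.net/ns/profiles/saml2/logout"

# Shape of the WARN that SelectProfileConfiguration writes to idp-process.log
# when the selected RP configuration has no bean for the requested profile.
PROFILE_UNAVAILABLE = re.compile(
    r"Profile (?P<profile>\S+) is not available for RP configuration "
    r"\S+ \(RPID (?P<rpid>[^)]+)\)")


def find_unavailable_profiles(log_lines):
    """Return (profile URI, relying party id) for each rejected request."""
    hits = []
    for line in log_lines:
        m = PROFILE_UNAVAILABLE.search(line)
        if m:
            hits.append((m.group("profile"), m.group("rpid")))
    return hits


def _profile_parents(rp_bean):
    """Parent names of the beans listed under the RP's profileConfigurations."""
    parents = []
    for prop in rp_bean.findall(f"{{{BEANS_NS}}}property"):
        if prop.get("name") == "profileConfigurations":
            for child in prop.iter(f"{{{BEANS_NS}}}bean"):
                if child.get("parent"):
                    parents.append(child.get("parent"))
    return parents


def logout_profile_configured(relying_party_xml, rpid):
    """True if the configuration that applies to rpid lists SAML2.Logout.

    Mirrors the IdP's selection order: the first RelyingPartyByName override
    whose relyingPartyIds contains rpid wins, otherwise the default RP bean.
    Only plain comma-separated relyingPartyIds values are handled (no SpEL).
    """
    root = ET.fromstring(relying_party_xml)
    default_parents = []
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        if bean.get("id") == "shibboleth.DefaultRelyingParty":
            default_parents = _profile_parents(bean)
        elif bean.get("parent") == "RelyingPartyByName":
            ids = [i.strip() for i in (bean.get(C_RP_IDS) or "").split(",")]
            if rpid in ids:
                return "SAML2.Logout" in _profile_parents(bean)
    return "SAML2.Logout" in default_parents


def audit(log_lines, relying_party_xml):
    """RP ids whose SAML2 logout was rejected and still lack the profile bean."""
    still_broken = []
    for profile, rpid in find_unavailable_profiles(log_lines):
        if profile == SAML2_LOGOUT_PROFILE and not logout_profile_configured(
                relying_party_xml, rpid):
            still_broken.append(rpid)
    return still_broken


# Constructed sample log lines, modelled on the WARN entries in this issue.
SAMPLE_LOG = [
    "2018-12-26 01:33:31,128 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - "
    "Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout "
    "is not available for RP configuration EntityNames[https://sp1.gluu.org/shibboleth,] "
    "(RPID https://sp1.gluu.org/shibboleth)",
    "2018-12-26 01:33:31,156 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - "
    "A non-proceed event occurred while processing the request: InvalidProfileConfiguration",
]

# Constructed relying-party.xml: the override for sp1 with and without SAML2.Logout.
RP_XML_TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:util="http://www.springframework.org/schema/util">
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list><bean parent="SAML2.SSO" /></list>
        </property>
    </bean>
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp1.gluu.org/shibboleth">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" />
                    {extra}
                </list>
            </property>
        </bean>
    </util:list>
</beans>
"""
RP_XML_BEFORE = RP_XML_TEMPLATE.format(extra="")
RP_XML_AFTER = RP_XML_TEMPLATE.format(extra='<bean parent="SAML2.Logout" />')

if __name__ == "__main__":
    print("Still missing SAML2.Logout:", audit(SAMPLE_LOG, RP_XML_BEFORE))
    print("After adding the profile bean:", audit(SAMPLE_LOG, RP_XML_AFTER))
```

Run it against a real `idp-process.log` and `relying-party.xml` by replacing the constructed samples; an RP reported by `audit` needs `<bean parent="SAML2.Logout" />` added to the `profileConfigurations` of the override that matches its entityID (or of the default RP bean if no override applies).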

This should work in the new 3.1.5 build

Fixed