Partial SLO - Federation with SalesForce as SP

Article ID: 131959

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We're running Federation Services in the Web Agent Option Pack and when
the user "[email protected]" tries to log out at the SP side, the
Federation Service returns the message:

  urn:oasis:names:tc:SAML:2.0:status:PartialLogout

How can we fix that?

Cause

The Policy Server reports a problem with the NameID carried in the
SLO SAMLRequest:

smtracedefault.log 

[04/14/2019][09:47:59][140166165415680][09:47:59.033][1585b3fd-22baa45 
e-eceba4c1-2beb871b-394b5781-c70e][SAMLSingleLogoutInputMessage.java][ 
verify][][][][][][][][][][][][][][Verify 
tunnel status: status=10&message=Name ID is invalid in the logout 
request. Issuer: SP:https://mysp.myspdomain.com 
Session ID: 8UE3XMUCUtdasdas44smH0XJr79v+g=] 

[04/14/2019][09:47:59][140166165415680][09:47:59.039][1585b3fd-22baa45 
e-eceba4c1-2beb871b-394b5781-c70e][SAMLSingleLogoutOutputMessage.java] 
[marshal][][][][][][][][][][][][][][ 
Output Message: <LogoutResponse 
Destination="https://myidp.myidpdomain.com/sp/saml2/logout" 

[...]

<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">myidp</ns1: 
Issuer><Status><StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:Success"><StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/></StatusCode 
></Status>

The Federation Services trace shows an SLO SAMLRequest whose NameID
value is an email address, but whose Format attribute is the generic
"unspecified" format rather than the emailAddress format.

FWSTrace.log 

[04/14/2019][06:47:59][640][139882303522560][15ce7aef-27e7cc69-b417bc4 
8-56ee7b88-294b505d-c9ea][SLOService.java][doPostImpl][SAML 
message received= 

[04/14/2019][06:47:59][640][139882303522560]
[15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java]
[doPostImpl][SAML message received=<?xml version="1.0" 
encoding="UTF-8"?><samlp:LogoutRequest 
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
Destination="https://myidp.myidpdomain.com/affwebservices/public/saml2slo" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://mysp.myspdomain.com</saml:Issuer>

<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"> 
[email protected]
</saml:NameID>

<samlp:SessionIndex>8UE3XMUCUtnzQEdasdqwd44441+g=q0oVJg== 
</samlp:SessionIndex></samlp:LogoutRequest] 

[04/14/2019][06:47:59][640][139882303522560]
[15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SAMLTunnelClient.java]
[callSingleLogout][Tunnel result code: 1.]

[04/14/2019][06:47:59][640][139882303522560]
[15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java]
[handleLogout][ TUNNEL STATUS: 
status : 10 
message : Name ID is invalid in the logout request. Issuer: 
SP:https://mysp.myspdomain.com Session ID: 8UE3XMUCdasddwdds4444EbtmH0XJr79v+g=] 

[04/14/2019][06:47:59][640][139882303522560]
[15ce7aef-27e7cc69-b417bc48-56ee7b88-294b505d-c9ea][SLOService.java]
[sendLogoutMessageUsingPost][SLO Single Logout Service sending SAML SAMLResponse:

<LogoutResponse 

[...]

Value="urn:oasis:names:tc:SAML:2.0:status:Success"><StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/></StatusCode></Status>
</LogoutResponse>] 

According to the OASIS SAML Core specification, a NameID that carries
an email address should declare the emailAddress format.

saml-core-2.0-os 

  8.3.2 Email Address 
  URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 
  Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as 
  defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the form [email protected] Note 
  that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded 
  in parentheses) after it, and is not surrounded by "<" and ">". 

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf 
Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

Configure the SP side to send the NameID with the emailAddress format.

As per the documentation, SLO on the IdP relies exclusively on the
NameID, and it is the responsibility of the SP to send the NameID
value exactly as the SP received it from the IdP in the SAMLResponse
after authentication. No mapping is possible on the IdP side.
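As an added check (not part of the original article or of the SiteMinder product), the following Python script parses an SLO LogoutRequest and compares its NameID Format and value with what the IdP issued in the assertion, and walks the nested StatusCode chain of a LogoutResponse so that a PartialLogout nested under Success is not missed. The two SAML messages are constructed from the trace excerpts above; user@example.com, the message IDs and the SessionIndex are placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

# Constructed samples modelled on the FWSTrace.log / smtracedefault.log excerpts.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_req1" Version="2.0" IssueInstant="2019-04-14T06:47:59Z"
  Destination="https://myidp.myidpdomain.com/affwebservices/public/saml2slo">
  <saml:Issuer>https://mysp.myspdomain.com</saml:Issuer>
  <saml:NameID Format="{FMT_UNSPEC}">user@example.com</saml:NameID>
  <samlp:SessionIndex>constructed-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""
SAMPLE_LOGOUT_RESPONSE = f"""<LogoutResponse xmlns="{SAMLP}" ID="_rsp1" Version="2.0"
  IssueInstant="2019-04-14T06:47:59Z" InResponseTo="_req1"
  Destination="https://myidp.myidpdomain.com/sp/saml2/logout">
  <ns1:Issuer xmlns:ns1="{SAML}">myidp</ns1:Issuer>
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    <StatusCode Value="{PARTIAL_LOGOUT}"/></StatusCode></Status>
</LogoutResponse>"""

def _local(tag):  # '{uri}Name' -> 'Name', so prefixed and default-namespace XML both match
    return tag.rsplit("}", 1)[-1]

def check_logout_request_nameid(xml_text, expected_format, expected_value):
    """Flag a LogoutRequest NameID that differs from the one the IdP issued in the assertion."""
    root = ET.fromstring(xml_text)
    nameid = next((e for e in root.iter() if _local(e.tag) == "NameID"), None)
    if nameid is None:
        return ["LogoutRequest has no NameID element"]
    fmt = nameid.get("Format", FMT_UNSPEC)  # SAML Core: a missing Format means unspecified
    value = (nameid.text or "").strip()
    findings = []
    if fmt != expected_format:
        findings.append(f"NameID Format mismatch: got {fmt}, expected {expected_format}")
    if value != expected_value:
        findings.append(f"NameID value mismatch: got {value!r}, expected {expected_value!r}")
    return findings

def logout_response_status_chain(xml_text):
    """Return StatusCode values outermost first; a top-level Success may wrap a nested
    PartialLogout, which is the case in the LogoutResponse quoted above."""
    node = next((e for e in ET.fromstring(xml_text) if _local(e.tag) == "Status"), None)
    chain = []
    while node is not None:
        node = next((c for c in node if _local(c.tag) == "StatusCode"), None)
        if node is not None:
            chain.append(node.get("Value"))
    return chain
```

Run the request check with the format and value the IdP put in the assertion (here emailAddress); a non-empty finding list is the condition that produced the "Name ID is invalid in the logout request" tunnel status above.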

ref.: 

Federation Deployment Considerations 

CA Single Sign-On Federation lets you configure account linking as 
part of the partnership configuration process. You specify a NameID 
format and Name ID type, which determines the type of value that 
defines the Name. You associate the specific Name ID type, with a 
static, user, or DN attribute from a user directory. The NameID that 
CA Single Sign-On Federation includes in the assertion conforms to the 
configuration you define. 

When the relying party receives the assertion, the user disambiguation 
process at BankLtd occurs. The process links the NameID value in the 
assertion to a record in its user store. 

https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-federation-in-your-enterprise/federation-deployment-considerations 

5.3 Single Logout Profile 

The SP sp1.example.com destroys the local authentication session state 
for the user and then sends the idp.example.org identity provider a 
SAML <LogoutRequest> message requesting that the user's session be 
logged out. The request identifies the principal to be logged out 
using a <NameID> element, as well as providing a <SessionIndex> 
element to uniquely identify the session being closed. The 
<LogoutRequest> message is digitally signed and then transmitted using 
the HTTP Redirect binding. The identity provider verifies that the 
<LogoutRequest> originated from a known and trusted service 
provider. The identity provider processes the request and destroys any 
local session information for the user. 

The identity provider returns a <LogoutResponse> message containing a 
suitable status code response to the original requesting service 
provider, sp1.example.com. The response is digitally signed and 
returned (in this case) using the HTTP Redirect binding. 

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline 

Additional Information

Set SAML Response Status Code Assertion 

urn:oasis:names:tc:SAML:2.0:status:PartialLogout 

https://docops.ca.com/ca-api-gateway/8-3/en/policy-assertions/assertion-palette/message-validation-transformation-assertions/set-saml-response-status-code-assertion 

3.1.4.7.2 Element <StatusCode> 

urn:oasis:names:tc:SAML:2.0:status:PartialLogout 

Used by a session authority to indicate to a session participant that 
it was not able to propagate the logout request to all other session 
participants. 

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samlpr/96b92662-9bf7-4910-ab16-e1c28bce962b