
Partial SLO - Federation with SalesForce as SP


Article ID: 131959




CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On


Issue

We're running Federation Services in Web Agent Option Pack and when
the user "[email protected]" tries to log out at the SP side, the
Federation Service returns the message:


How can we fix that?


Cause

The Policy Server reports a problem with the NameID in the
SLO SAMLRequest:


tunnel status: status=10&message=Name ID is invalid in the logout 
request. Issuer: SP: 
Session ID: 8UE3XMUCUtdasdas44smH0XJr79v+g=] 

Output Message: <LogoutResponse 


<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">myidp</ns1: 

And the Federation Services log shows an SLO SAMLRequest whose NameID
value is an email address but which carries no Format attribute:


message received= 

[doPostImpl][SAML message received=<?xml version="1.0" 

<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
[email protected]


[callSingleLogout][Tunnel result code: 1.]

[handleLogout][ TUNNEL STATUS: 
status : 10 
message : Name ID is invalid in the logout request. Issuer: 
SP: Session ID: 8UE3XMUCdasddwdds4444EbtmH0XJr79v+g=] 

[sendLogoutMessageUsingPost][SLO Single Logout Service sending SAML SAMLResponse:




According to the OASIS documentation, the Format of a NameID that
holds an e-mail address should be specified:


  8.3.2 Email Address 
  URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 
  Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as 
  defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the form [email protected] Note 
  that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded 
  in parentheses) after it, and is not surrounded by "<" and ">". 


Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP


Resolution

Configure the SP side to set the NameID Format to emailAddress.

As per the documentation, SLO on the IDP relies exclusively on the
NameID, and it is the responsibility of the SP side to send the NameID
value exactly as the SP received it from the IDP in the SAMLResponse
after authentication. No mapping is possible on the IDP side.
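To make concrete what the IDP is checking, here is an added example (not CA SiteMinder or Salesforce code) that compares the NameID in an SP's LogoutRequest with the NameID the IDP issued in the assertion, flagging a missing Format attribute or a changed value; the XML messages, entity IDs, SessionIndex and user value are constructed.

```python
# Added illustration for this article, not Salesforce or CA SiteMinder code:
# compare the NameID an SP sends in its LogoutRequest with the NameID the
# IDP issued in the assertion. All XML below is constructed sample data.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# What the IDP put in the assertion at login time (constructed).
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:Issuer>myidp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FMT}">user@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# SP LogoutRequest with no Format attribute, as in the article's log
# (constructed; placeholder issuer and SessionIndex).
BAD_LOGOUT_XML = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Issuer>https://sp.example.invalid</saml:Issuer>
  <saml:NameID>user@example.com</saml:NameID>
  <samlp:SessionIndex>constructed-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# The same request carrying the Format the IDP issued, which is the fix.
GOOD_LOGOUT_XML = BAD_LOGOUT_XML.replace(
    "<saml:NameID>", f'<saml:NameID Format="{EMAIL_FMT}">')


def name_id(xml_text):
    """Return (value, Format) of the first saml:NameID, or (None, None).
    Parse SAML from an untrusted peer with defusedxml in production."""
    el = ET.fromstring(xml_text).find(f".//{{{SAML}}}NameID")
    if el is None:
        return None, None
    return (el.text or "").strip(), el.get("Format")


def check_logout_request(assertion_xml, logout_xml):
    """Reasons the IDP would reject the LogoutRequest NameID; [] means OK."""
    issued_value, issued_fmt = name_id(assertion_xml)
    req_value, req_fmt = name_id(logout_xml)
    problems = []
    if req_value != issued_value:
        problems.append("NameID value differs from the assertion's NameID")
    if req_fmt is None:
        problems.append("NameID has no Format attribute")
    elif req_fmt != issued_fmt:
        problems.append(f"NameID Format {req_fmt} != issued {issued_fmt}")
    return problems
```

Running check_logout_request(ASSERTION_XML, BAD_LOGOUT_XML) reports the missing Format, while the GOOD_LOGOUT_XML variant passes cleanly.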


Federation Deployment Considerations 

CA Single Sign-On Federation lets you configure account linking as 
part of the partnership configuration process. You specify a NameID 
format and Name ID type, which determines the type of value that 
defines the Name. You associate the specific Name ID type, with a 
static, user, or DN attribute from a user directory. The NameID that 
CA Single Sign-On Federation includes in the assertion conforms to the 
configuration you define. 

When the relying party receives the assertion, the user disambiguation 
process at BankLtd occurs. The process links the NameID value in the 
assertion to a record in its user store. 

5.3 Single Logout Profile 

The SP destroys the local authentication session state 
for the user and then sends the identity provider a 
SAML <LogoutRequest> message requesting that the user's session be 
logged out. The request identifies the principal to be logged out 
using a <NameID> element, as well as providing a <SessionIndex> 
element to uniquely identify the session being closed. The 
<LogoutRequest> message is digitally signed and then transmitted using 
the HTTP Redirect binding. The identity provider verifies that the 
<LogoutRequest> originated from a known and trusted service 
provider. The identity provider processes the request and destroys any 
local session information for the user. 

The identity provider returns a <LogoutResponse> message containing a
suitable status code response to the original requesting service
provider. The response is digitally signed and
returned (in this case) using the HTTP Redirect binding.

Additional Information

Set SAML Response Status Code Assertion 

Status code: urn:oasis:names:tc:SAML:2.0:status:PartialLogout
Element: <StatusCode>


Used by a session authority to indicate to a session participant that 
it was not able to propagate the logout request to all other session