ADFS returns a logout response with status code "urn:oasis:names:tc:SAML:2.0:status:Requester"

mor*_*ran 3 c# adfs http-post saml-2.0 asp.net-mvc-4

I am sending a SAML 2.0 logout request to ADFS and getting back a logout response with the status code "urn:oasis:names:tc:SAML:2.0:status:Requester".

I checked the NameID value and it is equal to the NameID in the Assertion. I don't see any errors in the ADFS logs.

This is my logout request:

<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" Destination="https://IDP_adfs.xxx.com/adfs/ls/" ID="id007471cfceb449239be1a6a48d28ae89" IssueInstant="2015-01-05T15:30:56.3978094Z">
<saml:Issuer>https://SP.xxx.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="#id007471cfceb449239be1a6a48d28ae89">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>GsF...t/uwM=</DigestValue>
  </Reference>
</SignedInfo>
<SignatureValue>qY5RIT/eT9Tgkg7dj...IPn/2STu7iepIQ==</SignatureValue>
<KeyInfo>
  <X509Data>
    <X509Certificate>MIIC5jCCAc...qAdOYsuKUgO9WNers=</X509Certificate>
  </X509Data>
</KeyInfo>
</Signature>
<saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</saml:NameID>
<samlp:SessionIndex>_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95</samlp:SessionIndex>
</samlp:LogoutRequest>

This is my logout response:

<?xml version="1.0"?>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_79573c99-c8d3-4ea3-8b53-e15551128318" Version="2.0" IssueInstant="2015-01-05T15:31:02.954Z" Destination="https://SP.xxx.com/Account/logout/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="id007471cfceb449239be1a6a48d28ae89">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_79573c99-c8d3-4ea3-8b53-e15551128318">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>B/badvPpTrEuKZsqOvBQM54CIJ8=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cWIEl5wY3...lIiQDltacRcjxyw==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
    <ds:X509Certificate>MIIC2jCCAcKgAwIBA...LmlI6oFWC3Lw=</ds:X509Certificate>
  </ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
</samlp:Status>
</samlp:LogoutResponse>

This is my SAML response:

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8b594b16-6505-4da6-9f4c-0d0d301bedb1" Version="2.0" IssueInstant="2015-01-05T14:25:40.241Z" Destination="https://SP.xxx.com/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d6df6a72-99de-4935-8153-0db0d6f4b3f6" IssueInstant="2015-01-05T14:25:40.241Z" Version="2.0">
<Issuer>http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>LUFxx...MY8=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>svLLi2ooLayZCvYCrZlDnLJAt2K7SzUcNSPS7m1Qlb1UUXZWoznd5gqusXRRrGazx6AVdnpcLgI6LVZ7xirOUBGpFxNZO7q/0zkyvzY7/lwhO4RTqtTHL2QlJTwapalWXZ9FCw0kTbmLgwgZaaqRUee5hE1kpDrIpusJXU9L9Abc/UBLZhAcstTaXDVUvCF/FH2dz2Kv9P07pV5Kcy0RvQWeJ5IkDZHefDYNsm+9Y+2V3kuPC4Ry54/7cxWc2DvDcYaKxht88/J2MA2kOqzF60Ty2Ka1hy1GpCviVO8X+SfWtgOpGcjj0NxJGSwqIcgF5PGXYfgR5sLF66xaY1t+9w==</ds:SignatureValue>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>MIIC2jCCAcKgA...lI6oFWC3Lw=</ds:X509Certificate>
    </ds:X509Data>
  </KeyInfo>
</ds:Signature>
<Subject>
  <NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52" NotOnOrAfter="2015-01-05T14:30:40.241Z" Recipient="https://SP.xxx.com/"/>
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-01-05T14:25:40.241Z" NotOnOrAfter="2015-01-05T15:25:40.241Z">
  <AudienceRestriction>
    <Audience>https://SP.xxx.com</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
    <AttributeValue>user@xxx.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user@xxx.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
    <AttributeValue>User User</AttributeValue>
  </Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-01-05T14:25:40.225Z" SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
  <AuthnContext>
    <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
  </AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>

I am sending the logout request and receiving the logout response over the HTTP-POST binding. According to the "urn:oasis:names:tc:SAML:2.0:status:Requester" status code there is a problem with my logout request, but unfortunately I can't find it.

pau*_*lem 5

urn:oasis:names:tc:SAML:2.0:status:Requester means that ADFS did not "like" the request and blames the source of the request. As Hans Z pointed out, there should be something in the ADFS logs and trace files. If there are no messages, check your ADFS patches and patch level.

Now to the problem in the messages above. For a logout there must be two correct identifiers: the NameID and the SessionIndex. Although you seem to have edited the XML, which makes anything I write speculative... the problem could be the SessionIndex.

In the Assertion: AuthnStatement@SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6", whereas the LogoutRequest/SessionIndex has the value _48b8991b-d3c4-4f8a-9c8b-a86e0a718c95.

I have not looked for other possible errors because you seem to have edited the XML. A validating parser would reject it for that reason and so miss other possible problems.
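Added example (not from the question or the answer): an SP-side check, in Python with only the standard library, that reads the NameID and SessionIndex out of the IdP's login Response and compares them with what a LogoutRequest carries, so a SessionIndex mismatch like the one above is caught before the request is sent. The abbreviated XML samples are constructed from the messages in the question, with signatures, conditions and attributes dropped; it does not handle EncryptedAssertion.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def session_from_response(response_xml):
    """NameID (value and Format) and SessionIndex the IdP asserted at login."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion not handled here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    if name_id is None or authn is None:
        raise ValueError("Assertion lacks NameID or AuthnStatement")
    return {"name_id": (name_id.text or "").strip(),
            "name_id_format": name_id.get("Format"),
            "session_index": authn.get("SessionIndex")}

def logout_request_fields(request_xml):
    """The same three fields as carried by an SP-built LogoutRequest."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    sidx = root.find("samlp:SessionIndex", NS)
    return {"name_id": (name_id.text or "").strip() if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "session_index": (sidx.text or "").strip() if sidx is not None else None}

def logout_mismatches(response_xml, request_xml):
    """Names of the fields where the LogoutRequest disagrees with the login assertion."""
    want = session_from_response(response_xml)
    have = logout_request_fields(request_xml)
    return [k for k in ("name_id", "name_id_format", "session_index") if want[k] != have[k]]

# Constructed samples modelled on the question's messages (signatures, Conditions,
# attributes and timestamps dropped; the IDs and SessionIndex values are the ones posted).
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
    <Subject><NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</NameID></Subject>
    <AuthnStatement SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6"/>
  </Assertion>
</samlp:Response>"""
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id007471cfceb449239be1a6a48d28ae89" Version="2.0">
  <saml:Issuer>https://SP.xxx.com</saml:Issuer>
  <saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</saml:NameID>
  <samlp:SessionIndex>_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```

Running logout_mismatches(RESPONSE, LOGOUT_REQUEST) on the samples reports only session_index, which is the discrepancy the answer points at; storing the asserted SessionIndex with the SP session at login and reusing it in the LogoutRequest makes the list empty.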