使用 ADFS IdP 进行单点注销的正确 LogoutRequest

Question

我成功使用 OneLogin java-saml 库进行 SAML SSO。但 Active Directory 联合身份验证服务 (ADFS) 的 SLO（单点注销）存在问题。该库创建的 LogoutRequest 被 ADFS 拒绝，但被 SimpleSAMLphp IdP 接受。我在创建 LogoutRequest 时通过了这两者nameId，并sessionIndex在响应中从 ADFS 接收到了这些信息。

以下是生成的请求和收到的响应：

验证请求：

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" Version="2.0" IssueInstant="2017-05-31T15:43:07Z" ProviderName="My Company Service Provider" Destination="https://wintest.mycompany.test/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://localhost:8443/builder/login_check_sso">
   <saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
   <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

回复：

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://localhost:8443/builder/login_check_sso" ID="_f5ea3a59-92f9-4b22-aaf0-36ed392df051" InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
      <Issuer>http://wintest.mycompany.test/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>FNwbMonYZBBvTXSRbCWP7WxZgPZPSCcCFZozok9eRK4=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>fG1SIq3azZfBFQ+5YBBruuCQ03sLIHJ/YpK/AAOYkyJKXEZ5+SvNLgl+8/3a6Tk8mabZmwmawoJRf5UPb+fNtk+CeeWJ7kiUYcb2uvB4ic7Qd4qB+OgfqK0qVCkn9FWGEODLXA6v4tXWBZfSnzDrHEg7xLHrngesSnffY3uyQvH/rm4G2Vjd59LUeUtpJo2X5ZjVuk4sT5r21+UxpNU9LX8z7hXAZHhD1o4d2dqAs21tAGoid3p0RgNDy1WWGh1WSjFLHPDh220ZIchRFKveJE3R9M9nTKtOFESQsYc6TfmhJ5+Xm/j0VY7vvdhgguyq4MKzcPFK6tBL7I8KREck/Q==</ds:SignatureValue>
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
            </ds:X509Data>
         </KeyInfo>
      </ds:Signature>
      <Subject>
         <NameID>hamilton1@mycompany.test</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" NotOnOrAfter="2017-05-31T15:48:10.158Z" Recipient="https://localhost:8443/builder/login_check_sso" />
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2017-05-31T15:43:10.158Z" NotOnOrAfter="2017-05-31T16:43:10.158Z">
         <AudienceRestriction>
            <Audience>http://localhost:4568/sso/saml/metadata</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>hamilton@mycompany.com</AttributeValue>
         </Attribute>
      </AttributeStatement>
      <AuthnStatement AuthnInstant="2017-05-31T12:18:50.194Z" SessionIndex="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
         <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
         </AuthnContext>
      </AuthnStatement>
   </Assertion>
</samlp:Response>

注销请求：

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
   <saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">hamilton1@mycompany.test</saml:NameID>
   <samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>

注销响应：

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1b3e8c81-2aba-45be-8fe6-54edda514d51" Version="2.0" IssueInstant="2017-05-31T15:43:24.808Z" Destination="https://localhost:8443/builder/logout_sso" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <ds:Reference URI="#_1b3e8c81-2aba-45be-8fe6-54edda514d51">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>NDfLVWPkh2/UCEbLQ6V97OK2u4pajv3aLB9cPs5JkSc=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>M1JaIz/AeJAh1bUzAUBrljch9EVOVA6K3lzuFDWwF0LtmXgcMEZV9Htp9owq5MNcOZ/mymBrKmndz1EDwDxwOCLjpvp5QX42G23dUCyYAGfQXE1Dzub7dsaTSlMWnkbh6fMLk/j5/fcLEi8vwXMInQv6isVpxnbYI+4ayQWOzo9QpfJBaromDDqVwbmkoT8lhRo06n32OAi8CtaAS2rjNqJyPfcnLp3jMpfg5Qh3wiKYnT6VkMpXw5ddVASByKlqzIRiuItwJsqF4JDDj+f2qgSdq6PaTgYpu8xnbFXTdOvDeg0ZgetQrnaZ07+5xLFLGI73feAWPUFPXwMHQ2THXA==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
            <ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
         </ds:X509Data>
      </KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
   </samlp:Status>
</samlp:LogoutResponse>

ADFS 上出现的错误是：The SAML Single Logout request does not correspond to the logged-in session participant.带有额外的错误描述：

User Action 
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.

应该修改 LogoutRequest 中的哪些内容才能实现注销？

Answer 1

好的，问题解决了。

正如您在 SAML 响应中看到的，我发布的NameID元素没有Format属性：

<Subject>
     <NameID>hamilton1@mycompany.test</NameID>
     ...
</Subject>

因此 ADFS 预计 Format 属性也将不存在LogouRequest。以下 LogoutRequests 会导致成功注销：

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
   <saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
   <saml:NameID>hamilton1@mycompany.test</saml:NameID>
   <samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>

如果我更改声明发布策略以使用以下规则将名称 ID 映射到 ADFS 中的电子邮件地址：

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

我收到以下 SAML 响应：

<Subject>
     <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">hamilton1@mycompany.test</NameID>
     ...
</Subject>

LogutRequest注销后发送<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">成功：

我正在使用版本 2.0.1 的 java-saml，所以我在 Java 中执行以下操作，因为LogoutRequest没有接受的构造函数nameIdFormat： https: //github.com/onelogin/java-saml/blob/v2.0.1 /core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java：

LogoutRequest logoutRequest = new LogoutRequest(settings, null, nameId, sessionIndex);
String samlRequestXml = logoutRequest.getLogoutRequestXml();
samlRequestXml = samlRequestXml.replaceAll(" Format=\".+\"", "");

计划添加LogoutRequest构造函数接受nameIdFormat作为参数。更多详细信息请参见https://github.com/onelogin/java-saml/issues/98。