Problems with invalid SessionIndex in Sign Out with SAML2 LogoutRequest

    Question

    Hi, I'm a developer and I have been trying for some days now to integrate my IdP with Office 365 using SAML 2.

    I have had success with the first steps for user logon; however, I have a lot of doubts about Sign Out (LogoutRequest) with the IdP-initiated flow, mainly related to the endpoints for Sign Out. For developing the logon, I followed the endpoints and configuration present in this metadata:

    https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

    For sending a LogoutRequest, the metadata gives the same URL as for login:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/login.srf"/>

    I create the LogoutRequest with the following data:

    <saml2p:LogoutRequest Destination="https://login.microsoftonline.com/login.srf"
                          ID="_263311dc-ce0a-21c3-90d3-2e1312cde124"
                          IssueInstant="2015-01-13T13:51:57.978Z"
                          Version="2.0"
                          xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://my-enterprise-configuration-value</saml2:Issuer>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                      SPNameQualifier="https://my-enterprise-configuration-value"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">my-configuration-name-id-in-o365</saml2:NameID>
        <!-- SessionIndex belongs to the SAML 2.0 protocol namespace, so it must use the
             saml2p prefix declared on the root element; an undeclared prefix such as
             "samlp" makes the document not well-formed and the element is not found -->
        <saml2p:SessionIndex>_session-index-generate-in-saml-response</saml2p:SessionIndex>
    </saml2p:LogoutRequest>

    PS: I also generate the same LogoutRequest with the Signature properties, but I get the same error (SessionIndex not present...).

    My biggest doubts are related to Destination, NameID Format and SPNameQualifier.

    What is the correct value of the Destination? I have seen elsewhere that I should set the Destination to https://login.microsoftonline.com/common/saml2; I also saw https://login.microsoftonline.com/<tenant-azure-id>/saml2.

    So, do I still have to send my POST request to https://login.microsoftonline.com/login.srf even though my Destination is one of the values mentioned above? Or should I send the POST to the same location as the Destination?

    The NameID Format is the same as in the SAMLResponse I uploaded (which I sent to Office 365).

    The SPNameQualifier already uses the same value set in Issuer (ImmutableID).

    PS2: the data sent in my POST are:

    SAMLRequest=nVLdSsMwFH6Vkvt0TWs3F9bCYAiFKerEC29GSE9roE1qTirz2bzwkXwF025DHajgTchJvvP9nGSBom3ijq9NbXp3C089oAtWflFaOGV0Rh6d65BPJo2plQ5bJa1BUzmjG6UhlKY93KCtSFCsMrKNp0nCWCmphEjQmMmEzqMyoTGwhMWyBBafeShiD4VGJ7TLSByxlEaMsuSOJTxlPJ2F89n5AwnuweJoJA4jEuzaRiPfu85IbzU3AhVyLVpA7iTfLC/X3EN5Z40z0jQkX4xwPgrarwy/EwhEsMMMSP7++nYcg9+2LxS0A9tZhUCl0ZWqezuOiz6LpofF5KviUf/KKxSr4MLYVrifpVnIxhNV0mqEcmiFapZlaQGRBJvrgeimF42qFNjPB/rTFvlXdk/7nWtAU+9OaWqSaXoMu4+XB2Pajm+8WY8udAm7fIv7yvf4ktagwZPBQDGgqU/WGY2HwZ00BweFk1+afwA=
    SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1

    RelayState=data_sended_for_microsoft_in_login_value

    Signature=UrlEncoded(Base64Encoded(SAMLRequest))&UrlEncoded(Base64Encoded(SigAlg))

    I also looked for the place to configure Sign Out for my application in Administrative Tools, but I did not find it.

    Thanks a lot!!!


    Thursday, February 08, 2018 9:59 AM
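The following is an added example, not code from the original post and not Microsoft's or any library's code. It builds a LogoutRequest with the SessionIndex in the protocol namespace (the post's XML uses an undeclared `samlp` prefix, which a strict parser rejects), runs the same checks a receiving party would apply, and shows how the SAMLRequest/RelayState/SigAlg query string of the HTTP-Redirect binding is assembled before signing. The issuer, NameID, session index and the `signer` callable are assumptions; a SHA-1 digest stands in for the RSA-SHA1 signature only so the block runs offline.

```python
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)


def build_logout_request(issuer, name_id, name_id_format, sp_name_qualifier,
                         session_index, destination, request_id, issue_instant):
    """Serialise a SAML 2.0 LogoutRequest. SessionIndex is a *protocol* element
    (saml2p), a sibling of Issuer/NameID directly under LogoutRequest."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "Destination": destination, "ID": request_id,
        "IssueInstant": issue_instant, "Version": "2.0"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    nid = ET.SubElement(root, f"{{{SAML}}}NameID",
                        {"Format": name_id_format, "SPNameQualifier": sp_name_qualifier})
    nid.text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def validate_logout_request(xml_text):
    """Return the problems a receiver would report; an empty list means OK."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. an undeclared prefix like samlp:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        problems.append(f"unexpected root element {root.tag}")
    if root.find(f"{{{SAML}}}Issuer") is None:
        problems.append("Issuer missing")
    if root.find(f"{{{SAML}}}NameID") is None:
        problems.append("NameID missing")
    if root.find(f"{{{SAMLP}}}SessionIndex") is None:
        problems.append("SessionIndex missing (must be in the saml2p namespace)")
    return problems


def encode_redirect_payload(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_payload(b64_text):
    return zlib.decompress(base64.b64decode(b64_text), -15).decode("utf-8")


def redirect_signing_input(saml_request_b64, relay_state, sig_alg):
    """The octets that get signed: URL-encoded SAMLRequest, RelayState (only if
    present) and SigAlg, joined with '&' in exactly this order. The signature
    is computed over this string, not over base64(SAMLRequest) alone."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)


def build_redirect_query(xml_text, relay_state, sig_alg, signer):
    """Full query string. `signer` (hypothetical) returns raw signature bytes
    over the signing input; in production that is RSA-SHA1 with the IdP key."""
    to_sign = redirect_signing_input(encode_redirect_payload(xml_text), relay_state, sig_alg)
    sig_b64 = base64.b64encode(signer(to_sign.encode("utf-8"))).decode("ascii")
    return f"{to_sign}&Signature={quote(sig_b64, safe='')}"


# Constructed sample mirroring the post's mismatch: the samlp prefix is never declared.
BROKEN_REQUEST = """<saml2p:LogoutRequest ID="_r1" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</saml2p:LogoutRequest>"""

if __name__ == "__main__":
    req = build_logout_request(
        "https://idp.example.test", "user@example.test",            # assumed values
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "https://idp.example.test", "_sess1",
        "https://login.microsoftonline.com/login.srf", "_r1", "2015-01-13T13:51:57.978Z")
    print("well-formed request problems:", validate_logout_request(req))
    print("broken request problems:", validate_logout_request(BROKEN_REQUEST))
    stand_in_signer = lambda data: hashlib.sha1(data).digest()  # NOT a real signature
    print(build_redirect_query(req, "relay123", "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                               stand_in_signer)[:120], "...")
```

Note that the metadata in the post advertises an HTTP-POST SingleLogoutService; with that binding the request is sent as a form field, not compressed into the query string, and the signature is an enveloped XML Signature inside the LogoutRequest rather than the SigAlg/Signature parameters shown above.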