ADFS Sign Out and 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal'

  • Question

  • I'm receiving an infrequent sign out error of:

    MSIS0001: The status code references a top-level status code value 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal' that is not valid. Parameter name: statusCode. 

    This occurs because the relying party has a session timeout of 20 minutes but ADFS is 2 hours. The user sits inactive on the relying party for longer than 20 minutes and then clicks sign out. ADFS then tries to perform a federated sign out and sends a sign out request to the relying party. Since the user no longer has an active session, the RP responds with 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal'.

    The RP is incorrectly returning 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal' as the top level status code, which is invalid according to the SAML spec.  That should be a second level status code. 

    Question: If the RP was returning a valid top level status code and 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal' as a second level status code, how would ADFS react? Would it throw an error or just swallow that message and continue signing the user out of applications?

    Thursday, May 17, 2012 4:14 PM

Answers

  • I just tried it with a valid top-level status code (urn:oasis:names:tc:SAML:2.0:status:Responder) and it logged a different exception to the event log:

    Microsoft.IdentityServer.Web.PartialSingleSignOutException: MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.

    Wednesday, May 4, 2016 5:18 PM
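As an added illustration (not code from the thread or from ADFS), a small Python checker that walks the nested <samlp:StatusCode> chain of a SAML LogoutResponse and flags a second-level code such as UnknownPrincipal appearing at the top level, which is the malformed shape described in the question; the two sample responses are constructed for this example, and the "fixed" one is the Responder/UnknownPrincipal nesting the accepted answer tested.

```python
"""Validate the <samlp:Status> of a SAML 2.0 LogoutResponse.

SAML 2.0 Core allows only four values in the top-level <samlp:StatusCode>:
Success, Requester, Responder and VersionMismatch. Second-level codes such as
UnknownPrincipal must be nested inside one of those, never placed on top.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
TOP_LEVEL = {PREFIX + c for c in ("Success", "Requester", "Responder", "VersionMismatch")}


def status_codes(logout_response_xml: str) -> list[str]:
    """Return the chain of StatusCode Values, outermost first."""
    root = ET.fromstring(logout_response_xml)
    node = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    chain = []
    while node is not None:
        chain.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP}}}StatusCode")  # nested second-level code, if any
    return chain


def check_status(logout_response_xml: str) -> tuple[bool, str]:
    """(well_formed, explanation): rejects responses whose top-level code is not allowed."""
    chain = status_codes(logout_response_xml)
    if not chain:
        return False, "no StatusCode present"
    if chain[0] not in TOP_LEVEL:
        return False, f"top-level status code {chain[0]!r} is not valid"
    if chain[0] == PREFIX + "Success":
        return True, "logout succeeded"
    return True, "logout failed at partner: " + " > ".join(chain)


def logout_response(*codes: str) -> str:
    """Constructed sample LogoutResponse carrying the given nested StatusCode chain."""
    inner = ""
    for code in reversed(codes):
        inner = f'<samlp:StatusCode Value="{code}">{inner}</samlp:StatusCode>'
    return (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_constructed" Version="2.0" '
            f'IssueInstant="2012-05-17T16:14:00Z"><samlp:Status>{inner}</samlp:Status>'
            '</samlp:LogoutResponse>')


# The shape the RP in the thread returned: UnknownPrincipal at the top level (invalid).
BROKEN = logout_response(PREFIX + "UnknownPrincipal")
# The spec-compliant shape: Responder on top, UnknownPrincipal nested beneath it.
FIXED = logout_response(PREFIX + "Responder", PREFIX + "UnknownPrincipal")

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_status(doc))
```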

All replies

  • I think it would depend entirely on what the 'valid' top level status code was. I'm not entirely familiar with how ADFS handles multiple levels of response codes, but if it succeeds at the top level, but fails below, it should throw an exception.

    Developer Security MVP | www.syfuhs.net

    Friday, May 18, 2012 6:04 PM