ADFS - logout not completing as expected

  • Last Post 17 December 2015
Tony posted this 04 December 2015

Hi all

I am working with a customer doing a PoC with accessing SAP CRM via ADFS and the Web Application Proxy. Everything seems to be working well apart from the logout. Basically, it looks like the authentication token is not destroyed as part of the logout. Users can use the "back" option in their browser without having to re-authenticate.

I have been looking through the ADFS trace and it looks like this:

LogoutRequest: Id='S005056a0-0ff5-1ee5-a6c0-b87669fb3cc0' : Signature is present
LogoutRequest: Id='S005056a0-0ff5-1ee5-a6c0-b87669fb3cc0' : Message received using binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
Processing LogoutRequest: Id='S005056a0-0ff5-1ee5-a6c0-b87669fb3cc0', Issuer='CONTOSO'
PassiveProtocolReturnUrlValidator.ApplyUrlMapping inputs: SrcUri: https://crm.contoso.com/sap/saml2/sp/slo/300, oldUri: https://crm.contoso.com/, newUri: https://crm.contoso.com/
PassiveProtocolReturnUrlValidator.ApplyUrlMapping: Mapping succeeded, returning https://crm.contoso.com/sap/saml2/sp/slo/300
LogoutResponse: Id='42544970-ced3-4036-8ea8-9a40b5efcae0', InResponseTo='S005056a0-0ff5-1ee5-a6c0-b87669fb3cc0', Status='urn:oasis:names:tc:SAML:2.0:status:Success' : Response created
LogoutResponse: Id='42544970-ced3-4036-8ea8-9a40b5efcae0' : Sending message to '<null>' using binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
EXIT: PassiveProtocolListener.ProcessProtocolRequest

I am surprised to see the "<null>" highlighted above. I would have expected to see the URL corresponding to the configured logout endpoint (dumped below):

Binding          : POST
BindingUri       : urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Index            : 0
IsDefault        : True
Location         : https://crm.contoso.com/sap/saml2/sp/acs/300
Protocol         : SAMLAssertionConsumer
ResponseLocation :

Binding          : Artifact
BindingUri       : urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
Index            : 1
IsDefault        : False
Location         : https://crm.contoso.com/sap/saml2/sp/acs/300
Protocol         : SAMLAssertionConsumer
ResponseLocation :

Binding          : POST
BindingUri       : urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Index            : 0
IsDefault        : False
Location         : https://crm.contoso.com/sap/saml2/sp/slo/300
Protocol         : SAMLLogout
ResponseLocation :

Binding          : Redirect
BindingUri       : urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Index            : 0
IsDefault        : False
Location         : https://crm.contoso.com/sap/saml2/sp/slo/300
Protocol         : SAMLLogout
ResponseLocation :

Any thoughts on what might be going on here?

Tony
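The exchange in the trace above (an SP-initiated LogoutRequest over HTTP-Redirect, ADFS answering with a LogoutResponse whose InResponseTo matches and whose Status is Success) together with the step the service provider must then perform, destroying its own session, as an added example. This is not SAP or ADFS code. The SP entity ID CONTOSO and the SLO endpoint https://crm.contoso.com/sap/saml2/sp/slo/300 are taken from the post; the ADFS entity ID and endpoint, the IssueInstant values, the user name and all message IDs are constructed for the example. Signature verification is deliberately left out so the block runs offline.

```python
"""SP-side SAML 2.0 Single Logout over the HTTP-Redirect binding (added example)."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "CONTOSO"                                        # Issuer from the trace
SP_SLO_URL = "https://crm.contoso.com/sap/saml2/sp/slo/300"     # SP SAMLLogout endpoint from the post
IDP_SLO_URL = "https://adfs.contoso.com/adfs/ls/"               # assumed ADFS endpoint (constructed)
IDP_ENTITY_ID = "http://adfs.contoso.com/adfs/services/trust"   # assumed ADFS entity ID (constructed)


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def redirect_decode(b64):
    """Inverse of redirect_encode: base64, then raw inflate."""
    return zlib.decompress(base64.b64decode(b64), -15).decode()


class ServiceProvider:
    """Holds the SP's local sessions (SAP's 'logon ticket') and outstanding logout requests."""

    def __init__(self):
        self.sessions = {}          # session cookie value -> NameID
        self.pending_logouts = {}   # LogoutRequest ID -> session cookie value

    def login(self, name_id):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = name_id
        return cookie

    def is_authenticated(self, cookie):
        return cookie in self.sessions

    def start_logout(self, cookie):
        """Build the SP-initiated LogoutRequest and the redirect URL that carries it to the IdP."""
        req_id = "_" + secrets.token_hex(16)
        xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="2015-12-04T10:00:00Z" '
               f'Destination="{IDP_SLO_URL}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
               f'<saml:NameID>{self.sessions[cookie]}</saml:NameID></samlp:LogoutRequest>')
        self.pending_logouts[req_id] = cookie
        return IDP_SLO_URL + "?" + urlencode({"SAMLRequest": redirect_encode(xml)})

    def finish_logout(self, response_url):
        """Consume the IdP's LogoutResponse. Returns True only if a local session was destroyed."""
        qs = parse_qs(urlparse(response_url).query)
        root = ET.fromstring(redirect_decode(qs["SAMLResponse"][0]))
        in_response_to = root.get("InResponseTo")
        destination = root.get("Destination")
        status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
        # Reject unsolicited or replayed responses: InResponseTo must name a request we still hold.
        if in_response_to not in self.pending_logouts:
            return False
        # If the IdP did state a Destination (the trace shows ADFS may not), it must be our endpoint.
        if destination is not None and destination != SP_SLO_URL:
            return False
        cookie = self.pending_logouts.pop(in_response_to)
        if status != STATUS_SUCCESS:
            return False
        # The step this thread is about: the SP must drop its own logon ticket, or the browser's
        # "back" button keeps working with the old cookie.
        self.sessions.pop(cookie, None)
        return True


def idp_logout_response(request_url, destination=SP_SLO_URL):
    """Stand-in for the IdP: decode the LogoutRequest and answer it with Status Success."""
    qs = parse_qs(urlparse(request_url).query)
    req = ET.fromstring(redirect_decode(qs["SAMLRequest"][0]))
    xml = (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="2015-12-04T10:00:01Z" '
           f'InResponseTo="{req.get("ID")}" Destination="{destination}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
           f'</samlp:LogoutResponse>')
    return destination + "?" + urlencode({"SAMLResponse": redirect_encode(xml)})


def demo():
    """Full round trip; returns (logout handled, old cookie still accepted)."""
    sp = ServiceProvider()
    cookie = sp.login("tony@contoso.com")            # constructed user
    response_url = idp_logout_response(sp.start_logout(cookie))
    handled = sp.finish_logout(response_url)
    return handled, sp.is_authenticated(cookie)      # a correct SP returns (True, False)
```

`demo()` is the check for the symptom in the post: after a Success LogoutResponse the original cookie must be refused. A production SP additionally has to verify the XML signature on the LogoutResponse (the trace shows ADFS signs these messages) before acting on it; the pending-request and Destination checks here do not replace that.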
 

ZJORZ posted this 04 December 2015

Are you using SQL or WID for ADFS? SQL supports token replay-detection and artifact resolution, WID does not.

Kind regards,
Jorge de Almeida Pinto


TonyFE posted this 04 December 2015

WID. ::sigh::

Simple as that then?

Sent from Outlook Mail for Sinclair ZX81


ZJORZ posted this 04 December 2015

Unfortunately, yes sir. However... if you want, you can go to WID (install management tools first) by backing up the DBs (config and artifact), then restoring the DBs in SQL, then changing the connection strings in ADFS for the config DB (on every ADFS server) and the artifact DB (on the primary ADFS server only).

Kind regards,
Jorge de Almeida Pinto


joe posted this 04 December 2015

Jorge, are you sure this is a token replay issue and not an issue with SLO simply failing to log out this RP? I can't really tell from the trace Tony provided. Tony, if you can email me a Fiddler trace I might be able to provide a more useful response.
Definitely not suggesting that WID supports token replay detection...
Tony, maybe you could also provide the details on the protocol binding endpoints for the RP in the ADFS config.
Joe K.



kool posted this 09 December 2015

Another thing to consider is the use of alternate Claims Trust Providers. If you are just using AD as your ADFS claims trust provider, then never mind. However, in our case we have configured our Shibboleth IdP as a claims trust provider. This results in clients getting two auth cookies for each login, one from ADFS specific to the RP, the second from Shib that is not RP specific. SLO does not work in this case because the Shib cookie persists (up to the configured 8 hour lifetime).

The general consensus is that if you really want a good logoff, close the browser so it dumps all session cookies. Unfortunately even this is unreliable as some browsers (cough, Firefox) restore unexpired cookies on restart as a feature. The workaround for that is to close all tabs before closing the browser or use a private browser session. You could also explicitly delete cookies but that has the downside of dumping all of your site preference cookies.

FWIW,

    Eric

 


Tony posted this 17 December 2015

It turns out the issue was with the SAP CRM system. It was a known issue fixed in recent SPs. Here's the SAP Note reference (can't find a public link to it).

2186386 - Logon ticket is not deleted on SAMl 2.0 logoff

After applying the update it works like a charm.

That's a couple of days of my life I'll never have back again 😊

Next step is to move the customer off WID.

Tony


ZJORZ posted this 17 December 2015

Does this link describe your issue? http://www.erpchamps.com/logon-ticket-not-deleted-saml-20-logoff/

Kind regards,
Jorge de Almeida Pinto


robertsingers posted this 17 December 2015

On 18 December 2015 at 09:03, Tony Murray <tony@xxxxxxxxxxxxxxxx> wrote:



Tony posted this 17 December 2015

Hi Jorge

Yup, that's the one. Not an official SAP site by the look of it.

Tony
