Logout Error after SAML Config Update

By: Carl Schmitt user 14 Jul 2015 at 12:43 p.m. CDT

9 Responses
Carl Schmitt gravatar
Brief Summary: - Edit a SAML trust relationship - Enter a URL in the "SP Logout URL (optional)" field - click "Update" Everytime from now on when you click on "Logout" [though the first logout may work fine], you get the following message: {"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, or is otherwise malformed."} Removing the URL / deleting the trust does nothing to resolve the issue. Full Steps to reproduce - fresh install of ubuntu-14.04.2-server-amd64 on a VM with 8gb of ram - apt-get update - apt-get upgrade - apt-get dist-upgrade - restart - echo "deb http://repo.gluu.org/ubuntu/ trusty main" > /etc/apt/sources.list.d/gluu-repo.list - curl http://repo.gluu.org/ubuntu/gluu-apt.key | apt-key add - - apt-get update - apt-get install gluu-server (for 2.3.1-1 OR apt-get install gluu-server=2.1-0 for another version) - service gluu-server start - service gluu-server login - cd /install/community-edition-setup/ - ./setup.py - The following was even tried with the wget https://github.com/GluuFederation/community-edition-setup/archive/master.zip file <pre> hostname carlgluu.test orgName The Org os ubuntu city Front Royal state VA countryCode US support email cschmitt@setonhome.org tomcat max ram 1536 Admin Pass F2wLc8UYWyHF Modify Networking True Install oxAuth True Install oxTrust True Install LDAP True Install Apache 2 web server True Install Shibboleth 2 SAML IDP True Install Asimba SAML Proxy True Install CAS False </pre> - login to https://carlgluu.test [this has been added to the local computer hosts file] - click "SAML" - click "Trust Relationships" - click "Add Relationship" - under Trust Agreement - Display Name: carlsp - Description: carlsp - Metadata Type: Generate - URL: https://carlsp.test - click "Add" - click "Logout" - Everything is fine - you can reboot / etc and login / logout all day - login to https://carlgluu.test - click "SAML" - click "Trust Relationships" - click "carlsp" - Enter https://carlsp.test in the "SP Logout URL (optional)" field - click "Update" Everytime from now on when you click on "Logout" [though the first logout may work fine], you get the following message: {"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, or is otherwise malformed."} Clearing the "SP Logout URL (optional)" field doesn't fix the problem Deleting the trust doesn't solve the problem Rebooting doesn't solve the problem
None
closed

Answers

By Carl Schmitt user 14 Jul 2015 at 12:45 p.m. CDT

Copy
Carl Schmitt gravatar
Is there a file I can edit to make the error go away?

By Aliaksandr Samuseu staff 15 Jul 2015 at 11:18 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Carl. Could you please go into more details about this part: > apt-get install gluu-server (for 2.3.1-1 OR apt-get install gluu-server=2.1-0 for another version) Does that mean you have tried these steps with several versions of Gluu, and issue was reproduced for all of them? Regards, Alex.

By Carl Schmitt user 15 Jul 2015 at 11:21 a.m. CDT

Copy
Carl Schmitt gravatar
That is correct, I tried it with both versions. I am really trying to get this up and running.

By Carl Schmitt user 15 Jul 2015 at 11:30 a.m. CDT

Copy
Carl Schmitt gravatar
<p>Basically, I did this and killed what we were going to use for prod. It took me a while to figure out exactly what I did that caused the error. I have the ability to edit config files and also modify ldap settings. I was hoping someone could tell me what to edit where to make this error go away.

By Aliaksandr Samuseu staff 15 Jul 2015 at 12:53 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
Carl, we were able to reproduce it, so it will be reported as a bug to dev team. We will continue investigating its nature and I will make you know if some way to roll back your configuration to operational state will be found.

By Carl Schmitt user 15 Jul 2015 at 12:55 p.m. CDT

Copy
Carl Schmitt gravatar
I updated the url in LDAP (o=gluu->o=@![the id]->ou=clients->inum=@![the other id]->oxAuthPostLogoutRedirectURI=https://carlgluu.test/identity/authentication/finishlogout) It looks like that field is modified every time ANY SP Logout URL is updated

By Aliaksandr Samuseu staff 15 Jul 2015 at 4:26 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
Yes, it worked. Thank you for sharing your findings with us, we'll try to make it fixed asap.

By Carl Schmitt user 22 Jul 2015 at 2:39 p.m. CDT

Copy
Carl Schmitt gravatar
Please see https://support.gluu.org/view/application-integration/logout-uri/1990 as it describes issues logout issues with trusts.

By Aliaksandr Samuseu staff 28 Jul 2015 at 9:59 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Sure, I'll check it out. I've reported the issue to the dev team, so I'll close this one ticket for now.

Post an answer