By: Hao Bin Kwan Account Admin 22 Feb 2017 at 12:33 a.m. CST

6 Responses

Hi, I tried to implement logout from SP but can't get it to work. The link that I used to logout from SP is https://<hostname>/Shibboleth.sso/Logout And this is the error observed from wrapper.log (gluu): ``` INFO | jvm 1 | 2017/02/22 14:28:20 | (ASIMBAWA) [2017-02-22 14:28:19] [DEBUG] OAServlet Processing: profiles request INFO | jvm 1 | 2017/02/22 14:28:20 | (ASIMBAWA) [2017-02-22 14:28:19] [DEBUG] SingleLogout Binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect INFO | jvm 1 | 2017/02/22 14:28:20 | (ASIMBAWA) [2017-02-22 14:28:19] [DEBUG] SingleLogout <?xml version="1.0" encoding="UTF-8"?> INFO | jvm 1 | 2017/02/22 14:28:20 | <samlp:LogoutRequest INFO | jvm 1 | 2017/02/22 14:28:20 | Destination="https://gdc-shib-gluu/asimba/profiles/saml2/sso/logout" INFO | jvm 1 | 2017/02/22 14:28:20 | ID="_e83f07186ab75bee24beaad8368e2cfe" INFO | jvm 1 | 2017/02/22 14:28:20 | IssueInstant="2017-02-22T06:28:19Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> INFO | jvm 1 | 2017/02/22 14:28:20 | <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://gdc-web-test1/shibboleth</saml:Issuer> INFO | jvm 1 | 2017/02/22 14:28:20 | <samlp:Extensions> INFO | jvm 1 | 2017/02/22 14:28:20 | <aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/> INFO | jvm 1 | 2017/02/22 14:28:20 | </samlp:Extensions> INFO | jvm 1 | 2017/02/22 14:28:20 | <saml2:NameID INFO | jvm 1 | 2017/02/22 14:28:20 | Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" INFO | jvm 1 | 2017/02/22 14:28:20 | NameQualifier="https://gdc-shib-gluu/asimba/profiles/saml2" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">_ba52cd1fed356df5baece7b9d2bf89ee!https://gdc-web-test1/shibboleth</saml2:NameID> INFO | jvm 1 | 2017/02/22 14:28:20 | <samlp:SessionIndex>_ed4u9LGbCQJWTwWf3-d3eZnqcxzJLaRrS2pbCxG3MrejXOuV-XwT-u9QYYpdJfFqu1Oy5An2z5xRyUbf-dIFw_T_c96ifvvZgA1JDVbgYerlkFDWCqbZovTvNhnLqkyrIouA2CnoaspgRVNTmxCNGeKHTQVo806gvYGdOAw_szORFZvx7jvx-wLIRl6v-KinEkoCMdzrl6Ntg349i_zYV-R6f-BWGcjgREQRjvBYLAo-alcL7xCBf69TjlWlQ6zHoRfR7jUbT4oLjQo-M2DSAhyV75chPHkoxQFEK4ozJF7CAccGhcGDq6jrHmTj19pc_uWBha1fRMS3xthy3Je94g</samlp:SessionIndex> INFO | jvm 1 | 2017/02/22 14:28:20 | </samlp:LogoutRequest> INFO | jvm 1 | 2017/02/22 14:28:20 | INFO | jvm 1 | 2017/02/22 14:28:20 | (ASIMBAWA) [2017-02-22 14:28:19] [DEBUG] SingleLogout LogoutRequest MUST be signed if the HTTP POST or Redirect binding is used INFO | jvm 1 | 2017/02/22 14:28:20 | (ASIMBAWA) [2017-02-22 14:28:19] [DEBUG] SingleLogout Security error INFO | jvm 1 | 2017/02/22 14:28:20 | com.alfaariss.oa.util.saml2.SAML2SecurityException: REQUEST_INVALID INFO | jvm 1 | 2017/02/22 14:28:20 | at com.alfaariss.oa.profile.saml2.profile.sso.SingleLogout.processSAMLRequest(SingleLogout.java:292) INFO | jvm 1 | 2017/02/22 14:28:20 | at com.alfaariss.oa.profile.saml2.profile.sso.SingleLogout.process(SingleLogout.java:203) INFO | jvm 1 | 2017/02/22 14:28:20 | at com.alfaariss.oa.profile.saml2.SAML2Profile.service(SAML2Profile.java:281) INFO | jvm 1 | 2017/02/22 14:28:20 | at com.alfaariss.oa.OAServlet.service(OAServlet.java:245) INFO | jvm 1 | 2017/02/22 14:28:20 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) INFO | jvm 1 | 2017/02/22 14:28:20 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) INFO | jvm 1 | 2017/02/22 14:28:20 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) INFO | jvm 1 | 2017/02/22 14:28:20 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) INFO | jvm 1 | 2017/02/22 14:28:20 | at java.lang.Thread.run(Thread.java:745) INFO | jvm 1 | 2017/02/22 14:28:20 | (ASIMBAWA) [2017-02-22 14:28:19] [INFO] EventLogger null, null, null, null, null, 172.16.87.197, 2, REQUEST_INVALID, null, SAML2 Profile, Security Fault ``` Does this mean I need to upload SP cert into SP requestor of Gluu? Any help is greatly appreciated.

CentOS72

closed

By Mohib Zico Account Admin 22 Feb 2017 at 4:52 a.m. CST

Copy

There was an [issue](https://github.com/GluuFederation/gluu-Asimba/issues/25) in 2.4.4. It's fixed in 2.4.4.2. However we will publish a asimba logout doc for community.

By Aliaksandr Samuseu staff 22 Feb 2017 at 11:35 a.m. CST

Copy

I'll try to reproduce it first in local setup.

By Hao Bin Kwan Account Admin 23 Feb 2017 at 12:42 a.m. CST

Copy

Hi, Thanks for the quick response! Have you managed to reproduced in your local setup? About the fix, may I know how can I patch it to my current version (2.4.4)? Indeed a doc would be awesome in this case regarding asimba logout. Look forward to it (can you paste the link here once it's up?). Thank you :)

By Aliaksandr Samuseu staff 23 Feb 2017 at 5:34 p.m. CST

Copy

Hi, Hao. I must ask you to provide more details on your setup. Could you refer to actual doc page at Gluu docs portal which you used to configure this very setup? Please also provide configuration files for your Shibboleth SP instance (`shibboleth2.xml` alone will do, I guess), and let me know what actually you did to it when you (I'm quoting your words) "tried to implement logout from SP". May be you also followed some doc, step by step? Please share link to this document too, then. Also, brief explanation of you actions that trigger the issue would be helpful. >may I know how can I patch it to my current version (2.4.4) You can patch your instance to verstion 2.4.4.2 (2.4.4+SP2), then either wait till the SP3 updater is released, or update some Java apps in container manually. For you must use `gluu-updater-2.4.4` package for corresponding Linux distro. I'll provided you steps if required. But first let's sort out this issue, I'll try to make sure it's indeed fixed in latest package.

By Hao Bin Kwan Account Admin 28 Feb 2017 at 4:17 a.m. CST

Copy

Hi Aliaksandr, FYI: My current setup of Gluu+Asimba as follows: > SP -> Gluu --interception script-> Asimba -> External IDP _I also patched Gluu to 2.4.4 sp1 (I read somewhere in the support forum it's needed for logout to work properly)_ **Here goes my other setup:** I've implemented the logout on protected page on SP, in shibboleth2.xml this is by default added: ```  <Logout>SAML2 Local</Logout> ``` I then added a clickable link on the protected page (/secure/index.php) like below (which should log user out from both SP and IDP theoretically): ``` https://<sp host>/Shibboleth.sso/Logout?return=https://<gluu>/idp/logout.jsp ``` This works fine ie. I can see it shows "**Local Logout**" (SP) and then redirected to Gluu's "**Logged Out**" page in green with url (https://<gluu>/identity/authentication/finishlogout) However, when I try to access the protected page (/secure) again, somehow I'm logged in without going through asimba or IDP login page. P/s: I can actually see the shibsession cookie is 'destroyed' upon local logout on SP but set_cookie kicks in when I goto the protected page again. The only way to kill the session now is by closing all the browser windows.

By Aliaksandr Samuseu staff 28 Feb 2017 at 12:28 p.m. CST

Copy

Thanks, Hao. Let me look into it.

You need to Login in order to post an answer

SP logout from Asimba

By: Hao Bin Kwan Account Admin 22 Feb 2017 at 12:33 a.m. CST

Answers

By Mohib Zico Account Admin 22 Feb 2017 at 4:52 a.m. CST

By Aliaksandr Samuseu staff 22 Feb 2017 at 11:35 a.m. CST

By Hao Bin Kwan Account Admin 23 Feb 2017 at 12:42 a.m. CST

By Aliaksandr Samuseu staff 23 Feb 2017 at 5:34 p.m. CST

By Hao Bin Kwan Account Admin 28 Feb 2017 at 4:17 a.m. CST

By Aliaksandr Samuseu staff 28 Feb 2017 at 12:28 p.m. CST

Post an answer