By: Andrew Ibarra user 12 Dec 2019 at 6:38 p.m. CST

12 Responses
After clicking "logout" from OnlyOffice, I'm expecting to be taken back to the OnlyOffice sign-in page. Instead, Gluu says

````
Web Login Service - Unsupported Request
The application you have accessed is not registered for use with this service.
````

I followed the guide at: https://gluu.org/docs/ce/integration/saas/onlyoffice/

I am able to log in perfectly fine using Gluu toward OnlyOffice.

By Michael Schwartz staff 12 Dec 2019 at 8:41 p.m. CST

Can you reference a screenshot of how you configured the SAML SP in oxTrust? Also, did you check the idp log file? Any interesting messages?

By Andrew Ibarra user 12 Dec 2019 at 10:34 p.m. CST

Please see screen shots at https://drive.google.com/drive/folders/1L7rUbVE2rrbdXSS5vbZCi92RRRPKZkE3?usp=sharing

from idp-warn.log

````
2019-12-13 04:31:24,703 - 24.4.17.23 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout is not available for RP configuration EntityNames[http://onlyoffice.inctrg.io/sso/metadata,] (RPID http://onlyoffice.inctrg.io/sso/metadata)
2019-12-13 04:31:24,708 - 24.4.17.23 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
````

from idp-process.log

````
2019-12-13 04:31:24,703 - 24.4.17.23 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/logout is not available for RP configuration EntityNames[http://onlyoffice.inctrg.io/sso/metadata,] (RPID http://onlyoffice.inctrg.io/sso/metadata)
2019-12-13 04:31:24,708 - 24.4.17.23 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
````

Thanks!

By Sahil Arora staff 13 Dec 2019 at 7:16 a.m. CST

Hi Andrew, I see that you're using the Single Logout setting in OnlyOffice. For SLO to work, you'll have to enable SLO on the Gluu side as well. Please follow [this](https://gluu.org/docs/ce/4.0/admin-guide/saml/#saml-single-logout) link to enable SLO.

By Andrew Ibarra user 13 Dec 2019 at 11:45 a.m. CST

Hello, I added the SLO to my Trust Relationship, as per the SLO guide. https://drive.google.com/open?id=1A5H42Zdc2l0VY3Cjjh3faKcIJkfiJV1w

When I attempt the logout action now, I get the following error:

````
tail /opt/shibboleth-idp/logs/idp-warn.log
2019-12-13 17:40:07,044 - 12.208.165.141 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated
	at org.opensaml.messaging.handler.impl.CheckMandatoryAuthentication.doInvoke(CheckMandatoryAuthentication.java:70)
2019-12-13 17:40:07,048 - 12.208.165.141 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: MessageAuthenticationError
````

Thank you,
-Andrew

By Sahil Arora staff 13 Dec 2019 at 6:33 p.m. CST

Hi Andrew, SLO url on OnlyOffice side must be set to "https://[Gluuhostname]/idp/Authn/oxAuth/logout" and binding as "Redirect". Please make these changes and share fiddler trace logs, along with error screenshot? Thanks Sahil

By Andrew Ibarra user 13 Dec 2019 at 10:15 p.m. CST

Hello, I made the changes. Clicking "logout" now correctly takes me to this screen: https://drive.google.com/open?id=1pNNLxHOh8kRUG6IsSbNnK8bZunB_txEA

But, after clicking yes (or waiting): https://drive.google.com/open?id=11Pimqohzj2AvkvQhLIbF_7XWgn9xI85V although the logout has succeeded.

I'm not sure where the trace logs are. I checked the other log files like (/opt/shibboleth-idp/logs/idp-warn.log), and didn't see new errors.

Thanks,
-Andrew

By Sahil Arora staff 14 Dec 2019 at 11:33 a.m. CST

Good to know that SLO has worked. I'm now checking how to redirect user to login page after successful logoff. I'd need your SP metadata file to see what SLO service has been configured. And, network trace logs can be captured with fiddler tool, or [chrome](https://support.zendesk.com/hc/en-us/articles/204410413-Generating-a-HAR-file-for-troubleshooting)

By Andrew Ibarra user 14 Dec 2019 at 5:47 p.m. CST

SP metadata:

````
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://onlyoffice.inctrg.io/sso/metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://onlyoffice.inctrg.io/sso/slo/callback"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://onlyoffice.inctrg.io/sso/slo/callback"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://onlyoffice.inctrg.io/sso/acs" index="0"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://onlyoffice.inctrg.io/sso/acs" index="1"/>
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">Gluu and only office sso</ServiceName>
      <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute FriendlyName="mobile" Name="urn:oid:0.9.2342.19200300.100.1.41" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute FriendlyName="l" Name="urn:oid:2.5.4.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>
````

Here is the HAR file from Chrome: https://drive.google.com/open?id=1ty4vEGzc43CEq4hXAsrEcAiFeL-k6MY1

It's only the document requests once I click "logout" from the OnlyOffice interface.

Thanks!

By Mohib Zico staff 16 Dec 2019 at 8:52 a.m. CST

Andrew, please 'trace' `idp-process.log` with DEBUG mode. This cross button generally means:

- Logout completed from IDP side but SP isn't responding when IDP is trying to complete SSO.
- It might be due to:
  - Your SP is not configured properly to handle SLO.
  - Or, your SP doesn't even support SLO.
  - Or, there is some name resolution issue and/or network issue.

By Andrew Ibarra user 18 Dec 2019 at 5:53 p.m. CST

Hmm... I followed the directions here (https://gluu.org/docs/ce/4.0/operation/logs/) to set logging to DEBUG, but I'm only seeing "INFO" level logs:

````
tail /opt/shibboleth-idp/logs/idp-process.log
2019-12-18 23:18:51,698 - 12.208.165.141 - INFO [Shibboleth-Audit.SSO:275] - 20191218T231851Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_cdf1a76a-39a1-4271-a82c-a69c18df68cf|http://onlyoffice.inctrg.io/sso/metadata|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://gluu.inctrg.io/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_677ce68f4d746fafb139335a7b68509e|Andrew|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,givenName,sn|AAdzZWNyZXQxTzSOgQWhZrFZFMACSepKu10yoBgn9//EMZI7Ph7s9EZdqr1VH+3tIkBMSN5NiXSN1ghml6X/57xokjycJYfzUQQLgA0IL9R8QHmqYVjmN6HB7xY4k6gvWfPnNDxxufgq5ewaCaJcm7TYMo+big==|_f13db0d42f08cdde1b8b4c3d7a1b110c|false
2019-12-18 23:19:10,930 - 12.208.165.141 - INFO [Shibboleth-Audit.Logout:275] - 20191218T231910Z||||http://shibboleth.net/ns/profiles/logout||||Andrew|||||
2019-12-18 23:19:14,030 - 12.208.165.141 - INFO [Shibboleth-Audit.LogoutPropagation:275] - 20191218T231914Z|||http://onlyoffice.inctrg.io/sso/metadata|http://shibboleth.net/ns/profiles/saml2/logout|https://gluu.inctrg.io/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_6a4e7ef1725766fef85ce6e8bcf30c56||||AAdzZWNyZXQxTzSOgQWhZrFZFMACSepKu10yoBgn9//EMZI7Ph7s9EZdqr1VH+3tIkBMSN5NiXSN1ghml6X/57xokjycJYfzUQQLgA0IL9R8QHmqYVjmN6HB7xY4k6gvWfPnNDxxufgq5ewaCaJcm7TYMo+big==||false
````

By Sahil Arora staff 20 Dec 2019 at 10:15 a.m. CST

Hi Andrew, we're trying to replicate this on our local instance and will update the documentation accordingly. I will keep you posted. Thank you.

By Mohib Zico staff 07 Jan 2020 at 2:03 a.m. CST

SLO doesn't work for OnlyOffice. The reason is: during logout, two-way communication happens... Gluu Server sends a LogoutRequest to the SP, the SP responds back with a LogoutResponse, and then SLO happens in Gluu Server. In this case, OnlyOffice is not sending the LogoutResponse. I tried to reach their support but we need a 'paid subscription' to get any kind of support, which I don't have. If any of you has a paid subscription, please let me know, so we will try to figure out the SLO issues with them.
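
The LogoutRequest/LogoutResponse exchange described in the last reply, as an added Python example that is not part of the thread and is neither Gluu's nor OnlyOffice's code. It assumes unsigned messages over the HTTP-POST binding; the hostnames, IDs and the function names `build_logout_response` and `idp_accepts` are hypothetical, and the IdP-side check is a simplified correlation check, not Shibboleth's logic.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample of a LogoutRequest posted to an SP's SLO callback
# (placeholder hosts and IDs, not captured traffic).
SAMPLE_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req-example-1" Version="2.0" IssueInstant="2019-12-18T23:19:14Z" '
    'Destination="http://sp.example/sso/slo/callback">'
    '<saml:Issuer>https://idp.example/idp/shibboleth</saml:Issuer>'
    '<saml:NameID>constructed-transient-id</saml:NameID>'
    '</samlp:LogoutRequest>'
)

def build_logout_response(saml_request_b64, sp_entity_id, idp_slo_url):
    """SP side: answer a POST-binding LogoutRequest with a LogoutResponse."""
    req = ET.fromstring(base64.b64decode(saml_request_b64))
    if req.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_slo_url,
        # Ties the answer to the request; without it the IdP cannot correlate.
        "InResponseTo": req.attrib["ID"],
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = sp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    return base64.b64encode(ET.tostring(resp)).decode()

def idp_accepts(saml_response_b64, expected_request_id, expected_issuer):
    """IdP side (simplified): correlate the response and require Success."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return (resp.tag == f"{{{SAMLP}}}LogoutResponse"
            and resp.get("InResponseTo") == expected_request_id
            and resp.findtext(f"{{{SAML}}}Issuer") == expected_issuer
            and code is not None and code.get("Value") == SUCCESS)
```

An SP that never returns the second message leaves the IdP's propagation step for that SP unanswered, which matches the behaviour reported above.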