0 Replies Latest reply on Feb 21, 2013 4:37 PM by ndrw_cheung

UPDATE : Salesforce logout does not log out of IDP; SingleLogoutService Location attribute has no effect

ndrw_cheung

Hi. I'm using Salesforce as SP, PicketLink as IDP (PicketLink version 2.1.4 on JBoss EPP 5.2.1). Here is my scenario:

1. User A logs in to the domain (mydomain-dev-ed.my.salesforce.com) and the IDP login page appears.
2. User A puts in his username and password and authenticates.
3. The mydomain-dev-ed.my.salesforce.com landing page appears and User A is logged into Salesforce.
4. User A clicks the log out link and is shown the index.jsp page in the hosted folder in the IDP.

SAML Tracer shows that step 4 does NOT trigger a SAML logout request, which of course will not trigger a Logout response from the IDP that logs the user out of the IDP.

Details of my configurations are found below.

My question is: How can I make logout work so that User A logs out of the IDP when clicking on the log out link on Salesforce?

Any help is appreciated.

-Andrew

EDIT: I tried (just to test if there is any effect) replacing the value of the "Location" attribute in "md:SingleLogoutService" in sp-metadata.xml with some junk data (e.g. "aaaaa") and it seems that there is NO effect on the behaviour. I wonder if PicketLink actually reads in the value for Location. (I know that the reading of this value was added in version 2.1.2.)


---------------------------------

My configurations and setup are as follows:

Salesforce side:

Issuer                                        http://10.141.241.83:8380/IDPSig/
Identity Provider Certificate                 CN=jbid test, OU=JBoss, O=JBoss, C=US (Expiration: 15 Apr 2009 16:54:42 GMT)
Identity Provider Login URL                   http://10.141.241.83:8380/IDPSig/
Identity Provider Logout URL                  http://10.141.241.83:8380/IDPSig/

Salesforce.com Login URL                      https://login.salesforce.com/?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0
OAuth 2.0 Token Endpoint                      https://login.salesforce.com/services/oauth2/token?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0
Entity Id                                     https://saml.salesforce.com
Service Provider Initiated Request Binding    HTTP Redirect
Salesforce.com Single Logout URL              https://login.salesforce.com/saml/logout-request.jsp?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0

NOTE : I have to use "HTTP Redirect" due to other technical limitations of our identity management infrastructure setup.

IDP side :

picketlink.xml :


<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true" SupportsSignatures="true">
        <IdentityURL>http://10.141.242.83:8380/IDPSig/</IdentityURL>
        <Trust>
            <Domains>10.141.242.83,salesforce.com</Domains>
        </Trust>
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
            <!-- <Auth Key="KeyStorePass" Value="store123" /> -->
            <Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg==" />
            <!-- <Auth Key="SigningKeyPass" Value="test123" /> -->
            <Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
            <Auth Key="SigningKeyAlias" Value="servercert" />
            <Auth Key="salt" Value="18273645" />
            <Auth Key="iterationCount" Value="11" />
            <ValidatingAlias Key="10.141.242.83" Value="servercert" />
            <ValidatingAlias Key="saml.salesforce.com" Value="salesforce-cert" />
        </KeyProvider>
        <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
            <Option Key="FileName" Value="/WEB-INF/sp-metadata.xml"/>
        </MetaDataProvider>
    </PicketLinkIDP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
    </Handlers>
    <!--
        The configuration below defines a token timeout and a clock skew. Both configurations will be used during the SAML Assertion creation.
        This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.
    -->
    <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="0" ClockSkew="0" SignToken="true">
        <TokenProviders>
            <TokenProvider
                ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
                TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
                TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
            <TokenProvider
                ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
        </TokenProviders>
    </PicketLinkSTS>
</PicketLink>


--------------------
sp-metadata.xml :

<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                       xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com" validUntil="2022-11-12T17:27:45.865Z">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>MIIFBzCCA++gAwIBAgIQDJ4ihF+4VYzLxb+qASp7IzANBgkqhkiG9w0BAQUFADCBvDELMAk
GA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbi
BUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cud
mVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRl
cm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4XDTExMTIwNzAwMDAwMFoXDTEzMTIwNzIzNTk
1OVowgY4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHFA1TYW
4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNvbSwgSW5jLjEUMBIGA1UECxQLQ
XBwbGljYXRpb24xHTAbBgNVBAMUFHByb3h5LnNhbGVzZm9yY2UuY29tMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDMoSWW4dBiVScWbXno3C6n2+qR/0O+eE4lzT0Y1go53Pk+Skn
9sUu43Z+uZ8lOXDqmLiScTaB43ePbqIAUYimqCR9aYCLmSeNwhs68dsxcyDVqm5XIr2OZsr
LikhNkKPno+0fuoyOWbA35kRxBFXL66tEYlF8ETIT6G3kqt7CGVwIDAQABo4IBszCCAa8wC
QYDVR0TBAIwADALBgNVHQ8EBAMCBaAwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL1NWUklu
dGwtRzMtY3JsLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY3JsMEQGA1UdIAQ9MDswOQYLYIZ
IAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYT
AoBgNVHSUEITAfBglghkgBhvhCBAEGCCsGAQUFBwMBBggrBgEFBQcDAjByBggrBgEFBQcBA
QRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcw
AoYwaHR0cDovL1NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMG4
GCCsGAQUFBwEMBGIwYKFeoFwwWjBYMFYWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruS
iWBgy70FI4mymsSweLIQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xL
mdpZjANBgkqhkiG9w0BAQUFAAOCAQEAVq0AapffwqicpyAu41f5pWDn7FPjgIt6lirqwo7t
LRMpxFuYKIMg+wvioJQ8DJ8mNyw+JnZDPxdVjDSkE2Lb+5Z5P9vKbD833jqKP5vniMMvHRf
tlkCqP/AI/9z6jomgQtfm3WbI7elTFJvDwA+/VdxgU86mKRpalMWDB545GxVFiO6AZ/8dvA
poHVHTQBfrckk9JCrH++Wq3EmErKcxzsY8LItC8qCl5HtgJy160fII0ZdF8hV5vKlrHQpo9
1L0c1pn+z5RB+kt8GIreME2rU3WEmtZglBKrlw3ik0sXL2CO/GCAzbh7YWkEfXtE3GcGh7N
xcHB+08lZiJzKwN/yg==</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" Location="https://login.salesforce.com/?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0" index="0" isDefault="true"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" Location="https://login.salesforce.com/saml/logout-request.jsp?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0" index="0" isDefault="true"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
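The post above asks whether the IdP reads the SingleLogoutService Location at all. As an added example (not part of the original post and not PicketLink or Salesforce code), here is a small Python sanity checker for the SingleLogoutService entries of SP metadata. It checks each entry against what the SAML 2.0 metadata schema and bindings specification define: the Binding must be one of the spec's binding URIs, the Location must be an absolute https URL, and SingleLogoutService is a plain EndpointType, so `index` and `isDefault` are not attributes of it. The embedded metadata is constructed: it has the shape of the sp-metadata.xml above with placeholder entity ID and URLs, no certificate, and the same `...:bindings:HTTP-GET` value in the logout endpoint. That value is not a binding URI the SAML 2.0 Bindings specification defines (the redirect binding is `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`), so the checker reports it; a corrected copy of the sample comes back clean.

```python
"""Sanity checks for SingleLogoutService entries in SAML 2.0 SP metadata.

Added example; not PicketLink code and not part of the original post.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Binding URIs the SAML 2.0 Bindings specification defines for single logout.
SLO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
}


def _md(local_name):
    """Clark-notation tag for an element in the SAML metadata namespace."""
    return "{%s}%s" % (MD_NS, local_name)


def check_slo_endpoints(metadata_xml):
    """Return a list of findings about every SP in the metadata.

    An empty list means each SPSSODescriptor has at least one
    SingleLogoutService with a spec-defined Binding, an absolute https
    Location, and no attributes the schema does not allow on it.
    """
    root = ET.fromstring(metadata_xml)
    findings = []
    # iter() includes the root itself, so a bare EntityDescriptor root
    # works as well as an EntitiesDescriptor wrapper.
    for ed in root.iter(_md("EntityDescriptor")):
        entity_id = ed.get("entityID", "<no entityID>")
        sp = ed.find(_md("SPSSODescriptor"))
        if sp is None:
            continue  # IdP or other role, nothing to check here
        slos = sp.findall(_md("SingleLogoutService"))
        if not slos:
            findings.append(
                f"{entity_id}: no SingleLogoutService, so the IdP has no "
                "endpoint to send a LogoutRequest or LogoutResponse to"
            )
        for slo in slos:
            binding = slo.get("Binding", "")
            location = slo.get("Location", "")
            if binding not in SLO_BINDINGS:
                findings.append(
                    f"{entity_id}: Binding '{binding}' is not a SAML 2.0 "
                    "binding URI (the redirect binding is "
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)"
                )
            url = urlsplit(location)
            if url.scheme != "https" or not url.netloc:
                findings.append(
                    f"{entity_id}: Location '{location}' is not an absolute https URL"
                )
            # SingleLogoutService is an EndpointType; index/isDefault belong to
            # IndexedEndpointType elements such as AssertionConsumerService.
            for attr in ("index", "isDefault"):
                if attr in slo.attrib:
                    findings.append(
                        f"{entity_id}: attribute '{attr}' is not defined on SingleLogoutService"
                    )
    return findings


# Constructed sample shaped like the metadata in the post, with a placeholder
# entity ID and URLs and the certificate omitted; {slo} takes the attributes
# of the logout endpoint so the same template yields a broken and a clean copy.
_SAMPLE_TEMPLATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp.example.invalid">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.invalid/acs" index="0" isDefault="true"/>
      <md:SingleLogoutService {slo}/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Logout endpoint declared the way the post's sp-metadata.xml declares it.
SAMPLE_SP_METADATA = _SAMPLE_TEMPLATE.format(
    slo='Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" '
        'Location="https://sp.example.invalid/slo" index="0" isDefault="true"'
)

# The same endpoint declared with a spec-defined binding and no indexed attributes.
SAMPLE_SP_METADATA_FIXED = _SAMPLE_TEMPLATE.format(
    slo='Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://sp.example.invalid/slo"'
)

if __name__ == "__main__":
    for label, xml in (("as posted", SAMPLE_SP_METADATA), ("fixed", SAMPLE_SP_METADATA_FIXED)):
        print(f"--- {label} ---")
        for finding in check_slo_endpoints(xml) or ["no findings"]:
            print(finding)
```

Running the script prints three findings for the first sample (the binding URI, `index`, and `isDefault`) and none for the corrected copy. One thing worth keeping in mind when reading such output: the Location in SP metadata is the address the IdP uses when it sends a LogoutRequest or LogoutResponse to the SP. Whether the SP itself issues a LogoutRequest when the user clicks its logout link, which is what SAML Tracer was watching in step 4, is decided on the SP side, so a junk Location in the IdP's copy of the SP metadata would not be expected to change what the tracer sees at that step.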