0 Replies Latest reply on Feb 21, 2013 4:37 PM by Andrew Cheung

    UPDATE : Salesforce logout does not log out of IDP; SingleLogoutService Location attribute has no effect

    Andrew Cheung Newbie

      Hi. I'm using Salesforce as SP, PicketLink as IDP (PIcketLink version 2.1.4 on JBoss EPP 5.2.1). Here is my scenario:

       

      1. User A logs in to the domain (mydomain-dev-ed.my.salesforce.com) and the IDP login page appears.

       

      2. User A puts in his username and password and authenticates.

       

      3. The mydomain-dev-ed.my.salesforce.com landing page appears and User A is logged into salesforce.

       

      4. User A clicks log out link and is shown the index.jsp page in the hosted folder in the IDP.

       

      SAML Tracer shows that step 4 does NOT trigger a SAML logout request in step 4, which of course will not trigger a Logout response from the IDP that logs the user out

      of the IDP.

       

       

      Details of my configurations are found below.

       

      My question is : How can I make logout to work so that User A logs out of IDP when clicking on the log out link on salesforce?

       

      Any help is appreciated.

       

        -Andrew

       

       

      EDIT : I tried (just to test if there is any effect) replacing the value of the "Location" attribute in "md:SingleLogoutService" in sp-metadata.xml by some junk data (e.g. "aaaaa") and it seems that there is NO effect on the behaviour. I wonder if PicketLink actually reads in the value for Location. (I know that the reading of this value is added since version 2.1.2).


      ---------------------------------

       

      My configurations and setup are as follows:

       

       

      Salesforce side:

       

       

       

      Issuer    http://10.141.241.83:8380/IDPSig/

      Identity Provider Certificate    CN=jbid test, OU=JBoss, O=JBoss, C=US

      Expiration: 15 Apr 2009 16:54:42 GMT         

      Identity Provider Login URL    http://10.141.241.83:8380/IDPSig/

      Identity Provider Logout URL   http://10.141.241.83:8380/IDPSig/

       

      Salesforce.com Login URL    https://login.salesforce.com/?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0

      OAuth 2.0 Token Endpoint    https://login.salesforce.com/services/oauth2/token?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0

      Entity Id    https://saml.salesforce.com

      Service Provider Initiated Request Binding    HTTP Redirect

      Salesforce.com Single Logout URL    https://login.salesforce.com/saml/logout-request.jsp?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0

       

       

      NOTE : I have to use "HTTP Redirect" due to other technical limitations of our identity management infrastructure setup

       

      IDP side :

       

      picketlink.xml :

       

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true"  SupportsSignatures="true">

              <IdentityURL>http://10.141.242.83:8380/IDPSig/</IdentityURL>

              <Trust>

                  <Domains>10.141.242.83,salesforce.com</Domains>

              </Trust>

              <KeyProvider

                  ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">

                  <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />

                  <!-- <Auth Key="KeyStorePass" Value="store123" /> -->

                  <Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg==" />

                  <!-- <Auth Key="SigningKeyPass" Value="test123" /> -->

                  <Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />

                  <Auth Key="SigningKeyAlias" Value="servercert" />

                  <Auth Key="salt" Value="18273645" />

                  <Auth Key="iterationCount" Value="11" />

                   <ValidatingAlias Key="10.141.242.83" Value="servercert" />

                  <ValidatingAlias Key="saml.salesforce.com" Value="salesforce-cert" />

       

              </KeyProvider>

                <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">

                 <Option Key="FileName" Value="/WEB-INF/sp-metadata.xml"/>

               </MetaDataProvider>

       

          </PicketLinkIDP>

      <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />

            <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />

          </Handlers>

       

          <!--

              The configuration bellow defines a token timeout and a clock skew. Both configurations will be used during the SAML Assertion creation.

              This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.

           -->

       

          <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="0" ClockSkew="0" SignToken="true">

              <TokenProviders>

                  <TokenProvider

                      ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"

                      TokenType="urn:oasis:names:tc:SAML:1.0:assertion"

                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />

                  <TokenProvider

                      ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"

                      TokenType="urn:oasis:names:tc:SAML:2.0:assertion"

                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />

              </TokenProviders>

      </PicketLinkSTS>

       

      </PicketLink>

       

      --------------------

      sp-metadata.xml    :

       

            <?xml version="1.0" encoding="UTF-8"?>

      <md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"

                          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

                          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com" validUntil="2022-11-12T17:27:45.865Z">

         <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

            <md:KeyDescriptor use="signing">

               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

                  <ds:X509Data>

                     <ds:X509Certificate>MIIFBzCCA++gAwIBAgIQDJ4ihF+4VYzLxb+qASp7IzANBgkqhkiG9w0BAQUFADCBvDELMAk

      GA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbi

      BUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cud

      mVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRl

      cm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4XDTExMTIwNzAwMDAwMFoXDTEzMTIwNzIzNTk

      1OVowgY4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHFA1TYW

      4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNvbSwgSW5jLjEUMBIGA1UECxQLQ

      XBwbGljYXRpb24xHTAbBgNVBAMUFHByb3h5LnNhbGVzZm9yY2UuY29tMIGfMA0GCSqGSIb3

      DQEBAQUAA4GNADCBiQKBgQDMoSWW4dBiVScWbXno3C6n2+qR/0O+eE4lzT0Y1go53Pk+Skn

      9sUu43Z+uZ8lOXDqmLiScTaB43ePbqIAUYimqCR9aYCLmSeNwhs68dsxcyDVqm5XIr2OZsr

      LikhNkKPno+0fuoyOWbA35kRxBFXL66tEYlF8ETIT6G3kqt7CGVwIDAQABo4IBszCCAa8wC

      QYDVR0TBAIwADALBgNVHQ8EBAMCBaAwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL1NWUklu

      dGwtRzMtY3JsLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY3JsMEQGA1UdIAQ9MDswOQYLYIZ

      IAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYT

      AoBgNVHSUEITAfBglghkgBhvhCBAEGCCsGAQUFBwMBBggrBgEFBQcDAjByBggrBgEFBQcBA

      QRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcw

      AoYwaHR0cDovL1NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMG4

      GCCsGAQUFBwEMBGIwYKFeoFwwWjBYMFYWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruS

      iWBgy70FI4mymsSweLIQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xL

      mdpZjANBgkqhkiG9w0BAQUFAAOCAQEAVq0AapffwqicpyAu41f5pWDn7FPjgIt6lirqwo7t

      LRMpxFuYKIMg+wvioJQ8DJ8mNyw+JnZDPxdVjDSkE2Lb+5Z5P9vKbD833jqKP5vniMMvHRf

      tlkCqP/AI/9z6jomgQtfm3WbI7elTFJvDwA+/VdxgU86mKRpalMWDB545GxVFiO6AZ/8dvA

      poHVHTQBfrckk9JCrH++Wq3EmErKcxzsY8LItC8qCl5HtgJy160fII0ZdF8hV5vKlrHQpo9

      1L0c1pn+z5RB+kt8GIreME2rU3WEmtZglBKrlw3ik0sXL2CO/GCAzbh7YWkEfXtE3GcGh7N

      xcHB+08lZiJzKwN/yg==</ds:X509Certificate>

                  </ds:X509Data>

               </ds:KeyInfo>

            </md:KeyDescriptor>

            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" Location="https://login.salesforce.com/?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0" index="0" isDefault="true"/>

      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET"   Location="https://login.salesforce.com/saml/logout-request.jsp?saml=MgoTx78aEPvnDiQNcygASkuiY3oa_YDaLc2f1X.6eKXclNEU6aPNH6Rgb0" index="0" isDefault="true"/>

       

       

         </md:SPSSODescriptor>

      </md:EntityDescriptor>

      </md:EntitiesDescriptor>