Hi John,

It is actually not a problem in finding the SessionIndex value from the request. Apparently there is a problem in finding the Session Index from the SSOTokenID cookie. I will analyze the trace and get back to you as quickly as possible.

Thanks.

On Thu, Nov 19, 2015 at 9:38 PM, John Lee <jhn134...@gmail.com> wrote:

> Any further ideas on this?
> If the samlssoTokenId is missing, should you get the sessionIndex from the
> Logout Request message in this case?
>
> On Tue, Nov 17, 2015 at 3:22 PM, John Lee <jhn134...@gmail.com> wrote:
>
>> Hello there Chamara,
>> I'm using IS 5.0.0, but it was patched to support SAML IdP initiated SLO
>> (WSO2-CARBON-PATCH-4.2.0-1456.zip
>> <https://protect-eu.mimecast.com/redirect/eNpVzL0KwjAUQOF3uXMTNLaCnaxZBMGKPziX20uNJLkhTRbFdzeDi-Phg_OGiCFBC09-eGmJtgbZB4sS2UEFYcCC-nbYNN2qNOY5saOIPNIfBDNCqyqINBn2hULkRJgEZemMIxzm9HvmaIvfL70Sujvv-qM4dVe9F7VUciGWdbOWLxPg8wUqCi_M>
>> ).
>> The request SSO trace is attached.
>> Let me know if you spot anything unusual.
>> Thanks,
>> John.
>>
>> On Tue, Nov 17, 2015 at 4:53 AM, Chamara Philips <chama...@wso2.com>
>> wrote:
>>
>>> Hi John,
>>>
>>> Which IS version did you try exactly?
>>>
>>> Since we verify the request parameters with the cookie, we need to see
>>> whether something has happened in that verification. SSO tracer will help
>>> in this issue. Can you please add the sso tracer plugin to the firefox, if
>>> you haven't already.
>>>
>>> - Install the sso tracer from [1]
>>> - Start both servers and open firefox
>>> - Go to Tools -> SSO Tracer. New window will be opened. Leave it
>>>   opened and goto firefox and continue with logging to travelocity app.
>>>   (Only the step 6 under the heading 'Setting up an application as the SP in the
>>>   primary IS' at [2] is needed.) Then issue the LogOut request as you did
>>>   before.
>>> - Then open the SSO Tracer window again.
>>> - Click the save button and save the trace as a text file.
>>>
>>> Please attach the text file. It will be really helpful to come to the
>>> final decision about what is really going under.
>>>
>>> [1] https://addons.mozilla.org/en-US/firefox/addon/sso-tracer/
>>> [2] https://docs.wso2.com/display/IS500/Connecting+Two+Identity+Servers+with+SAML+SSO
>>>
>>> Thanks.
>>>
>>> On Tue, Nov 17, 2015 at 7:53 AM, Chamara Philips <chama...@wso2.com>
>>> wrote:
>>>
>>>> Hi John,
>>>>
>>>> Since we verify the request parameters with the cookie, we need to see
>>>> whether something has happened in that verification. SSO tracer will help
>>>> in this issue. Can you please add the sso tracer plugin to the firefox, if
>>>> you haven't already. ( You can refer [1] if needed).
>>>> Please take the sso tracer and send the SAML requests and responses. It
>>>> will be really helpful to come to the final decision about what is really
>>>> going under. Also note that IdP initiated SLO option is given from IS
>>>> 5.1.0. IS 5.0.0 has Enable IdP initiated SSO only. Which version did you
>>>> try exactly?
>>>>
>>>> [1] https://ping.force.com/Support/PingOne/PingOne-General/PingOne-How-do-I-use-SSO-Tracer-SAML-Tracer-and-Live-HTTP-Headers-to-Troubleshoot-PingOne-Issues
>>>>
>>>> Thanks.
>>>>
>>>> On Mon, Nov 16, 2015 at 3:53 PM, John Lee <jhn134...@gmail.com> wrote:
>>>>
>>>>> Just to mention that I'm proxying re-directs with apache web servers
>>>>> at both domains. So requests from primary to secondary go through apache
>>>>> web server in the secondary domain, and responses from the secondary are
>>>>> proxied through the web server of the primary domain. In the example
>>>>> provided in the documentation both identity servers are communicating
>>>>> directly. (
>>>>> https://docs.wso2.com/display/IS500/Connecting+Two+Identity+Servers+with+SAML+SSO
>>>>> )
>>>>>
>>>>> I'll first provide some more debug level logs captured immediately
>>>>> after the logout operation, and then I'll outline my configuration.
>>>>> >>>>> Logs at Primary IS >>>>> ============== >>>>> TID: [0] [IS] [2015-11-16 09:49:53,918] DEBUG >>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - >>>>> Query >>>>> string : slo=true&spEntityID=https%3A%2F% >>>>> 2Fservices.firecrestclinical.com%2Fsp%2Ffcp >>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,920] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> - Session Data removing Task is started to run >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,923] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> - Session Data persisting Task is started to run >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,934] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - retrieving authentication request from cache.. 
>>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,934] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} >>>>> - >>>>> Inbound Request parameters: >>>>> commonAuthCallerPath={%2Fsamlsso} >>>>> commonAuthLogout={true} >>>>> relyingParty={https://services.firecrestclinical.com/sp/fcp} >>>>> slo={true} >>>>> spEntityID={https://services.firecrestclinical.com/sp/fcp} >>>>> {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,934] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Initializing the flow >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,934] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Framework contextId: 02df94c5-8b91-40d5-b3b3-02c87eeeded4 >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,934] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Starting a logout flow >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,936] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - commonAuthId cookie is available with the value: >>>>> 6fd45432-66a9-45ee-9a4c-bdb53b4a9f62 >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] 
[IS] [2015-11-16 09:49:53,937] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Service Provider is: firecrest_sp >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,937] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - A previously authenticated sequence found for the SP: firecrest_sp >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,937] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Already authenticated by username: >>>>> User-395372cd-3919-46af-967f-6a28633d442b >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,937] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Outbound Query String: >>>>> commonAuthCallerPath=%252Fsamlsso&commonAuthLogout=true&relyingParty=https%3A%2F% >>>>> 2Fservices.firecrestclinical.com >>>>> %2Fsp%2Ffcp&slo=true&spEntityID=https%3A%2F% >>>>> 2Fservices.firecrestclinical.com >>>>> %2Fsp%2Ffcp&type=samlsso&sessionDataKey=02df94c5-8b91-40d5-b3b3-02c87eeeded4&relyingParty= >>>>> https://services.firecrestclinical.com/sp/fcp&type=samlsso&sp=firecrest_sp&isSaaSApp=false >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,937] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} >>>>> - Trying to find the IdP for name: exostar_idp >>>>> 
{org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,937] DEBUG >>>>> {org.wso2.carbon.idp.mgt.dao.CacheBackedIdPMgtDAO} - Cache entry found >>>>> for >>>>> Identity Provider exostar_idp >>>>> {org.wso2.carbon.idp.mgt.dao.CacheBackedIdPMgtDAO} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,938] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} >>>>> - A registered IdP was found >>>>> {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} >>>>> TID: [0] [IS] [2015-11-16 09:49:53,942] DEBUG >>>>> {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} >>>>> - SAML Request : <?xml version="1.0" encoding="UTF-8"?> >>>>> <saml2p:LogoutRequest Destination=" >>>>> https://validation-testing.firecrestclinical.com/samlsso" >>>>> ID="pegdphndejdlofffmmdhdjcjjdjgjkmkcppagnkf" >>>>> IssueInstant="2015-11-16T09:49:53.938Z" >>>>> NotOnOrAfter="2015-11-16T09:54:53.938Z" Reason="Single Logout" >>>>> Version="2.0" >>>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer >>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">firecrest >>>>> IS</saml2:Issuer><saml2:NameID >>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">tes...@fctest.com</saml2:NameID><saml2p:SessionIndex>f19b7270-c61a-40b1-8e2a-fd9113a983fb</saml2p:SessionIndex></saml2p:LogoutRequest> >>>>> {org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager} >>>>> >>>>> >>>>> Logs at Secondary IS >>>>> ================= >>>>> TID: [0] [IS] [2015-11-16 09:49:28,010] DEBUG >>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - >>>>> Query >>>>> string : >>>>> 
SAMLRequest=nZLLTsMwEEX3fIXlvds4baGxmgBShRSJh0QLC3auH6nTxA4eF8HfE6eU14IFG8se37m6PuPF%2BWvboBflwTibYzpKMFJWOGlsleOH9RWZ4%2FPiZAG8bdKOXbvK7cO9et4rCGjZL8byMLRuQ%2BiAjccvvDFyqJEw3FcjbbwSvj%2BIxlgjeDMSrh1HSwCHUbnMcacq2W2tVLVsnNa6beVW1qKuZV3Vu3Ynuo5Xdqd7NcBelRYCtyHHaUJnhFJCT9dJxqYZm01G2WT%2BhNGtC3f2zl%2FqoPxv3Wz6pbtXHGL%2BVZ%2B0UejwQowej0jSiKSHZIEdIOR47y1zHAwwy1sFLAi2ury5Zr2Udd4FJ1yDiwMzNuT13x3%2BNuAAykd8uPjkhsrVYvzd7mh%2B27eXS3TlfMvD376xYiTRg5QpG0x4w%2F%2BKFceazi60iJs4ymO2Q5ri%2BFlWCiLCsp%2Fqa6FptjlLzxIiTikn02RDyVylnGiZUTrh2XyiNx8%2Bvzo%2Fqz8%2BX%2FEO&RelayState=02df94c5-8b91-40d5-b3b3-02c87eeeded4&SigAlg=http%3A%2F% >>>>> 2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=pjRSvOApLwHb1%2BZ6dcwJmY62zXAaKobHe%2F7%2FjCKCxknfeUnOuUfkwKtKrEubezGjSGjrF%2FatJ91lU3vLNVfO4jkzX0Nl%2FEcNbe7ITH%2FeZYVjS1VdXnAj7amoI%2FAAZ1cRrXQ2NDwZuUHDsLO9dWy4JrSYeiZzMpJKweBeKsSh%2BWiyq0c2%2Bju96xFJ4c1U3IdmcY1jyxphh1%2FQQxSsB2w8WS70cNH3sXgMVZb8Ke%2BvbG%2Fkm%2Fb%2B0gJGQx8HFZ8pGKOoC70ih0p%2FvwBNhAFhJsqJVpuW0lpPtto99fwBN%2FOIr9Qqgdr7I9%2Bgs%2BAOI88j0rqOotGZjmgrdPB1rOaLMU8ghA%3D%3D >>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,011] DEBUG >>>>> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message >>>>> <?xml version="1.0" encoding="UTF-8"?> >>>>> <saml2p:LogoutRequest Destination=" >>>>> https://validation-testing.firecrestclinical.com/samlsso" >>>>> ID="pegdphndejdlofffmmdhdjcjjdjgjkmkcppagnkf" >>>>> IssueInstant="2015-11-16T09:49:53.938Z" >>>>> NotOnOrAfter="2015-11-16T09:54:53.938Z" Reason="Single Logout" >>>>> Version="2.0" >>>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer >>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">firecrest >>>>> IS</saml2:Issuer><saml2:NameID >>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >>>>> 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">tes...@fctest.com</saml2:NameID><saml2p:SessionIndex>f19b7270-c61a-40b1-8e2a-fd9113a983fb</saml2p:SessionIndex></saml2p:LogoutRequest> >>>>> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,023] ERROR >>>>> {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor} - >>>>> Session index value not found in the request >>>>> {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,032] DEBUG >>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - >>>>> Invalid SAML SSO Logout Request >>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,033] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> - Session Data persisting Task is started to run >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,033] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> - Session Data removing Task is started to run >>>>> {org.wso2.carbon.identity.application.authentication.framework.store.SessionDataPersistTask} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,108] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - retrieving authentication request from cache.. 
>>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,108] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} >>>>> - >>>>> Inbound Request parameters: >>>>> RelayState={02df94c5-8b91-40d5-b3b3-02c87eeeded4} >>>>> >>>>> SAMLRequest={nZLLTsMwEEX3fIXlvds4baGxmgBShRSJh0QLC3auH6nTxA4eF8HfE6eU14IFG8se37m6PuPF+WvboBflwTibYzpKMFJWOGlsleOH9RWZ4/PiZAG8bdKOXbvK7cO9et4rCGjZL8byMLRuQ+iAjccvvDFyqJEw3FcjbbwSvj+IxlgjeDMSrh1HSwCHUbnMcacq2W2tVLVsnNa6beVW1qKuZV3Vu3Ynuo5Xdqd7NcBelRYCtyHHaUJnhFJCT9dJxqYZm01G2WT+hNGtC3f2zl/qoPxv3Wz6pbtXHGL+VZ+0UejwQowej0jSiKSHZIEdIOR47y1zHAwwy1sFLAi2ury5Zr2Udd4FJ1yDiwMzNuT13x3+NuAAykd8uPjkhsrVYvzd7mh+27eXS3TlfMvD376xYiTRg5QpG0x4w/+KFceazi60iJs4ymO2Q5ri+FlWCiLCsp/qa6FptjlLzxIiTikn02RDyVylnGiZUTrh2XyiNx8+vzo/qz8+X/EO} >>>>> SigAlg={http://www.w3.org/2000/09/xmldsig#rsa-sha1} >>>>> >>>>> Signature={pjRSvOApLwHb1+Z6dcwJmY62zXAaKobHe/7/jCKCxknfeUnOuUfkwKtKrEubezGjSGjrF/atJ91lU3vLNVfO4jkzX0Nl/EcNbe7ITH/eZYVjS1VdXnAj7amoI/AAZ1cRrXQ2NDwZuUHDsLO9dWy4JrSYeiZzMpJKweBeKsSh+Wiyq0c2+ju96xFJ4c1U3IdmcY1jyxphh1/QQxSsB2w8WS70cNH3sXgMVZb8Ke+vbG/km/b+0gJGQx8HFZ8pGKOoC70ih0p/vwBNhAFhJsqJVpuW0lpPtto99fwBN/OIr9Qqgdr7I9+gs+AOI88j0rqOotGZjmgrdPB1rOaLMU8ghA==} >>>>> commonAuthCallerPath={%2Fsamlsso} >>>>> commonAuthLogout={true} >>>>> {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,109] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Initializing the flow >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,109] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Framework contextId: 
076e7853-3b12-46e7-b1d8-1b96b75139a2 >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,109] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - Starting a logout flow >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,109] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> - relyingParty param is null. This is a possible logout scenario. >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} >>>>> TID: [0] [IS] [2015-11-16 09:49:28,111] DEBUG >>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultLogoutRequestHandler} >>>>> - Sending response back to: /samlsso... 
>>>>> commonAuthLoggedOut: true
>>>>> sessionDataKey: 6d05e72f-d8c2-4e25-883c-bca06ef649b9
>>>>> {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultLogoutRequestHandler}
>>>>> TID: [0] [IS] [2015-11-16 09:49:28,139] DEBUG
>>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -
>>>>> Query string : sessionDataKey=6d05e72f-d8c2-4e25-883c-bca06ef649b9
>>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
>>>>> TID: [0] [IS] [2015-11-16 09:49:28,141] WARN
>>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -
>>>>> Redirecting to default logout page due to a invalid logout request
>>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
>>>>>
>>>>> Configuration of Secondary IDP in primary IS
>>>>> ===================================
>>>>> Identity Provider Name = exostar_idp
>>>>> Home Realm Identifier = validation-testing.firecrestclinical.com
>>>>> Enable Assertion Encryption = true
>>>>> Enable Logout = true
>>>>> Enable Logout request Signing = true
>>>>> SSO URL = https://validation-testing.firecrestclinical.com/samlsso
>>>>> (i.e. shall be proxied by apache to WSO2 Secondary IS)
>>>>> Logout URL = https://validation-testing.firecrestclinical.com/samlsso
>>>>> (i.e. shall be proxied by apache to WSO2 Secondary IS)
>>>>> Enable Response Signing = true
>>>>> Enable Assertion Signing = true
>>>>> Enable Request Signing = true
>>>>> SAML2 Web SSO User Id Location = false
>>>>> Identity Provider Entity Id = exostar IDP
>>>>> HTTP Binding = redirect
>>>>> Service Provider Entity Id = firecrest IS
>>>>>
>>>>> Then I have a federated authenticator configured for the service
>>>>> provider to allow a user to login via the secondary IDP.
>>>>>
>>>>> Configuration of resident identity provider in secondary IS
>>>>> ============================================
>>>>> Home Realm Identifier = validation-testing.firecrestclinical.com
>>>>> Identity Provider ID = https://validation-testing.firecrestclinical.com/idp/fcp
>>>>> SSO URL = https://validation-testing.firecrestclinical.com:443/samlsso
>>>>> Logout URL = https://validation-testing.firecrestclinical.com:443/samlsso
>>>>>
>>>>> Configuration of service provider in secondary IS
>>>>> =====================================
>>>>> Service Provider Name = firecrest_idp
>>>>> Assertion Consumer URL = https://automated-testing.firecrestclinical.com/commonauth
>>>>> Enable Response Signing = true
>>>>> Enable Assertion Signing = true
>>>>> Enable Assertion Encryption = true
>>>>> Enable Signature Validation in Authentication Requests and Logout Requests = true
>>>>> Enable Single Logout = true (no custom URL provided)
>>>>> Enable Attribute Profile = true
>>>>> Include Attributes = true
>>>>> Enable Idp Initiated SSO/SLO = true
>>>>>
>>>>> Thanks,
>>>>> //John.
>>>>>
>>>>> On Sun, Nov 15, 2015 at 11:11 AM, Chamara Philips <chama...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi John Lee,
>>>>>>
>>>>>> I tried exactly the same way as yours with the IS 5.0.0 service pack.
>>>>>> I don't get such an error. Can you please provide the configurations of
>>>>>> the Identity Provider in the primary? Better if you can provide the log in
>>>>>> the primary at the same-time.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Fri, Nov 13, 2015 at 9:41 PM, John Lee <jhn134...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I have a primary and secondary IS configuration same as
>>>>>>> https://docs.wso2.com/display/IS500/Connecting+Two+Identity+Servers+with+SAML+SSO
>>>>>>> .
>>>>>>> I login via secondary IDP. Then I issue IDP initiated logout.
A >>>>>>> logout request is then sent from the primary to the secondary, but then >>>>>>> the >>>>>>> secondary logs the following error: >>>>>>> >>>>>>> TID: [0] [IS] [2015-11-13 12:56:56,011] DEBUG >>>>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - >>>>>>> Query >>>>>>> string : >>>>>>> SAMLRequest=nZJfT8MgFMXf%2FRSE9279Y91G1k6TxaSJzsROH3yjFDqUQuWyZX57S%2Bfm9MEHXwhczj05%2FC7zxb5VaMctSKMzHI1CjLhmppa6yfDT%2BjaY4kV%2BMQfaqrgjd6YxW%2FfI37ccHFr2i9TUDa0b5zog4%2FGOKlkPtcAN981ISMuZ7Q9MSS0ZVSNm2rG3BDAYFcsMq7rrRKuaTjVC6uptI0TFuN6YttnU7FVWVSOp1G2vBtjyQoOj2mU4DqM0iKIgStZRTNIrkiSjy0n0gtHKuAf9YG%2BE4%2FanLiFh9K175BR8%2FrJPqjg6vBCj5yOS2CPpIWkgBwgZ3lpNDAUJRNOWA3GMlDf3d6SXks4aZ5hROD8wI0Nee%2B7wtwEF4Nbjw%2FmJGyrK%2Bfjc7mi%2B6tuLJbo1tqXub19fkXUgBinh2kn3gf8Vy481Tq8F8xs%2FymO2Q5r8%2BFlKDh5hoWu%2Bz0VazcI0ZMEsjKfBJetnUcUsCcSMT2pWx9NZGH75%2FOo8VX98vvwT&RelayState=fa32a09d-718b-4342-8eb0-11f6ba8a0074&SigAlg=http%3A%2F% >>>>>>> 2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=QwEOj%2BQoPXAJscKV9%2BEVcvR%2FqzGr7IPs%2FlTsMIIK8PP0mCDGOKgwVZ96zVv2jZtYyhjMIzVvQRx8x6kJG6RNtrnkbfakHtMJE6WuB8I9IX%2B6cGoJ47RBh79WxjN8EVjOpn9BX%2BGIXdK5ds8ZkP9KGQ80Nj3BfHxHlbhJ4QKSSOwtBrlZm7oPFQjpEuMHHHnLihaaQbSLrLk%2FdwfMHgfdqxayU9nJs31Ay1lT4fiIuCM2WDZc%2BBd4m0Lc8fdGgOYgEUoIby511pRck17Za6x%2B8x2bQgNLhilmcx >>>>>>> i5aEvZPx66FD799Fzxz3qIFOBr%2FDw%2Fieq3emGMWbx%2FQRLuAPfOSQ%3D%3D >>>>>>> {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} >>>>>>> >>>>>>> TID: [0] [IS] [2015-11-13 12:56:56,012] DEBUG >>>>>>> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message >>>>>>> <?xml version="1.0" encoding="UTF-8"?> >>>>>>> <saml2p:LogoutRequest Destination= >>>>>>> "https://validation-testing.firecrestclinical.com/samlsso" >>>>>>> <https://validation-testing.firecrestclinical.com/samlsso> >>>>>>> ID="ldppfmlgplgfinbkhffbcenhomghdcjibbgiainm" >>>>>>> IssueInstant="2015-11-13T12:56:33.471Z" >>>>>>> NotOnOrAfter="2015-11-13T13:01:33.471Z" Reason="Single Logout" 
>>>>>>> Version="2.0"
>>>>>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer
>>>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">firecrest
>>>>>>> IS</saml2:Issuer><saml2:NameID
>>>>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>>>>>>> tes...@fctest.com</saml2:NameID><saml2p:SessionIndex>f5b9050c-9028-4c11-b2c3-f9e7dcd28900</saml2p:SessionIndex></saml2p:LogoutRequest>
>>>>>>> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
>>>>>>>
>>>>>>> TID: [0] [IS] [2015-11-13 12:58:43,668] ERROR
>>>>>>> {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor} -
>>>>>>> Session index value not found in the request
>>>>>>> {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor}
>>>>>>>
>>>>>>> You can see the session index in the message so why does the
>>>>>>> LogoutRequestProcessor say the session was not found in the request?
>>>>>>> After downloading the source and attempting to debug I cannot find
>>>>>>> the corresponding source code for the LogoutRequestProcessor log
>>>>>>> message?
>>>>>>> Do you have any ideas on this problem?
>>>>>>>
>>>>>>> Also worth mentioning that when receiving the Logout request,
>>>>>>> the SAML2 token Id is null when trying to read the cookie from request.
>>>>>>> However, this cookie was in my browser when logging out?
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Hareendra Chamara Philips
>>>>>> *Software Engineer*
>>>>>> Mobile : +94 (0) 767 184161
>>>>>> chama...@wso2.com
>>>>>>
>>>>>
>>>>
>>>> --
>>>> Hareendra Chamara Philips
>>>> *Software Engineer*
>>>> Mobile : +94 (0) 767 184161
>>>> chama...@wso2.com
>>>>
>>>
>>> --
>>> Hareendra Chamara Philips
>>> *Software Engineer*
>>> Mobile : +94 (0) 767 184161
>>> chama...@wso2.com
>>>
>>
>

--
Hareendra Chamara Philips
*Software Engineer*
Mobile : +94 (0) 767 184161
chama...@wso2.com
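
Added example, not part of the original thread and not WSO2 code: decoding the `SAMLRequest` query parameter of an HTTP-Redirect logout request offline shows whether the message itself carries a `SessionIndex`, which separates a malformed request from a server-side session lookup failure. The function names and the sample request are constructed for illustration; the signature is reported but not verified.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2p": SAML2P, "saml2": SAML2}
MAX_XML_BYTES = 64 * 1024  # cap on inflated size (guards against deflate bombs)


def inflate_saml_request(b64_value):
    """Base64-decode and raw-inflate one redirect-binding SAMLRequest value."""
    inflater = zlib.decompressobj(wbits=-15)  # raw DEFLATE, no zlib header
    xml = inflater.decompress(base64.b64decode(b64_value, validate=True), MAX_XML_BYTES)
    if not inflater.eof:
        raise ValueError("SAMLRequest is truncated or exceeds the size cap")
    return xml


def parse_logout_request(query_string):
    """Return the single-logout fields carried by a /samlsso query string."""
    params = parse_qs(query_string, strict_parsing=True)
    xml = inflate_saml_request(params["SAMLRequest"][0])
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("SAML message containing a DTD rejected")
    root = ET.fromstring(xml)
    if root.tag != "{%s}LogoutRequest" % SAML2P:
        raise ValueError("not a LogoutRequest: " + root.tag)
    return {
        "destination": (root.get("Destination") or "").strip(),
        "issuer": root.findtext("saml2:Issuer", namespaces=NS),
        "name_id": root.findtext("saml2:NameID", namespaces=NS),
        "session_indexes": [e.text for e in root.findall("saml2p:SessionIndex", NS)],
        # Presence only: the signature itself is NOT verified here.
        "sig_alg": params.get("SigAlg", [None])[0] if "Signature" in params else None,
    }


def diagnose(fields):
    """Turn parsed fields into findings for a failed-logout investigation."""
    findings = ["SessionIndex present in request" if fields["session_indexes"]
                else "no SessionIndex in request"]
    if fields["sig_alg"] is None:
        findings.append("request is unsigned")
    elif fields["sig_alg"].endswith("#rsa-sha1"):
        findings.append("SigAlg is SHA-1 based")
    return findings


def build_sample_query(with_session_index=True):
    """Constructed sample shaped like the LogoutRequest in the thread's logs."""
    session = ("<saml2p:SessionIndex>00000000-0000-4000-8000-000000000001"
               "</saml2p:SessionIndex>") if with_session_index else ""
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<saml2p:LogoutRequest Destination="https://idp.example.test/samlsso" '
           'ID="constructedid0001" IssueInstant="2015-11-16T09:49:53.938Z" '
           'Reason="Single Logout" Version="2.0" xmlns:saml2p="%s">'
           '<saml2:Issuer xmlns:saml2="%s">sample-sp</saml2:Issuer>'
           '<saml2:NameID xmlns:saml2="%s">user@example.test</saml2:NameID>'
           '%s</saml2p:LogoutRequest>') % (SAML2P, SAML2, SAML2, session)
    deflater = zlib.compressobj(wbits=-15)
    blob = deflater.compress(xml.encode()) + deflater.flush()
    return "&".join([
        "SAMLRequest=" + quote(base64.b64encode(blob).decode(), safe=""),
        "RelayState=constructed-relay-state",
        "SigAlg=" + quote("http://www.w3.org/2000/09/xmldsig#rsa-sha1", safe=""),
        "Signature=" + quote("Y29uc3RydWN0ZWQ=", safe=""),
    ])


if __name__ == "__main__":
    for finding in diagnose(parse_logout_request(build_sample_query())):
        print(finding)
```

To use it on a real capture, pass `parse_logout_request` the text that `SAMLSSOProviderServlet` logs after `Query string :`, with the mail client's line wraps and quote markers removed first.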