From: Krzysztof B. <kb...@un...> - 2019-11-08 08:45:09
Hi Shiraz,

On 06.11.2019 at 13:00, Shiraz Memon wrote:
> Hi Krzysztof,
>
> I have configured an SP, which is based on Shibboleth. I can
> successfully sign in but unfortunately I cannot log out (SLO). Below
> are the SLO request and response messages from the SP and Unity
> respectively, and also the SP configuration in Unity.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:LogoutRequest
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     Destination="https://unity.eudat-aai.fz-juelich.de/saml-idp/SLO-WEB"
>     ID="_56f68d31d948b0ccc241c0efe0697d36"
>     IssueInstant="2019-11-06T11:17:58Z"
>     Version="2.0">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.ggus.eu/EOSC-hub/secure</saml:Issuer>
>   <samlp:Extensions>
>     <aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/>
>   </samlp:Extensions>
>   <saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>         Type="http://www.w3.org/2001/04/xmlenc#Element">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <xenc:EncryptedKey>
>           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>           <xenc:CipherData>
>             <xenc:CipherValue>S/GMplTHJ2N0vbOVMhyUK8bBTNriupFbp12wwnvUmioEjx5xpBhYGYgEF5IQChVm66GdgIJ8czAk
> RX1HbwqOGUktGocmR+Fcxq9wn5OSrQ4i/mj4kIF+aqlh8+bir2gua5XLd16DPn61CM3bUv2HWfNK
> P0IAO3D77ezdJ+DR4jZ5wEfqZE3+OFplfMyzc2s7w4iswSs/cs/3fXJzkSFKGUP32P50izi4HxBg
> eN7F7knsFHiD8P0b62btMOUQCHHG6LG9U7Esfjwe+uO88wJEmge295FQWRwJHvrbO8O7rEwnDu8+
> 1d1/Vnb0OT5lvM0E8sC/LYUKpO62DHjUvVI60BQ2/6NJPVsTjV4CEp77nQK7aR6dmJaVxlFJ2EZw
> cD3s49RPazXpATvAPLrg/0t2lLFIB/Z5g8AX+5FqBn1vkqrYpKQoBdnTjO/j5LGYbs8q9s2/HlP9
> 4Mf9iCW9YOCV1Q8KOLAvgLHJWKCVHNQQARTIHHN2ocX2jNWiWf0zaG/1sEW8KP6uOyoLpnTQ9YB6
> I81yndVV+YXVWQYLk7wrUB2KPXVHCEshjmHzwJxhvWvIQYrvpBuLOLfAjShNpFsHyn/yCBBs5LdE
> RlDAdcKkikAQO5MkJjcLSkY0Jh3C5PAJ+jPhjZ5Lv9z1+VuJabb9lpLCNAI8Lx0dYJ7LbExv8Gw=</xenc:CipherValue>
>           </xenc:CipherData>
>         </xenc:EncryptedKey>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>uwTdWX75kV+KaSwdLSY0miFxW7oaIEqIpUF9LTZgYEsgHzh6lQeJs0trR9CzTF6+b8/+j8mpCCkF
> 6BsHJcikJRZySAo2THBfZlTk1FIcOXgOMW6U2k3loUSxr6JT1mXFXXCBkUeraP38JJ62Yg9GMGFd
> DYKNtbTI2fuK6Z8TwBwK/lDeJ+atIOcnTT8AKBYXpo0Ni/s+0XivyecXPKdkYIRSh34u9nZ2DVr0
> ENrgpmXR1X+hctYU7NeRgEFjQjCf</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </saml:EncryptedID>
>   <samlp:SessionIndex>SAMLY2lib_assert_fd9a89a3fa593431e7c87fc61266a55d5b3b64d8ea7f6bc3</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <urn:LogoutResponse
>     xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"
>     IssueInstant="2019-11-06T11:33:04.725Z"
>     ID="SAMLY2lib_msg_64b9f960635a040fc79f7707675d67b026020087543ab8f8"
>     Version="2.0"
>     InResponseTo="_4d31d3d8048d719329c6c5f43c35fb39">
>   <urn1:Issuer xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion" Format="">https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata</urn1:Issuer>
>   <urn:Status>
>     <urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
>     <urn:StatusMessage>Logged out entity name must be present in SLO request and only NameID is supported</urn:StatusMessage>
>   </urn:Status>
> </urn:LogoutResponse>

Looks like some incompatibility in what is sent to Unity in the logout request as the subject to be logged out. I can't say more as the request is encrypted. If you enable trace logging you should be able to see the decrypted message in the log, then we can say more.

Looks like the subject (i.e. the one to be logged out) is provided to Unity in some unsupported way. I suppose this was not working with older Unity versions too, right? And even if it was, most likely the triggering is on the client side.

Best,
Krzysztof
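The rule that Unity's LogoutResponse states (the principal must be carried as a plain NameID, so a request with an EncryptedID is answered with a Requester status) can be checked offline on the SP's own messages before touching the IdP logs. The following is an added example, not code from Unity, Shibboleth or this thread; the two requests it parses are constructed with dummy identifiers and ciphertext, and status_for models only the rule quoted in the response above, not Unity's full SLO processing.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "aslo": "urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"}
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def inspect_logout_request(xml_text):
    """Summarise how a samlp:LogoutRequest identifies the principal to log out."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    subject_form, name_id = "missing", None
    for form in ("NameID", "EncryptedID", "BaseID"):  # the forms SAML 2.0 allows
        el = root.find("saml:" + form, NS)
        if el is not None:
            subject_form = form
            if form == "NameID":  # readable without the IdP's decryption key
                name_id = (el.text or "").strip()
            break
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else None,
        "subject_form": subject_form,
        "name_id": name_id,
        "session_index": [s.text for s in root.findall("samlp:SessionIndex", NS)],
        "asynchronous": root.find("samlp:Extensions/aslo:Asynchronous", NS) is not None,
    }


def status_for(info):
    """Status an IdP that accepts only a plain NameID (the rule Unity reported) returns."""
    return STATUS_SUCCESS if info["subject_form"] == "NameID" else STATUS_REQUESTER


# Constructed samples: same shape as the thread's request, dummy IDs and ciphertext.
_HEAD = ('<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
         'IssueInstant="2019-11-06T11:17:58Z"><saml:Issuer>https://sp.example/secure'
         '</saml:Issuer><samlp:Extensions><aslo:Asynchronous xmlns:aslo="%s"/>'
         '</samlp:Extensions>') % (NS["samlp"], NS["saml"], NS["aslo"])
_TAIL = '<samlp:SessionIndex>sess-1</samlp:SessionIndex></samlp:LogoutRequest>'
ENCRYPTED_ID_REQUEST = _HEAD + (
    '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>RFVNTVk=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedID>') + _TAIL
NAME_ID_REQUEST = _HEAD + (
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    'user-1234</saml:NameID>') + _TAIL
```

Running inspect_logout_request on the SP's decrypted trace output (or on the raw request, as here) shows directly whether the subject arrives as NameID or EncryptedID, which is the distinction the Requester status turns on.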