Question

When sending a SAML LogoutRequest to an ADFS IdP I am getting this error on the ADFS side:

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7054: The SAML logout did not complete properly. at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage) at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SamlLogout()

The message is in accordance with the SAML standards and it is signed.

What do I have to look for?


Solution

I have finally got a more detailed log from our partner. The problem was the missing certificate in the Signing tab of our Relying Party on the partner's ADFS server. The problem could also be missing permissions on the private key of the mentioned certificate for the process running ADFS in IIS (most probably NETWORK SERVICE). SLO is now working properly.

The Federation Service encountered an error while processing the SAML authentication request.

Additional Data

Exception details:

Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Logout(LogoutRequest logoutRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
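The two causes the answer names can be checked on the AD FS server with the AD FS PowerShell module. The script below is an added diagnostic, not code from the question, the answer or Microsoft: check 1 verifies that the Relying Party trust lists the SP's signing certificate (the ID4037 "key could not be resolved" case), and check 2 verifies that the AD FS service account has Read access to the private key of the primary token-signing certificate (the "cannot sign the LogoutResponse" case). $RelyingPartyName and $SpSigningCertPath are placeholders; the script assumes a current AD FS where signing happens in the adfssrv service and the token-signing key is a CSP key in LocalMachine\My (on AD FS 2.0 on IIS, check the application pool identity instead).

```powershell
# Added diagnostic for MSIS7054 / ID4037 on signed LogoutRequests (not from the original post).
# Placeholders (assumptions): the RP trust name and a file export of the SP's signing cert.
param(
    [string]$RelyingPartyName  = 'REPLACE-WITH-RP-TRUST-NAME',
    [string]$SpSigningCertPath = 'C:\temp\sp-signing.cer'
)

Import-Module ADFS -ErrorAction Stop

# --- Check 1: is the SP's signing certificate on the trust's Signing tab? ----------------
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying Party trust '$RelyingPartyName' not found." }

$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SpSigningCertPath
$configured = @($rp.RequestSigningCertificate) | Where-Object { $_ -and $_.Thumbprint -eq $spCert.Thumbprint }

if ($configured) {
    Write-Host "OK: trust '$RelyingPartyName' lists SP signing cert $($spCert.Thumbprint)."
} else {
    Write-Warning "Trust '$RelyingPartyName' does not list SP signing cert $($spCert.Thumbprint); a LogoutRequest signed with it fails with ID4037."
    Write-Host "Fix: Set-AdfsRelyingPartyTrust -TargetName '$RelyingPartyName' -RequestSigningCertificate `$spCert"
}

# A configured but expired request-signing certificate produces the same symptom.
foreach ($c in @($rp.RequestSigningCertificate)) {
    if ($c -and $c.NotAfter -lt (Get-Date)) {
        Write-Warning "Configured request-signing cert $($c.Thumbprint) expired on $($c.NotAfter)."
    }
}

# --- Check 2: can the service account read the token-signing private key? --------------
# Assumption: adfssrv signs the LogoutResponse and its primary token-signing cert is a
# CSP key in LocalMachine\My (e.g. a cert you imported). Auto-generated AD FS certs are
# stored differently and are reported, not checked.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$svcSid     = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$primary    = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert       = Get-Item ("Cert:\LocalMachine\My\" + $primary.Thumbprint) -ErrorAction SilentlyContinue

if ($cert -and $cert.HasPrivateKey -and $cert.PrivateKey) {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    $hasRead   = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $svcSid -and
        $_.FileSystemRights -match 'Read|FullControl'
    }
    if ($hasRead) {
        Write-Host "OK: $svcAccount can read the private key of $($cert.Thumbprint)."
    } else {
        Write-Warning "$svcAccount has no Read right on the private key of $($cert.Thumbprint); AD FS cannot sign the LogoutResponse."
        Write-Host "Fix: certlm.msc -> certificate -> Manage Private Keys -> grant Read to $svcAccount."
    }
} else {
    Write-Host "Token-signing cert $($primary.Thumbprint) has no CSP private key in LocalMachine\My; check the ACL where AD FS stores it."
}
```

Run it in an elevated AD FS PowerShell session. Check 1 compares thumbprints, so it also catches the common case where the SP rotated its signing certificate and the trust still holds the old one; check 2 is the private-key permission problem the answer mentions, which surfaces as MSIS7054 rather than ID4037 because the LogoutRequest verifies but the LogoutResponse cannot be signed.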

Licensed under: CC-BY-SA with attribution