SLO - The request cannot be fulfilled because the message received does not meet the security...


seanrco
Hi,

We are currently using ComponentSpace on a Service Provider (SP) web application. The client Identity Provider (IdP) in this case is running Shibboleth. SSO is working fine, but when trying to request SLO we are getting the following error message response:


Web Login Service - Message Security Error
The request cannot be fulfilled because the message received does not meet the security requirements of the login service.


We currently have the SAML config PartnerIdentityProviders configured as follows (renamed some entries for privacy):


<PartnerIdentityProviders>
  <PartnerIdentityProvider
    Name="idp_name"
    SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    PartnerCertificateFile="_________.cer"
    SingleLogoutServiceUrl="https://www.idp.domain/idp/profile/SAML2/POST/SLO"
    SingleSignOnServiceUrl="https://www.idp.domain/idp/profile/SAML2/POST/SSO" />
</PartnerIdentityProviders>


I've attached the following logs for additional information:

-- Logout_Post = Post made by our SP to IdP SLO.
-- Logout_Response = Response back from IdP SLO.
-- slo-error = Shibboleth IdP log provided by client with responses.

Not sure what we should troubleshoot from here? Thanks in advance for the help!

EDIT: Removed original log attachments from topic after resolution for privacy.

ComponentSpace
Normally Shibboleth expects the logout messages to be signed. To do so, please add the following to your <PartnerIdentityProvider> configuration:

 SignLogoutRequest="true"
 SignLogoutResponse="true"

This also requires that you configure a local certificate/private key (eg PFX file) as part of your <ServiceProvider> configuration. The private key is used to sign the logout messages. Shibboleth will need to be configured with the certificate so it can verify the signatures.  

Regards
ComponentSpace Development
seanrco
ComponentSpace - 10/6/2020
Normally Shibboleth expects the logout messages to be signed. To do so, please add the following to your <PartnerIdentityProvider> configuration:

 SignLogoutRequest="true"
 SignLogoutResponse="true"

This also requires that you configure a local certificate/private key (eg PFX file) as part of your <ServiceProvider> configuration. The private key is used to sign the logout messages. Shibboleth will need to be configured with the certificate so it can verify the signatures.  

Adding SignLogoutRequest="true" & SignLogoutResponse="true" to our <PartnerIdentityProvider> configuration appears to have resolved the issue!  Local certificate/private key was already in place so did not have to worry about that. Thanks for the great support and assistance!
ComponentSpace
You're very welcome. Thanks for the update.

Regards
ComponentSpace Development
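
A quick way to confirm the diagnosis reached in this thread, as an added example that is not part of the original posts and is not ComponentSpace code: decode the SAMLRequest form value the SP posts to the IdP's SLO endpoint and check whether it carries an enveloped XML signature. The function name `inspect_post_message`, the `sp.example` issuer and both sample messages are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_post_message(form_value):
    """Decode a SAMLRequest/SAMLResponse form field sent with the HTTP-POST
    binding and report whether it carries an enveloped XML signature.
    Presence check only; the signature is NOT cryptographically verified."""
    # HTTP-POST binding: plain base64 (no DEFLATE, unlike HTTP-Redirect).
    # Run this on messages captured from your own SP; for untrusted XML use
    # a hardened parser such as defusedxml.
    root = ET.fromstring(base64.b64decode(form_value))
    issuer = root.find("saml:Issuer", NS)
    sig = root.find("ds:Signature", NS)  # direct child of the message element
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    return {
        "type": root.tag.split("}")[-1],
        "issuer": issuer.text if issuer is not None else None,
        "signed": sig is not None,
        # An enveloped signature should reference the message's own ID.
        "covers_message": ref is not None and ref.get("URI") == "#" + root.get("ID", ""),
    }

# Constructed sample messages (not taken from the thread's removed logs).
_UNSIGNED_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-10-06T00:00:00Z" '
    'Destination="https://www.idp.domain/idp/profile/SAML2/POST/SLO">'
    '<saml:Issuer>https://sp.example/</saml:Issuer>'
    '<saml:NameID>user@sp.example</saml:NameID></samlp:LogoutRequest>'
)
_SIGNED_XML = _UNSIGNED_XML.replace(
    "</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:Reference URI="#_constructed1"/></ds:SignedInfo>'
    '<ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>',
)
UNSIGNED = base64.b64encode(_UNSIGNED_XML.encode()).decode()
SIGNED = base64.b64encode(_SIGNED_XML.encode()).decode()

if __name__ == "__main__":
    for label, value in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, inspect_post_message(value))
```

A result of `"signed": False` for the SP's logout POST matches the situation before SignLogoutRequest="true" was added; whether the IdP accepts a signed message still depends on it holding the SP's certificate.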