Centrify & Azure as IDP does not return LogoutResponse on Single Log Out


I'm trying to connect a SAML capable App as SP to Microsoft Azure and Centrify as IDP. SSO (Single Sign On) works as it should but I have some problems to accomplish a complete Single Logout Process.

When the user clicks on the logout button inside of the SP a (valid) logout request is sent to the IDP. The IDP session is terminated as expected but the browser is not redirected to the SP to complete the logout process. It seems as if the LogoutResponse is completely missing.


UPDATE regarding Centrify
As Nick Gamb from Centrify stated (see his answer below) at this moment Centrify does not support this feature but will implement it in the future.



UPDATE regarding Azure
You have to provide a 'wreply' parameter - containing the url-encoded URL of the site the user should be redirected to after logout - with the logout request: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0&wreply=https%3A%2F%2Fmyapp.landingpage.com%2F&SAMLRequest=...

If you are using the Onelogin PHP Toolkit, then you also have to enable the 'retrieveParametersFromServer' setting, otherwise the logout response will always end up with a 'Signature validation failed. Logout Request rejected' error.


Following are the SAML requests/responses (I have allowed myself to strip out the certificate information ...):

Centrify // Login Request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="ONELOGIN_17b5cbaaa30c8a9edca9935a320b0de3a4088fcc"
                Version="2.0"
                ProviderName="MYAPP"
                IssueInstant="2017-01-27T12:08:52Z"
                Destination="https://aap1234.my.centrify.com/applogin/appKey/1234567-1234-1234-1234-123456789/customerId/ABC0123"
                ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                AssertionConsumerServiceURL="https://myapp.com/acs"
                >
<saml:Issuer>https://myapp.com/metadata</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                    AllowCreate="true"
                    />
<samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Centrify // Login Response

<saml2p:Response ID="_7367bcc4-f4a1-4bf0-b845-ecaf0e7d6b86"
             InResponseTo="ONELOGIN_17b5cbaaa30c8a9edca9935a320b0de3a4088fcc"
             Version="2.0"
             IssueInstant="2017-01-27T12:08:53.978Z"
             Destination="https://myapp.com/acs"
             xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
             >
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://aap1234.my.centrify.com/1234567-1234-1234-1234-123456789</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#_7367bcc4-f4a1-4bf0-b845-ecaf0e7d6b86">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>EpN1bP9vKhLUUpyr0Hfnb3lM6gA=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>...</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>
<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<Assertion Version="2.0"
           ID="_71ccde7d-6a7b-4b79-a6ed-1f8465b7a835"
           IssueInstant="2017-01-27T12:08:53.869Z"
           xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
           >
    <Issuer>https://aap1234.my.centrify.com/1234567-1234-1234-1234-123456789</Issuer>
    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">[email protected]</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData NotOnOrAfter="2017-01-27T13:08:53.869Z"
                                     Recipient="https://myapp.com/acs"
                                     InResponseTo="ONELOGIN_17b5cbaaa30c8a9edca9935a320b0de3a4088fcc"
                                     />
        </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-01-27T12:05:53.869Z"
                NotOnOrAfter="2017-01-27T13:08:53.869Z"
                >
        <AudienceRestriction>
            <Audience>https://myapp.com/metadata</Audience>
        </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-01-27T12:08:53.869Z"
                    SessionIndex="_71ccde7d-6a7b-4b79-a6ed-1f8465b7a835"
                    >
        <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthnContextClassRef>
        </AuthnContext>
    </AuthnStatement>
    <AttributeStatement>
        <Attribute Name="firstname"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                   >
            <AttributeValue>Firstname</AttributeValue>
        </Attribute>
        <Attribute Name="lastname"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                   >
            <AttributeValue>Lastname</AttributeValue>
        </Attribute>
        <Attribute Name="emailaddress"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                   >
            <AttributeValue>[email protected]</AttributeValue>
        </Attribute>
        <Attribute Name="groups"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                   >
            <AttributeValue>group1,group2</AttributeValue>
        </Attribute>
    </AttributeStatement>
</Assertion>
</saml2p:Response>

Centrify // Logout Request

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="ONELOGIN_dc16bcf1e9a5de948d336fbca93d4a5718b56f3d"
                 Version="2.0"
                 IssueInstant="2017-01-27T12:10:12Z"
                 Destination="https://aap1234.my.centrify.com/applogout"
                 >
<saml:Issuer>https://myapp.com/metadata</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<samlp:SessionIndex>_71ccde7d-6a7b-4b79-a6ed-1f8465b7a835</samlp:SessionIndex>
</samlp:LogoutRequest>

Microsoft Azure // Login Request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="ONELOGIN_40becfa9c4dc2697c9778b7b598399fbc55cef98"
                Version="2.0"
                ProviderName="MYAPP"
                IssueInstant="2017-01-27T12:31:26Z"
                Destination="https://login.microsoftonline.com/1234567-1234-1234-1234-123456789/saml2"
                ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                AssertionConsumerServiceURL="https://myapp.com/acs"
                >
<saml:Issuer>https://myapp.com/metadata</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                    AllowCreate="true"
                    />
<samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Microsoft Azure // Login Response

<samlp:Response ID="_4221c6ce-51b5-48df-b33e-5c601bbc22ad"
            Version="2.0"
            IssueInstant="2017-01-27T12:31:27.170Z"
            Destination="https://myapp.com/acs"
            InResponseTo="ONELOGIN_40becfa9c4dc2697c9778b7b598399fbc55cef98"
            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            >
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/1234567-1234-1234-1234-123456789/</Issuer>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_ad52e38a-5f8f-4a60-9b3b-d904afd9b82e"
           IssueInstant="2017-01-27T12:31:27.170Z"
           Version="2.0"
           xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
           >
    <Issuer>https://sts.windows.net/1234567-1234-1234-1234-123456789/</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_ad52e38a-5f8f-4a60-9b3b-d904afd9b82e">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>mv1wKPg7iHLzZ5cNnu8oYX0/YvZqGsxKHsUc0umZVYw=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
                <X509Certificate>...</X509Certificate>
            </X509Data>
        </KeyInfo>
    </ds:Signature>
    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jMPrg5XmAUzfnoCKSAXJGJMDZ8Hdj_bRU2YY6-Ozugg</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="ONELOGIN_40becfa9c4dc2697c9778b7b598399fbc55cef98"
                                     NotOnOrAfter="2017-01-27T12:36:27.170Z"
                                     Recipient="https://myapp.com/acs"
                                     />
        </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-01-27T12:26:27.154Z"
                NotOnOrAfter="2017-01-27T13:26:27.154Z"
                >
        <AudienceRestriction>
            <Audience>https://myapp.com/metadata</Audience>
        </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
            <AttributeValue>1234567-1234-1234-1234-123456789</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
            <AttributeValue>12345-123-123-1234-12345678</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
            <AttributeValue>live.com</AttributeValue>
        </Attribute>
        <Attribute Name="firstname">
            <AttributeValue>Firstname</AttributeValue>
        </Attribute>
        <Attribute Name="lastname">
            <AttributeValue>Lastname</AttributeValue>
        </Attribute>
        <Attribute Name="emailaddress">
            <AttributeValue>[email protected]</AttributeValue>
        </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2017-01-27T11:09:28.000Z"
                    SessionIndex="_ad52e38a-5f8f-4a60-9b3b-d904afd9b82e"
                    >
        <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
        </AuthnContext>
    </AuthnStatement>
</Assertion>
</samlp:Response>

Microsoft Azure // Logout Request

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="ONELOGIN_a90edfe3da4eb07dd1e2a52df7d4cb5385cbd6c8"
                 Version="2.0"
                 IssueInstant="2017-01-27T12:32:05Z"
                 Destination="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
                 >
<saml:Issuer>https://myapp.com/metadata</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jMPrg5XmAUzfnoCKSAXJGJMDZ8Hdj_bRU2YY6-Ozugg</saml:NameID>
<samlp:SessionIndex>_ad52e38a-5f8f-4a60-9b3b-d904afd9b82e</samlp:SessionIndex>
</samlp:LogoutRequest>

The signout request is sent with additional GET parameters:
RelayState <= pointing to the Single Logout URL of the SP
wa <= set to "wsignout1.0"

I tested the SP configuration against a third IDP (Onelogin) and here the SP initiated logout works as expected. The user is logged out of the IDP session and then redirected with a LogoutResponse to the SP. The only difference here is that I'm able to set the SP Logout URL explicitly in the Onelogin App configuration.

Is there any option to define the SP logout URL inside Azure or Centrify? Am I missing anything?

Thanks!


There are 2 answers

Answer by highbelt (accepted answer)

As already mentioned in my updated question:

If you are using Centrify

As Nick Gamb from Centrify stated (see his answer above) at this moment Centrify does not support this feature but will implement it in the future.

If you are using Microsoft Azure

You have to provide a 'wreply' parameter - containing the url-encoded URL of the site the user should be redirected to after logout - with the logout request: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0&wreply=https%3A%2F%2Fmyapp.landingpage.com%2F&SAMLRequest=...

If you are using the Onelogin PHP Toolkit, then you also have to enable the 'retrieveParametersFromServer' setting, otherwise the logout response will always end up with a 'Signature validation failed. Logout Request rejected' error.
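The Azure part of this answer (and the same update in the question above), worked through as an added Python example that is not code from the question, the answers or the Onelogin toolkit: it builds the wsignout1.0 redirect with wreply next to SAMLRequest and RelayState, and shows why a redirect-binding signature check fails when the SP percent-decodes and re-encodes the parameters instead of verifying the raw query string as the web server received it (which is what the retrieveParametersFromServer setting makes the toolkit do). The SP URLs, the LogoutRequest body and the IdP's redirect query string are constructed sample values.

```python
import base64
import zlib
from urllib.parse import parse_qsl, urlencode

SIGNOUT_ENDPOINT = "https://login.microsoftonline.com/common/wsfederation"

def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def inflate_b64(value: str) -> str:  # inverse of deflate_b64, for checking the round trip
    return zlib.decompress(base64.b64decode(value), -15).decode()

def build_azure_logout_url(logout_request_xml: str, sp_sls_url: str, landing_page: str) -> str:
    """SP-initiated logout toward Azure: besides SAMLRequest and RelayState, the request
    carries wa=wsignout1.0 and wreply, the (url-encoded) page Azure should send the
    browser to once the IdP session is gone. urlencode() does the percent-encoding."""
    params = [("wa", "wsignout1.0"), ("wreply", landing_page),
              ("SAMLRequest", deflate_b64(logout_request_xml)), ("RelayState", sp_sls_url)]
    return SIGNOUT_ENDPOINT + "?" + urlencode(params)

def signed_data_from_raw_query(query: str) -> str:
    """The bytes a redirect-binding signature covers: SAMLResponse, RelayState (if sent)
    and SigAlg exactly as they appear on the wire, in that order."""
    raw = dict(p.split("=", 1) for p in query.split("&"))
    names = [n for n in ("SAMLResponse", "RelayState", "SigAlg") if n in raw]
    return "&".join(n + "=" + raw[n] for n in names)

def signed_data_rebuilt(query: str) -> str:
    """What an SP checks against if it percent-decodes the parameters (as a web
    framework's GET array already did) and re-encodes them itself."""
    decoded = dict(parse_qsl(query))
    names = [n for n in ("SAMLResponse", "RelayState", "SigAlg") if n in decoded]
    return urlencode([(n, decoded[n]) for n in names])

# Constructed LogoutResponse redirect query as an IdP might send it: this IdP used
# lowercase hex escapes, and the SAMLResponse/Signature values are placeholders.
IDP_REDIRECT_QUERY = ("SAMLResponse=ZXhhbXBsZQ%3d%3d"
                      "&RelayState=https%3a%2f%2fmyapp.com%2fsls"
                      "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
                      "&Signature=PLACEHOLDER")

def rebuild_changes_signed_bytes(query: str) -> bool:
    """True when decode-then-re-encode yields different bytes from what the IdP signed
    even though every parameter value is identical: the signature check then fails."""
    raw, rebuilt = signed_data_from_raw_query(query), signed_data_rebuilt(query)
    return dict(parse_qsl(raw)) == dict(parse_qsl(rebuilt)) and raw != rebuilt
```

Verifying over the raw query string removes the dependency on both sides agreeing on percent-encoding details; the check is then done against exactly the bytes the IdP signed.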

Answer by Nick Gamb

Thank you for submitting your question. This has been a common question as of late. The short answer is that Centrify does not support SAML single sign out at this time. The logout URL from the SAML app in Centrify is simply a logout request to the IDP. The user is always just redirected to the Centrify login page after. There is no SAML support in it, thus no response.

The good news is that this feature is currently being addressed and should be released in a future build of the product to full SAML spec. Until that time, I have a possible solution for you to consider.

If you have the ability to modify your web application, specifically how it makes the logout call, you can set the logic up to make the logout call to the logout URL as an API call rather than a redirect. You will need to make the call to the logout URL from the site's JavaScript so that the user's session cookie is passed in the API call, as opposed to making it from server code. In doing this, you log the user out of Centrify but then you can redirect them to any page that you wish them to end up on (i.e. your web application's sign-in page). The call does not require any JSON. Simply have a web request make the call to the logout URL and then redirect the user to your login page.

Please feel free to follow up with me at [email protected] and I will be happy to assist you further. I am also happy to have a call to discuss this in more detail.

Thank you,

Nick Gamb, Developer Advocate, Centrify