"Destination url validation failed" error logging out of SAML Service Provider

  • 7005400
  • 26-Feb-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

3rd part SAML2 Service Provider (SP) configured to authenticate against the Novell Access Manager Identity (IDP) server using an SP initiated AuthnRequest to the IDP server. The authentication works fine and the user can single sign on to the SP aftre processing the assertion returned by the IDP server.

The user then tried to logout of both the SP and IDP by sending a logout request to the IDP server at /nidp/app/logout. As soon as this happens, the browser displays the following error:

"Unable to complete logout request.
Cause/Code: Destination url validation failed-27E8DD9297755D6B"


Resolution

Have SAML SP generate the logout status response to the ResponseLocation URL.

When the SP logs out of the IDP server, the IDP server sends a LogoutRequest to the SP. The SP should respond to this with the status which it does. However, it is responding to the wrong destination ... it is responding to the 'location' URL defined in the metadata and NOT the 'ResponseLocation="https://rfsidm.novell.net/nidp/saml2/slo_return'.

// snippet of catalina.out file on IDP server when problem occurs

<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutResponse  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://rfsidm.novell.net/nidp/saml2/slo"  ID="a22807ij8g70hgjb243f007118g18eh" IssueInstant="2010-02-19T15:23:27.632Z"  Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://rfseix.novell.net:443/eix</saml2:Issuer>

This is an issue with the SP - it must respond to the ResponseLocation URL using that as the destination. In our case, the destination is incorrect, doesn't match what the metadata binding has and we throw the above error.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.