"Destination url validation failed" error logging out of SAML Service Provider

  • 7005400
  • 26-Feb-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

A 3rd-party SAML2 Service Provider (SP) is configured to authenticate against the Novell Access Manager Identity Provider (IDP) server using an SP-initiated AuthnRequest to the IDP server. The authentication works fine and the user can single sign-on to the SP after processing the assertion returned by the IDP server.

The user then tries to log out of both the SP and the IDP by sending a logout request to the IDP server at /nidp/app/logout. As soon as this happens, the browser displays the following error:

"Unable to complete logout request.
Cause/Code: Destination url validation failed-27E8DD9297755D6B"
Resolution

Have SAML SP generate the logout status response to the ResponseLocation URL.

When the SP logs out of the IDP server, the IDP server sends a LogoutRequest to the SP. The SP should respond to this with a status response, which it does. However, it is responding to the wrong destination: it is responding to the 'Location' URL defined in the metadata and NOT to the 'ResponseLocation' URL (ResponseLocation="https://rfsidm.novell.net/nidp/saml2/slo_return").

// snippet of catalina.out file on IDP server when problem occurs

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://rfsidm.novell.net/nidp/saml2/slo"
    ID="a22807ij8g70hgjb243f007118g18eh"
    IssueInstant="2010-02-19T15:23:27.632Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://rfseix.novell.net:443/eix</saml2:Issuer>

This is an issue with the SP: it must send the LogoutResponse to the ResponseLocation URL and set that URL as the Destination attribute. In the snippet above, the Destination is https://rfsidm.novell.net/nidp/saml2/slo, which does not match the ResponseLocation in the metadata binding (https://rfsidm.novell.net/nidp/saml2/slo_return), so the IDP rejects the response with the error shown.
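The following is an added example (not Novell's code) that reproduces the Destination check the IDP performs: it reads the SingleLogoutService endpoint for a given binding out of a constructed IDP metadata fragment (using the two URLs quoted in this article) and verifies that an incoming LogoutResponse's Destination equals ResponseLocation, falling back to Location only when no ResponseLocation is published. The HTTP-Redirect binding and the metadata fragment are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IDP metadata fragment (assumed binding); the URLs are those
# quoted in the article.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rfsidm.novell.net/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://rfsidm.novell.net/nidp/saml2/slo"
        ResponseLocation="https://rfsidm.novell.net/nidp/saml2/slo_return"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed LogoutResponses: the first mirrors the catalina.out snippet
# (Destination set to Location), the second is what the SP should send.
BAD_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://rfsidm.novell.net/nidp/saml2/slo"
    ID="_constructed-id-1" Version="2.0"/>"""
GOOD_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://rfsidm.novell.net/nidp/saml2/slo_return"
    ID="_constructed-id-2" Version="2.0"/>"""


def expected_response_location(metadata_xml, binding):
    """Return the URL a LogoutResponse for this binding must be sent to."""
    root = ET.fromstring(metadata_xml)
    for slo in root.iterfind(".//md:SingleLogoutService", NS):
        if slo.get("Binding") == binding:
            # SAML metadata: responses go to ResponseLocation when it is
            # present, otherwise to Location.
            return slo.get("ResponseLocation") or slo.get("Location")
    raise ValueError("no SingleLogoutService for binding " + binding)


def destination_is_valid(logout_response_xml, metadata_xml, binding=REDIRECT):
    """The check behind 'Destination url validation failed': exact match."""
    resp = ET.fromstring(logout_response_xml)
    if resp.tag != "{%s}LogoutResponse" % NS["samlp"]:
        raise ValueError("not a LogoutResponse")
    return resp.get("Destination") == expected_response_location(metadata_xml, binding)
```

Running `destination_is_valid(BAD_RESPONSE, IDP_METADATA)` returns False for the response in the article and True for the corrected one.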