SP发起的SLO生成多个SLO请求

Question

我正在使用sustainsys saml2 owin软件包，但是SP发起的SLO出现了问题。我是saml流程的新手，所以很有可能我做错了事。

我们的退出工作流程如下：

1. 用户点击了myapp.com/signout
2. myapp重定向到myapp.com/saml2/logout
3. owin软件包生成一个saml请求并将其发送到Idp的slo路由
4. Idp以成功的saml响应来响应相同的URL：myapp.com/saml2/logout
5. 这时，owin软件包正在生成另一个saml请求，以将用户从idp中注销。如果Idp不停止进程，它将陷入无限重定向中。

这是我的Chrome网络面板的快照：

我使用https://github.com/mcguinness/saml-idp作为开发IDp，这是我的owin配置的存根：

我怀疑我配置不当，或者使用了不正确的saml2 /登出路径，但是我感到奇怪的是，owin程序包在成功获得响应后会生成另一个请求。

更新11.9.2018

这是我从注销过程开始的详细日志：

Expanded Saml2Url
  AssertionConsumerServiceUrl: http://locala.foliotek.com/saml2/linuxdev/Acs
  SignInUrl: http://locala.foliotek.com/saml2/linuxdev/SignIn
  LogoutUrl: http://locala.foliotek.com/saml2/linuxdev/Logout
  ApplicationUrl: http://locala.foliotek.com/
=================
Initiating logout, checking requirements for federated logout
  Issuer of LogoutNameIdentifier claim (should be Idp entity id): http://myidentityprovider.com
  Issuer is a known Idp: True
  Session index claim (should have a value): http://Sustainsys.se/Saml2/SessionIndex: 1926000282
  Idp has SingleLogoutServiceUrl: http://myidentityprovider.com/saml/slo
  There is a signingCertificate in SPOptions: True
  Idp configured to DisableOutboundLogoutRequests (should be false): False
=================
Expanded Saml2Url
  AssertionConsumerServiceUrl: http://myserviceprovider.com/saml2/linuxdev/Acs
  SignInUrl: http://myserviceprovider.com/saml2/linuxdev/SignIn
  LogoutUrl: http://myserviceprovider.com/saml2/linuxdev/Logout
  ApplicationUrl: http://myserviceprovider.com/
=================
Initiating logout, checking requirements for federated logout
  Issuer of LogoutNameIdentifier claim (should be Idp entity id): http://myidentityprovider.com
  Issuer is a known Idp: True
  Session index claim (should have a value): http://Sustainsys.se/Saml2/SessionIndex: 1926000282
  Idp has SingleLogoutServiceUrl: http://myidentityprovider.com/saml/slo
  There is a signingCertificate in SPOptions: True
  Idp configured to DisableOutboundLogoutRequests (should be false): False
=================
Expanded Saml2Url
  AssertionConsumerServiceUrl: http://myserviceprovider.com/saml2/samltestid/Acs
  SignInUrl: http://myserviceprovider.com/saml2/samltestid/SignIn
  LogoutUrl: http://myserviceprovider.com/saml2/samltestid/Logout
  ApplicationUrl: http://myserviceprovider.com/
=================
Initiating logout, checking requirements for federated logout
  Issuer of LogoutNameIdentifier claim (should be Idp entity id): http://myidentityprovider.com
  Issuer is a known Idp: False
  Session index claim (should have a value): http://Sustainsys.se/Saml2/SessionIndex: 1926000282
  Idp has SingleLogoutServiceUrl: 
  There is a signingCertificate in SPOptions: True
  Idp configured to DisableOutboundLogoutRequests (should be false): 
=================
Expanded Saml2Url
  AssertionConsumerServiceUrl: http://myserviceprovider.com/saml2/linuxdev/Acs
  SignInUrl: http://myserviceprovider.com/saml2/linuxdev/SignIn
  LogoutUrl: http://myserviceprovider.com/saml2/linuxdev/Logout
  ApplicationUrl: http://myserviceprovider.com/
=================
Http POST binding extracted message
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_d02d42fbb8ed00bbee02" InResponseTo="idf75b17a7713e4f698f891edf1fcca117" Version="2.0" IssueInstant="2018-11-09T16:44:01Z" Destination="http://myserviceprovider.com/saml2/linuxdev/logout"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://myidentityprovider.com</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_d02d42fbb8ed00bbee02"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>X+93fiv6vuuy8sIhmFFxIVxNgAy/f1Zk62RRh/rn91I=</DigestValue></Reference></SignedInfo><SignatureValue>qXMlLe2fciQR6u7Ddx40RFI51IJ5r8A3m7X7mrgIMHBdFf2vypiCFxqOrEOKCSIqWzDUxVXujWyMQzO/zZtVyZlm6xXnb3lId0VDHLEIUT/8kyNsodzvzPIyTMaMMV/cmhQ3UZlYRv9BeyPswpkosFTn/xc6c+BX9z+w4AN4KDMFfYlTeu/uyDBa1u5zr/Ze6OXwP7///Mo/zdy2ZXyHJhia+yscWZ+Hrb49ekI9csJvuic0p6ttJPjS72tmEesGR1vLT0Y/5T+SqOVmmbmN8hZygRxrEwgfo9oNI+8BBC7aYK2PCtTZZFwoO3KsEEttQjxzKTbzja9s8XslGxfKkw==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDgzCCAmugAwIBAgIJALOc35pt94LuMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNaXNzb3VyaTERMA8GA1UEBwwIQ29sdW1iaWExFTATBgNVBAoMDEZvbGlvdGVrIEluYzEMMAoGA1UEAwwDSWRwMB4XDTE4MTEwOTE1MDI0MVoXDTM4MTEwNDE1MDI0MVowWDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE1pc3NvdXJpMREwDwYDVQQHDAhDb2x1bWJpYTEVMBMGA1UECgwMRm9saW90ZWsgSW5jMQwwCgYDVQQDDANJZHAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhX8PX+C/1orPpFnOIRy7UkrLU7YCq6DNzB5QSUzT366++ZCWFzx+Ub+HFxbR/htY/EAramlCNFawOSGS6mnWev/tiokGObXdMK6tAXyZZMc/u9Rg65EjM892Oep6gIEWgjnE+l7M8v84QOWqAl+GaeM8YZJKHXAZ+7MVMgkMWeYKrksvQdKrQjhyzqoLmBNL5yGBgEH1KEtFy0A0qYdiwdWptvaeWkTk6tp3kfminRaQ1bj/BmMwAWeDbE7EFkk7wF1ig4QhTINoVFQhPGa/+sPg+NuDNlGszDBV3fmfpHwPpjRr4zzoNyJnMvf3u1+C63c7DPSC+uKGvYlgeWbc/AgMBAAGjUDBOMB0GA1UdDgQWBBQvczxcOnaazyGJ8H3vi1vY6g24xDAfBgNVHSMEGDAWgBQvczxcOnaazyGJ8H3vi1vY6g24xDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAoMsoDnrEPCS+VIqVlnlbxxd4lx5AYMvUTZPugJ88+Jjp/1kkKbxWzbJBR1yl0v9quLoQ/u5XkYoSI3u/azydywpADlgsKHrL7Ger+ZU2pdSCK9LTbOP3gnginmPldB7LW6jxWxuEYadWLpYocEFU6Ua7XJUDOzMpO3SXxmhiyhvQC2PF0Q1uehNkwIpUP+9I9ulAXxjScyputgYjkWjiLYu+gcWYW6DmeWqJKyYR6XSwaa+QV4/UPupBmSc1Bx7BuF29+1RwJyTEI6Uz5wQe+lbzZ5ay3J3oa3lilwYg/HYq4mQzVucHEhQLsU9ZIfuGStMHX23sdzWuEBbcQgCCd</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status></samlp:LogoutResponse>
=================

这是我注销过程中的信息日志

Sending logout request to http://myidentityprovider.com
=================
Sending logout request to http://myidentityprovider.com
=================
Federated logout not possible, redirecting to post-logout and clearing local session
=================
Received logout response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id, redirecting to http://myidentityprovider.com/saml/slo?SAMLRequest=fZJdS8MwFIbvB%2FsPJbeyNv3Y1oatOBhCYXrhxAvvYpKu0XzUnlT2803rJpugkJvz8bznPYesgGqVtGRnD7Z3j%2BKjF%2BCCo1YGyHdpjfrOEEtBAjFUCyCOkf3mfkeSEJO2s84yq9Al8z9CAUTnpDUoqLZrJHmRFuw1LnKcUpYt2JImC1rXOc94yuZpnaHgWXTggTXyvKcAelEZcNQ4n8JxPovjGS6e4gXJUjLPX1Cw9WtIQ91INc61JIpqq6R%2Fpj9y8RmOkRPvIbOaLPESR4P3CJRF5XQSBKtxFTIO68qThLKMKnrFjlgSnXVX0RV3ofTgL1Ftgzvbaer%2BPlEcxmNG8lk9thKhqVQbzjsBgErXCN4Py4GWrrlxjdUU3m4PQ9Pg52zge9yFgZbsvYA%2FSGW4OJZxkSwwxkmenIhf9enkJ3%2F1Ocov&RelayState=MnZ2DPYtc9cY8CkEaR5CRJDz&SigAlg=http:%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=LS0QmYpXX2utWqmEKQJmMeQukm%2FFFVUZCP8I0C7sIt1LklVK0NzuqrJgG9VGwO6uPBZObpZ%2FU9%2BZVddCoIGmg3FCKrhhW7hspsQNN%2FGqpf0QY3kxW%2Bt956TqgynW0yM4I9%2Fc7X%2F9Sy4keFu1uxihjemm%2BCNlZdRS71ch4SyG4YStmKZrWJns1T6H4m8d2eBK7O2KVn9iqwIh6OaV5S6obhpMH9gzx5Y01uc5fTm2gfdoExuVNsKbZB8ycois1MEEz7Uox5zRm09gEfCNMHKf2Dp%2Fwd7GmQoK84VvPoNrxl5047WxfKxkhQPTRFbM5h50peFjOlnFN0yKw9C3DARSBw%3D%3D
=================

深入研究代码后，我发现是否执行以下操作：

GetLogoutResponseState = (req) => { return null; }

...在我的Saml2AuthenticationOptions.Notifications中，它可以正常工作。

从这里，我仍然怀疑我在配置某些错误，或者IDP发送了错误的数据，但是我不知道StoredRequestState的初始化位置。看来它包含了错误的returnUrl。

Answer 1

看看日志，我认为这是事件的顺序。

1. 您的应用程序上的注销被命中，并重定向到Saml2库中的注销端点。
2. 命中注销端点，并向Idp发起注销请求。
3. Idp呈现一个页面（可能包含某种SAML响应-但可能不正确）。
4. 再次单击注销端点，这是错误的
   • 这是重复的请求。
   • 或者这是Sustainsys.Saml2库无法正确检测到的响应

让我真正困惑的是，在第二次运行中，满足了联合注销的所有要求。具体来说，它确实找到了LogoutNameIdentifier。这应该是不可能的，因为通常会在重定向到Idp时清除本地会话cookie。

要进一步了解正在发生的事情，建议您下载Sustainsy.Saml2源代码，直接链接到项目并在LogoutCommand.Run处设置断点。这样可以帮助您更好地理解并能够进一步检查请求。

Answer 2

我一直将问题归结为LogoutCommand.Run在对/saml2/logout的初始GET请求期间被两次调用。一次来自Saml2AuthenticationHandler .ApplyResponseGrantAsync方法，一次来自Saml2AuthenticationHandler.InvokeAsync。

解决方案是在我的Compatibility = new Compatibility { StrictOwinAuthenticationMode = true }中设置SPOptions。这样会阻止LogoutCommand在ApplyResponseGrantAsync方法中执行。

我不清楚被动认证模式还是主动认证模式，但是我的猜测是我要向Sustainsys程序包指示我正在手动控制认证（包括注销）。也许安德斯可以解决这个问题？