Home/ Questions/Q 6848475
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T00:52:22+00:00

My aim is to implement the Single Log Out Protocol. First I am understanding

  • 0

My aim is to implement the Single Log Out Protocol. First I am understanding how the standar works and how I can fit it in my scenario: ADFS 2.0 as IdP, for me is like a “black box”

What I am doing at the moment is the next:

  1. Send an <AuthnRequest> to my IdP

  2. IdP asks me for credentials, I provide them and get succesfully login.

  3. Get the SessionIndex value form the and constructs a <LogoutRequest>

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_135ad2fd-b275-4428-b5d6-3ac3361c3a7f" Version="2.0" Destination="https://idphost/adfs/ls/" IssueInstant="2008-06-03T12:59:57Z"><saml:Issuer>myhost</saml:Issuer><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="https://idphost/adfs/ls/">myemail@mydomain.com</NameID<samlp:SessionIndex>_0628125f-7f95-42cc-ad8e-fde86ae90bbe</samlp:SessionIndex></samlp:LogoutRequest>

  1. Take the above <LogoutRequest> and encode it in Base64

  2. Contructs the next string: SAMLRequest=base64encodedRequest&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1

  3. With the above string generates the signature

  4. Encode the signature in base64

  5. Send the request: https://"https://idphost/adfs/ls/?SAMLRequest=base64encodedRequest&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=base64EncodedSignature

But the IdP is answering me: The verification of the SAML message signature failed.

For signing I am using my private key (2048 bytes), and for verifying it is supposed that the IdP is using my public key (the one that I sent it when I registered my host)

The code for signing the request looks like:

// Retrieve the private key
KeyStore keyStore = KeyStore.getInstance("JKS", "SUN");
FileInputStream stream;
stream = new FileInputStream("/path/to/my/keystore.jks");
keyStore.load(stream, "storepass".toCharArray());
PrivateKey key = (PrivateKey) keyStore.getKey("keyAlias","keyPass".toCharArray());

// Create the signature
Signature signature = Signature.getInstance("SHA1withRSA");
signature.initSign(key);
signature.update("SAMLRequest=jVJda8IwFH2e4H8ofW%2BbVmvboGWCDApusDn2sBdJm1sNtEmXmw7x1y92KDrY2Ov5uueEzJG1TUfXaqd68wIfPaBxDm0jkQ7Mwu21pIqhQCpZC0hNRTfLxzWNfEI7rYyqVONeWf52METQRijpOsVq4W7JoSzjJJnWAEAmwLMMpmRG0jCrYJICIcR13kCjdSxcG%2BA6K9tQSGYGZG9MhzQIGrUT0uPw6VegpV%2FtA8ZrDBq0ZxB7KCQaJo2NICT1yMwjk9cwonFG4%2BTdzceju%2FmpOx3EOu8qYThgGJ3j5sE1fZE%2F2X3FynlQumXm9%2BGhHw6I4F49SCm0TDRLzjWgrXiKee5ZI2oB%2Bj%2Bj8qYX6GvFtdj1cPRryzPJ4Xh%2F2%2Fe736VvRzf2nn24wmoP%2BZbMojSM4tpL6iz2plFVeYyn4NUc0hmDjJQlfCf9cI5HZ%2Fjm4%2BRf&RelayState=null&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1".getBytes());

String signatureBase64encodedString = (new BASE64Encoder()).encodeBuffer(signature.sign());
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Finally I got the right recipe:

    1. Generate the SAMLRequest value
    2. Encode the SAMLRequest value in Base64
    3. URL-encode the SAMLRequest value
    4. URL-encode the SigAlg value:
      http://www.w3.org/2000/09/xmldsig#rsa-sha1
    5. Feed the algorithm signature (SHA1withRSA) with the
      SAMLRequest=value&SigAlg=value
    6. URL-encode the generated signature

    We can perform the steps 2 and 3 with the SAML 2.0 Debugger
    (https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php). And for
    the URL-encoding use the classic w3schools
    (http://www.w3schools.com/tags/ref_urlencode.asp)

    Warning! Ensure that the algorithm for your relying party, in the ADFS2, is setup to SHA1!

    Best regards,

    Luis

    ps: now I have to code a little bit…

    pps: You can find the code here: https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo

    • 0