zT68vI · NEWBIE · 0 Points · Member since 2018 · 2 Questions · 1 Reply
I'm having trouble getting Salesforce SAML single logout (SLO) working. I'm writing a web application that uses Salesforce as the SAML Identity Provider (IdP).

Every LogoutRequest I send gets a response with a StatusCode of "urn:oasis:names:tc:SAML:2.0:status:Responder", which according to the spec means that an error has occurred in Salesforce.

However, I can't find any other details about what might be wrong. There isn't anything in the "Identity Provider Event Log", and no other details in the LogoutResponse. Does anyone know how to debug this issue, or what might be wrong? I've included an example LogoutRequest and the LogoutResponse below:

Request:
<samlp:LogoutRequest
        Destination="https://example.cs13.my.salesforce.com/services/auth/idp/saml2/logout"
        ID="EXAMPLE_ID"
        IssueInstant="2018-05-03T18:18:32Z"
        Version="2.0"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>
        http://subdomain.example.com
    </saml:Issuer>
    <saml:NameID>
        username@example.com
    </saml:NameID>
</samlp:LogoutRequest>

Response:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      Destination="https://localhost/logout/callback"
                      ID="EXAMPLE_ID_2"
                      InResponseTo="EXAMPLE_ID"
                      IssueInstant="2018-05-03T13:59:57.627Z" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        https://example.cs13.my.salesforce.com
    </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    </samlp:Status>
</samlp:LogoutResponse>

And here is a screen shot of my connected app settings:
[screenshot of connected app settings]
Any ideas about how to debug this?
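Added example (not part of the question above, and not Salesforce code): the service-provider side of the exchange shown in the post, validating the LogoutResponse against the LogoutRequest that was actually sent and surfacing every piece of detail the message can carry. A bare top-level `Responder` status is all the SAML 2.0 Core spec requires an IdP to return, but a second-level `StatusCode` (for example `RequestDenied` or `UnknownPrincipal`) and a `StatusMessage` are permitted and are the first place to look. Two caveats a practitioner wants here: the SAML profile requires a LogoutRequest to be authenticated (signed, or protected by the binding), so an unsigned request is a plausible generic cause of a rejection; and a response must never be trusted before its signature is verified, which this snippet assumes the caller has already done. The sample message is the one quoted in the question; the expected issuer and endpoint values are taken from it; the "no detail" hints in `explain()` are general SAML troubleshooting, not a statement about Salesforce.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Top-level status codes defined by SAML 2.0 Core, section 3.2.2.2.
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"

MEANING = {
    SUCCESS: "IdP reports the logout succeeded",
    REQUESTER: "IdP blames the request (malformed, unauthenticated, or unknown issuer/subject)",
    RESPONDER: "IdP could not or would not act; the cause is on the IdP side",
    VERSION_MISMATCH: "IdP does not support the protocol version in the request",
}


@dataclass
class LogoutCheck:
    ok: bool                          # True only if correlated, from the right IdP, and Success
    top_status: Optional[str]
    sub_statuses: List[str] = field(default_factory=list)   # nested second-level StatusCode values
    status_message: Optional[str] = None                     # optional StatusMessage text
    problems: List[str] = field(default_factory=list)        # correlation / binding problems


def check_logout_response(xml_text: str, sent_request_id: str,
                          expected_issuer: str, our_logout_endpoint: str) -> LogoutCheck:
    """Validate a LogoutResponse against the request we actually sent.

    Assumes the XML signature (or the HTTP-Redirect SigAlg/Signature parameters) has
    already been verified by the caller. Use defusedxml instead of the stdlib parser
    for untrusted input in production.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return LogoutCheck(False, None, problems=["not a samlp:LogoutResponse"])

    problems = []
    # Correlate with an outstanding request ID; an uncorrelated response could be a
    # stale or injected message and must not be acted on.
    if root.get("InResponseTo") != sent_request_id:
        problems.append(f"InResponseTo {root.get('InResponseTo')!r} != {sent_request_id!r}")
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} is not the configured IdP {expected_issuer!r}")
    # Destination is optional, but when present it must name our own endpoint.
    dest = root.get("Destination")
    if dest is not None and dest != our_logout_endpoint:
        problems.append(f"Destination {dest!r} != {our_logout_endpoint!r}")

    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None or top.get("Value") not in MEANING:
        problems.append("missing or unknown top-level StatusCode")
        return LogoutCheck(False, None if top is None else top.get("Value"), problems=problems)
    top_value = top.get("Value")
    # Second-level codes (RequestDenied, UnknownPrincipal, ...) nest inside the top-level one.
    subs = [c.get("Value") for c in top.iter(f"{{{SAMLP}}}StatusCode") if c is not top]
    msg = root.findtext("samlp:Status/samlp:StatusMessage", default=None, namespaces=NS)

    return LogoutCheck(ok=(not problems and top_value == SUCCESS), top_status=top_value,
                       sub_statuses=subs, status_message=msg, problems=problems)


def explain(result: LogoutCheck) -> str:
    """One-line diagnosis for the SP's debug log."""
    parts = [MEANING.get(result.top_status, f"unrecognised status {result.top_status!r}")]
    if result.sub_statuses:
        parts.append("detail: " + ", ".join(s.rsplit(":", 1)[-1] for s in result.sub_statuses))
    if result.status_message:
        parts.append(f"message: {result.status_message}")
    if result.top_status in (REQUESTER, RESPONDER) and not result.sub_statuses and not result.status_message:
        # General SAML SLO troubleshooting when the IdP gives no detail (not Salesforce-specific).
        parts.append("no detail returned; check that the request is signed if the IdP requires it, "
                     "that Issuer matches the SP entity ID registered at the IdP, and that NameID "
                     "(value and Format) matches the subject of the current IdP session")
    if result.problems:
        parts.append("binding problems: " + "; ".join(result.problems))
    return " | ".join(parts)


# Constructed sample: the LogoutResponse quoted in the question above.
RESPONSE_FROM_POST = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://localhost/logout/callback" ID="EXAMPLE_ID_2"
    InResponseTo="EXAMPLE_ID" IssueInstant="2018-05-03T13:59:57.627Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    https://example.cs13.my.salesforce.com
  </saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:LogoutResponse>"""

if __name__ == "__main__":
    r = check_logout_response(RESPONSE_FROM_POST, "EXAMPLE_ID",
                              "https://example.cs13.my.salesforce.com", "https://localhost/logout/callback")
    print(explain(r))
```

Run against the quoted response this reports the `Responder` status with no second-level code and no message, which is exactly why nothing more can be read out of it on the SP side; the correlation checks (InResponseTo, Issuer, Destination) all pass, so the remaining questions are about what the IdP saw.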
I'm using Salesforce as a SAML identity provider. I'd like my service provider to be able to request authentication for a specific user. Ideally, Salesforce would show its log in screen if the specified user is not already authenticated, and prepopulate the username field with the username specified in the authentication request. The SAML 2.0 spec seems to support this functionality with a Subject element in the AuthnRequest. I added the following snippet:
<saml:Subject>
    <saml:NameID>
        user@example.com
    </saml:NameID>
</saml:Subject>

However, Salesforce Identity doesn't seem to respect that element. Does Salesforce support authenticating a specific user? If so, how?

Thanks for the help.
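Added example (not part of the question above, and not Salesforce code) for the AuthnRequest `Subject` discussed in the post. SAML 2.0 Core section 3.4.1 defines the `Subject` in an AuthnRequest as the principal the SP wants authenticated, and section 3.4.1.4 says an IdP that honours it must make sure the assertion's subject strongly matches it; whether a given IdP honours the element at all is up to that IdP. The security-relevant consequence for the SP is that it must not assume the hint was respected: after the response comes back, compare the asserted `NameID` (value and `Format`) with the one requested, otherwise an IdP that ignored the hint could log a different user into the session the SP prepared for the requested one. The IdP URLs, ACS URL and the sample `Response` below are constructed for the example; the SP entity ID and user name are the ones from the post. Signature verification and the usual `Conditions`/`SubjectConfirmationData` checks are assumed to happen before this comparison.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Default NameID format when the Format attribute is absent (SAML 2.0 Core 8.3.1).
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_authn_request(sp_entity_id: str, idp_sso_url: str, acs_url: str,
                        subject_nameid: Optional[str] = None,
                        nameid_format: str = UNSPECIFIED) -> Tuple[str, str]:
    """Return (xml, request_id). The optional Subject asks the IdP to authenticate
    that principal; the IdP may ignore it, so the SP re-checks the answer."""
    request_id = "_" + secrets.token_hex(16)          # xs:ID may not start with a digit
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": now,
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if subject_nameid is not None:
        subj = ET.SubElement(req, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID", {"Format": nameid_format}).text = subject_nameid
    return ET.tostring(req, encoding="unicode"), request_id


def requested_subject(request_xml: str) -> Tuple[str, Optional[str]]:
    """(request ID, Subject NameID text or None) of an AuthnRequest we produced."""
    root = ET.fromstring(request_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    return root.get("ID"), (None if nameid is None else (nameid.text or "").strip())


def assertion_subject_matches(response_xml: str, sent_request_id: str,
                              requested_nameid: str,
                              requested_format: str = UNSPECIFIED) -> Tuple[bool, str]:
    """SP-side strong-match check: the principal the IdP asserted must be the one we asked for.
    A full check would also compare NameQualifier/SPNameQualifier when present."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if root.get("InResponseTo") != sent_request_id:
        return False, "InResponseTo does not match the AuthnRequest we sent"
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return False, "no plaintext NameID in the assertion (EncryptedID or missing Subject)"
    asserted = (nameid.text or "").strip()
    asserted_format = nameid.get("Format", UNSPECIFIED)
    if asserted != requested_nameid or asserted_format != requested_format:
        return False, f"IdP authenticated {asserted!r} ({asserted_format}), not the requested {requested_nameid!r}"
    return True, "asserted subject matches the requested subject"


# Constructed sample Response (unsigned, minimal) so the check can run offline.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2018-05-03T18:18:40Z" InResponseTo="{rid}">
  <saml:Issuer>https://example.cs13.my.salesforce.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-03T18:18:40Z">
    <saml:Issuer>https://example.cs13.my.salesforce.com</saml:Issuer>
    <saml:Subject><saml:NameID>{nameid}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(request_id: str, asserted_nameid: str) -> str:
    return SAMPLE_RESPONSE.format(rid=request_id, nameid=asserted_nameid)


if __name__ == "__main__":
    xml, rid = build_authn_request("http://subdomain.example.com",
                                   "https://idp.example.test/sso",      # assumed IdP SSO URL
                                   "https://sp.example.test/saml/acs",  # assumed ACS URL
                                   subject_nameid="user@example.com")
    print(xml)
    print(assertion_subject_matches(sample_response(rid, "user@example.com"), rid, "user@example.com"))
    print(assertion_subject_matches(sample_response(rid, "other@example.com"), rid, "user@example.com"))
```

Sending the `Subject` costs nothing, but the only thing that protects the application is the comparison afterwards: treat a mismatch as a failed login for the requested account, not as a login for whoever the IdP returned.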