
Lasso error on logout: [440] The profile cannot verify a signature on the message #50

Open
marcverney opened this issue Feb 17, 2021 · 0 comments


marcverney commented Feb 17, 2021

Hi,

I'm using Apache + Mellon as a reverse proxy (SP) in front of a web app. Everything works fine except logging out. When a user wants to log out, they send a GET request to https://10.236.90.134/sso/logout?ReturnTo=https%3A%2F%2Fwww.example.com%2Fblahblah%2F but they get a 400 Bad Request response with the following error:

Unable to process logout response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"

The users are actually logged out, this does work. However, they get an error page on screen instead of a redirect to the ReturnTo URL.

Versions:

  • one Docker container with Ubuntu 20.04, Apache 2.4 and liblasso3 2.6.0
  • another container with SimpleSAMLphp IDP 1.15

IDP metadata

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://10.236.90.134:8123/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.236.90.134:8123/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.236.90.134:8123/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

SP metadata

<EntityDescriptor entityID="https://10.236.90.134" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICtzCCAZ8CFEUtASYLIccb5sAB93TDjxfzgRgwMA0GCSqGSIb3DQEBCwUAMBgx
FjAUBgNVBAMMDTEwLjIzNi45MC4xMzQwHhcNMjEwMjE2MjI0MTA4WhcNMzEwMjE2
MjI0MTA4WjAYMRYwFAYDVQQDDA0xMC4yMzYuOTAuMTM0MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAqrQWOmHNK0eR1s5UrBHMUYTEcKF4eZFv/duJx9I0
d7DOpOPfuurMM0xP9RqPdjlQUUshbrRj6aCdfI3WSqG11slTr1J5tPzE6TizqfwX
K3AhRPBYPEfHFdeRPXSInfL41dSXvnT6qqZRKdBUxgMPgW3SN3eZycltFnByevCb
DhxLn9gt3WyOKmgZqItH9gnl3r5H8UAALXOyFj6kvfZTktEwDyGqKoZ1Dobk3fEf
RbgzLTz4yDI+A/o1LyVSR3BJ+nIDTxDFFlAT+H4/nBvdV1InerE00HqV8kDPog1i
C8pv9aX/nqVGTDMbcfravfhKnPSa48m2DTj/JR9NNZu9kwIDAQABMA0GCSqGSIb3
DQEBCwUAA4IBAQBJ9kR0ix6vWgGsXJE/QzQcJPZsXYao6N40K1P/I+N0+LF8jqEx
cpdHddc8XMrMaqY7G/mNqLSneIz81ly2/BTq0n0YgVX+lVTEnB+bZ1nassjDZktJ
BCfHEKRVEgQzA+FMzqfUgBx80I1LWJXx78J4m1CKOq8IOJ2k1/b3jKJzuBkxaJr4
uV3N48e9y+p3ydvZocOlOSX9GHkfzNm6fkFpQKNE8eqRYukXh5YCLsyCxV8goIF8
tfq8IqJFH8Y90nMmoPr0E5JaZfuM3FDiYhzcKYh63TPUjEdbTUHv//TuTqKTYdcV
ljKRgBy0i4+ytEoB+ktWt3ZZjbbVPIOOOzmR</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.236.90.134/sso/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.236.90.134/sso/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

Mellon configuration

    <Location />
        Require                valid-user
        MellonEnable           auth
        MellonEndpointPath     /sso
        MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml
        MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
        MellonSPCertFile       /etc/apache2/mellon/sp-certificate.cert
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.key
        MellonRedirectDomains  [self] www.example.com
    </Location>

Logout request XML

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_7378E171F2A71FB7AEB2FAF3764C6E35"
                     Version="2.0"
                     IssueInstant="2021-02-17T08:53:57Z"
                     Destination="http://10.236.90.134:8123/simplesaml/saml2/idp/SingleLogoutService.php"
                     >
    <saml:Issuer>https://10.236.90.134</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 SPNameQualifier="https://10.236.90.134"
                 >_03c98b70c14a9ba9e88f42dc1d359a97f09c55ff5b</saml:NameID>
    <samlp:SessionIndex>_59f7f23c30d907331f2a2b6ddb2b5f70d08bb78c6e</samlp:SessionIndex>
</samlp:LogoutRequest>

Logout response XML

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_1ac897f9735bbfc50558d28358c67533dee94e951b"
                      Version="2.0"
                      IssueInstant="2021-02-17T08:53:57Z"
                      Destination="https://10.236.90.134/sso/logout"
                      InResponseTo="_7378E171F2A71FB7AEB2FAF3764C6E35"
                      >
    <saml:Issuer>http://10.236.90.134:8123/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>
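The logout exchange above, as an added example (this is not code from mod_auth_mellon, Lasso or SimpleSAMLphp): it checks the LogoutResponse from this issue against the LogoutRequest ID and the IdP/SP values from the metadata, and rebuilds the exact octet string that the HTTP-Redirect binding signature covers, which is what the SP verifies with the IdP's signing certificate from the metadata before accepting the message. It assumes rsa-sha256 as the SigAlg and no RelayState unless one is passed in.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the issue: IdP entityID, SP SLO URL, our LogoutRequest ID, and the IdP's LogoutResponse (whitespace condensed).
IDP_ENTITY_ID = "http://10.236.90.134:8123/simplesaml/saml2/idp/metadata.php"
SP_SLO_URL = "https://10.236.90.134/sso/logout"
REQUEST_ID = "_7378E171F2A71FB7AEB2FAF3764C6E35"
LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
    'ID="_1ac897f9735bbfc50558d28358c67533dee94e951b" IssueInstant="2021-02-17T08:53:57Z" '
    'Destination="https://10.236.90.134/sso/logout" InResponseTo="_7378E171F2A71FB7AEB2FAF3764C6E35">'
    '<saml:Issuer>http://10.236.90.134:8123/simplesaml/saml2/idp/metadata.php</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>')

def check_logout_response(xml_text, idp_entity_id, sp_slo_url, request_id):
    """Return the problems an SP must reject on (empty list = consistent). The signature
    is not in this XML: with HTTP-Redirect it is a query parameter, which Lasso checks."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        return ["not a samlp:LogoutResponse"]
    problems = []
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the LogoutRequest ID we sent")
    if root.get("Destination") != sp_slo_url:
        problems.append("Destination is not our SingleLogoutService endpoint")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer is not the IdP entityID from the metadata")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")
    return problems

def redirect_signed_string(xml_text, relay_state=None,
                           sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):
    """Rebuild the octets the HTTP-Redirect signature covers: raw DEFLATE + base64 of the
    message, URL-encoded as SAMLResponse[&RelayState]&SigAlg. Any byte difference fails."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = [("SAMLResponse", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return urlencode(params, quote_via=quote)  # quote (not quote_plus): '/' -> %2F, ' ' -> %20
```

To check the IdP's Signature parameter by hand, verify it with the IdP signing certificate from the metadata over exactly the string `redirect_signed_string` returns for the query the IdP actually sent; when debugging a [440], compare that string byte for byte with the raw query string Apache logged, since a differing URL-encoding of the same parameters is enough to make verification fail.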
