3 Replies Latest reply on Apr 10, 2012 1:45 AM by ryanfernandes

    Logout issue with ADFS 2.0 as the IDP

    ryanfernandes

      Picketlink 1.0.4 release

      App Server JBoss 5.1

      IDP : ADFS 2.0


      Scenario:

      1. User accesses a protected page.
      2. System throws up a login box.
      3. User enters valid credentials and is able to use the application.
      4. User clicks logoff (?LLO=true or ?GLO=true).

      The SP emits the following Logout request (via picketlink):


      <ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" ID="ID_f574759d-a66e-4ee9-9677-b5dec28b5f9f" IssueInstant="2011-09-16T12:00:31.276+05:30">

            <Issuer>https://ind-spz7lw70022.mastek.com:8443/employee/</Issuer>

        </ns3:LogoutRequest>


      After this, ADFS 2.0 promptly shows an error page with the following in the event log:


      Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:


      1. Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.

         at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)

         at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)


      Any idea why this doesn't work? Does the picketlink 1.0.4 release support logoff (with ADFS 2.0)?
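An added check, not part of ryanfernandes's post or of PicketLink: the Python below validates a LogoutRequest against the structural requirements of SAML 2.0 Core section 3.7.1 (ID, Version and IssueInstant attributes; exactly one of NameID, BaseID or EncryptedID naming the principal to log out) and the SLO profile's Issuer requirement, and reports what is missing when run against the request quoted above. The "complete" counterpart request is a constructed sample with placeholder values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the LogoutRequest quoted in the post (unused namespace declarations dropped).
POST_LOGOUT_REQUEST = """<ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_f574759d-a66e-4ee9-9677-b5dec28b5f9f" IssueInstant="2011-09-16T12:00:31.276+05:30">
  <Issuer>https://ind-spz7lw70022.mastek.com:8443/employee/</Issuer>
</ns3:LogoutRequest>"""

# Constructed sample of a request carrying everything the checks below look for (placeholder values).
COMPLETE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_placeholder" Version="2.0" IssueInstant="2011-09-16T12:00:31.276+05:30"
    Destination="https://adfs.example.invalid/adfs/ls/">
  <saml:Issuer>https://sp.example.invalid/employee/</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  <samlp:SessionIndex>session-placeholder</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def check_logout_request(xml_text: str) -> list[str]:
    """Return the list of structural requirements the LogoutRequest violates (empty list = well formed)."""
    # ElementTree is adequate for these trusted samples; parse untrusted XML with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return [f"root element is {root.tag}, expected samlp:LogoutRequest"]
    problems = []
    # RequestAbstractType: ID, Version and IssueInstant are all required attributes.
    for attr in ("ID", "Version", "IssueInstant"):
        if attr not in root.attrib:
            problems.append(f"missing required attribute {attr}")
    if root.attrib.get("Version", "2.0") != "2.0":
        problems.append(f"unexpected Version {root.attrib['Version']!r}, expected '2.0'")
    # The SLO profile requires the requester to identify itself.
    if root.find(f"{{{SAML}}}Issuer") is None:
        problems.append("missing saml:Issuer")
    # LogoutRequest must name the principal with exactly one of BaseID, NameID, EncryptedID.
    subject = [t for t in ("BaseID", "NameID", "EncryptedID") if root.find(f"{{{SAML}}}{t}") is not None]
    if len(subject) != 1:
        problems.append("exactly one of saml:BaseID, saml:NameID, saml:EncryptedID is required")
    return problems
```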