3 Replies Latest reply: Apr 10, 2012 1:45 AM by Ryan Fernandes

Logout issue with ADFS 2.0 as the IDP

Ryan Fernandes Newbie

Picketlink 1.0.4 release

App Server JBoss 5.1

IDP : ADFS 2.0

Scenario:

  1. User accesses a protected page.
  2. System throws up a login box
  3. User enters valid credentials and is able to use the application
  4. User clicks logoff (?LLO=true or ?GLO=true)

The SP emits the following Logout request (via picketlink):

<ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" ID="ID_f574759d-a66e-4ee9-9677-b5dec28b5f9f" IssueInstant="2011-09-16T12:00:31.276+05:30">
      <Issuer>https://ind-spz7lw70022.mastek.com:8443/employee/</Issuer>
  </ns3:LogoutRequest>

 

Post which ADFS 2.0 promptly shows an error page with the following in the event log:

Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:

  1. Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.

   at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)

   at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)

Any idea why this doesn't work? Does the picketlink 1.0.4 release support logoff (with ADFS 2.0)?
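Added example, not code from the post or from PicketLink: a check of a LogoutRequest against what SAML 2.0 Core section 3.7.1 requires, run on the request quoted above and on a constructed complete one, together with the raw-DEFLATE/base64 encoding of the HTTP-Redirect binding that an IdP parses from the SAMLRequest query parameter. The thread does not state the root cause; the check only shows what the posted message lacks relative to the spec (Version and a NameID), and the sp.example.com values are made up for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# The LogoutRequest quoted in the post above (xmldsig/xmlenc namespace declarations omitted).
POSTED_REQUEST = (
    '<ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="ID_f574759d-a66e-4ee9-9677-b5dec28b5f9f" IssueInstant="2011-09-16T12:00:31.276+05:30">'
    '<Issuer>https://ind-spz7lw70022.mastek.com:8443/employee/</Issuer></ns3:LogoutRequest>'
)
# Constructed for this example: Version and a NameID as Core 3.7.1 requires, plus a SessionIndex.
COMPLETE_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
    'ID="ID_example-1" IssueInstant="2011-09-16T12:00:31.276+05:30">'
    '<saml:Issuer>https://sp.example.com/employee/</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>'
    '<samlp:SessionIndex>session-example-1</samlp:SessionIndex></samlp:LogoutRequest>'
)

def check_logout_request(xml_text):
    """Return (errors, warnings): errors violate SAML 2.0 Core, warnings are optional parts an IdP usually needs."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        errors.append("root element is not samlp:LogoutRequest")
    for attr in ("ID", "Version", "IssueInstant"):
        if attr not in root.attrib:
            errors.append(f"missing attribute {attr}")
    # Core 3.7.1: exactly one of BaseID, NameID or EncryptedID identifies the principal to log out.
    id_tags = {f"{{{SAML}}}{n}" for n in ("BaseID", "NameID", "EncryptedID")}
    if sum(1 for c in root if c.tag in id_tags) != 1:
        errors.append("must contain exactly one NameID/EncryptedID/BaseID")
    if root.find(f"{{{SAMLP}}}SessionIndex") is None:
        warnings.append("no SessionIndex")
    return errors, warnings

def redirect_binding_param(xml_text):
    """SAMLRequest value for the HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64, before URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_param(value):
    """Inverse of redirect_binding_param, as an IdP recovers the message from the query string."""
    return zlib.decompress(base64.b64decode(value), -15).decode()
```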