?wa=wsignoutcleanup1.0 在 SSO sp 发起的流程中有什么意义

Question

I am Using SAML 2.0 in the SSO SP initiated flow. I have configured logout url as "https://{DNS_name}/adfs/ls/" and i am getting the below error.

Error:- System.Xml.XmlException: MSIS0006: A required attribute is not present: ID.

Note:- I am not getting this error if i configure logout URL as "https://{DNS_name}/adfs/ls?wa=wsignoutcleanup1.0" .

Que :- Why am i getting ID related errors if not configuring cleanup part(?wa=wsignoutcleanup1.0). i am not getting the significance of cleanup part in the logout URL.

I have read that "The wsignoutcleanup1.0 message is an instruction to relying parties to delete the cached session state for the specified user."

Complete Error:- Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details: System.Xml.XmlException: MSIS0006: A required attribute is not present: ID. at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message) at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader) at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context) at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage) at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection) at Microsoft.IdentityServer.Protocols.Saml.HttpPostSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form) at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Answer 1

You get an error because you're outside of spec. The ?wa parameter defines the action that you want to happen, ie "This REQUIRED parameter specifies the action to be performed." ( Source ).

It's not specific to this sign-out action... it's any action.

Answer 2

I work at Microsoft boii. For SAML you want to use the https://sts.contoso.com/adfs/ls endpoint. The wa=wsignoutcleanup is for the WS-Federation protocol. Alot of times it looks like things are working if you use the wa=wsignoutcleanup but trust me it doesn't. There are 4 cookies you usually get with SAML. They are MSIS Auth cookies. There are web application sessions cookies too. Use the right URL to clean up things properly.

In the SAML protocol there is a concept of a SAML logout request and a SAML logout response. This website has examples. https://www.samltool.com/generic_slo_req.php

You should be able to see this with a SAML tracer. There are a couple gotchas with SAML logout. The name id you ask to logout has to be the exact same you used to login.

SAML logouts have to be signed 100% with a X.509 (SSL) Secure Socket Layer cryptography certificate to prevent spoofing. Good luck.