Single Sign-On Logout Response Is Not Signed If the Signed Logout Request Is Initiated by the IDP

(Doc ID 2366095.1)

Last updated on MARCH 01, 2018

Applies to:

Oracle BigMachines CPQ Cloud Service - Version 11.0 and later
Information in this document applies to any platform.

Symptoms

When SSO is configured to require signed requests, both the request and the response for logging in and for logging out should be signed.

This works when logging in through SITENAME.bigmachines.com/sso/saml_request.jsp and logging out by clicking the "Log Out" button in CPQ Cloud sites. However, if the logout request originates from the IDP, the CPQ Cloud session ends (the user is logged out of CPQ Cloud) but the SAML response returned to the IDP is not signed.

The user will then need to log out of the IDP again manually. This issue is caused by the unsigned logout response from CPQ Cloud.

Steps to reproduce:

  1. Choose "Yes" for "Require Signed Request?", upload the certificate and fill out all the required fields for it when setting up SSO in Admin > Single Sign-On Settings. Fill out the remaining fields to finish the setup.
  2. After SSO is set up and working correctly, log in through SITENAME.bigmachines.com/sso/saml_request.jsp.
  3. Keep the CPQ Cloud site open in one tab. Open a new tab and log in to the IDP directly.
  4. Log out of the IDP.
  5. An error may appear depending on the IDP. Refresh the CPQ Cloud page: the user is logged out. Refresh the IDP page: the user is not logged out of the IDP. Inspect the SAML request and response for the IDP-initiated logout; the request is correct, but the response is:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse Destination="https://sitidm.colt.net:8443/nidp/saml2/slo"
   ID="_a37dc3b4ec0e3675fa0bfe652cfcdbfe" InResponseTo="idbl90czksiZBBLteXUTBNNv5W7e0"
   IssueInstant="2018-02-08T21:39:59.534Z" Version="2.0"
   xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://coltuat1.bigmachines.com/sso</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
</saml2p:LogoutResponse>

The IDP would be logged out in Step 5 if the response were signed. The expected response is:

<samlp:LogoutResponse Destination="LOGOUT_DESTINATION"
  ID="idzQAUaYnx7PuSAT-42hkxnu3k89Y" InResponseTo="_bd86878a8e19c3b695f48da643bed6b0"
  IssueInstant="2018-01-26T18:10:25Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer>IDP_URL</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#idzQAUaYnx7PuSAT-42hkxnu3k89Y">
              <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>/+V5WWV32VmnSe4eAF/0relwICw=</ds:DigestValue>
          </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
          SIGNATUREVALUE
      </ds:SignatureValue>
      <ds:KeyInfo>
        CERTIFICATE
      </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>
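The difference between the two responses above is purely structural: the working one carries an enveloped ds:Signature whose Reference URI points at the LogoutResponse's own ID. The following added example (not Oracle or CPQ Cloud code) is a pre-check that flags a LogoutResponse like the one in Step 5 before it is handed to a SAML library; it inspects structure only and does not verify the signature cryptographically, and the two sample documents are constructed, cut-down versions of the article's responses.

```python
"""Structural pre-check for SAML 2.0 LogoutResponse signing.

Added example, not Oracle/CPQ Cloud code. Reports whether a LogoutResponse
carries an enveloped XML signature referencing the response's own ID.
Structure only: cryptographic verification still needs xmlsec or a SAML library.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def check_logout_response(xml_text):
    """Return (ok, reason); ok is True only when a ds:Signature is present
    and its ds:Reference points at the LogoutResponse element itself."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        return False, "not a samlp:LogoutResponse"
    sig = root.find("ds:Signature", NS)          # must sit directly under the root
    if sig is None:
        return False, "unsigned: no ds:Signature element"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        return False, "malformed: no ds:Reference"
    if ref.get("URI") != "#" + root.get("ID", ""):
        return False, "reference URI does not match response ID"
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in transforms:
        return False, "missing enveloped-signature transform"
    return True, "signed (structure ok; verify cryptographically)"


# Constructed samples modelled on the unsigned and expected responses above.
UNSIGNED = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_a1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

SIGNED = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a2" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a2"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""

if __name__ == "__main__":
    for name, doc in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(name, check_logout_response(doc))
```

Running it against a captured CPQ Cloud response reproduces the Step 5 finding ("unsigned: no ds:Signature element") without needing the IDP's error page.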

Changes

No changes were made to the site. The SSO functionality in CPQ Cloud was not designed to return a signed response to a logout request initiated by the IDP.

Cause
