LogoutRequest NameID Format is Required?

[gcabrerap]

Hello guys,

We were doing an integration with ADFS, in the Logout section this could not end the session, reviewing the ADFS logs we found the following error:

Error message: MSIS7082: Unsolicited SAML logout response received.

Upon reviewing, we found that the "create_logout_request" function sends NameID as follows:

  xml = xmlbuilder.create({
    'samlp:LogoutRequest': {
      '@xmlns:samlp': XMLNS.SAMLP,
      '@xmlns:saml': XMLNS.SAML,
      '@ID': id,
      '@Version': '2.0',
      '@IssueInstant': (new Date()).toISOString(),
      '@Destination': destination,
      'saml:Issuer': issuer,
      'saml:NameID': name_id,
      'samlp:SessionIndex': session_index
    }
  }).end();

We make a change and the logout is completely completed:

  xml = xmlbuilder.create({
    'samlp:LogoutRequest': {
      '@xmlns:samlp': XMLNS.SAMLP,
      '@xmlns:saml': XMLNS.SAML,
      '@ID': id,
      '@Version': '2.0',
      '@IssueInstant': (new Date()).toISOString(),
      '@Destination': destination,
      'saml:Issuer': issuer,
      'saml:NameID':  {
        '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        '#text': name_id,
      },
      'samlp:SessionIndex': session_index
    }
  }).end();

Could it be reviewed by you to add it in a next version?

Thanks...

[mcab]

create_logout_request is called only by create_logout_request_url, which lets you specify options.name_id to set this value:

saml2/lib/saml2.coffee

Lines 677 to 680 in bd15dc9

	create_logout_request_url: (identity_provider, options, cb) =>
	identity_provider = { sso_logout_url: identity_provider, options: {} } if _.isString(identity_provider)
	options = set_option_defaults options, identity_provider.shared_options, @shared_options
	{id, xml} = create_logout_request @entity_id, options.name_id, options.session_index, identity_provider.sso_logout_url

saml2/lib/saml2.coffee

Lines 91 to 106 in bd15dc9

	create_logout_request = (issuer, name_id, session_index, destination) ->
	id = '_' + crypto.randomBytes( 21 ).toString( 'hex' )
	xml = xmlbuilder.create
	'samlp:LogoutRequest':
	'@xmlns:samlp': XMLNS.SAMLP
	'@xmlns:saml': XMLNS.SAML
	'@ID': id
	'@Version': '2.0'
	'@IssueInstant': (new Date()).toISOString()
	'@Destination': destination
	'saml:Issuer': issuer
	'saml:NameID': name_id
	'samlp:SessionIndex': session_index
	.end()
	{id, xml}

Is it possible to just define the format you want for the name_id there?

// From the example, not guaranteed to work:
app.get("/logout", function(req, res) {
  var options = {
    name_id: {
        "@Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "#text": user_session_name_id // somehow pulled from the user's session
    },
    session_index: session_index
  };

  sp.create_logout_request_url(idp, options, function(err, logout_url) {
    if (err != null)
      return res.send(500);
    res.redirect(logout_url);
  });
});