Error validating SAML logout request
-
Hi
We have just started with FusionAuth using a purely SAML integration and have hit an issue with a service provider-initiated logout request.
We think we have the configuration correct, but after the user is redirected to the FusionAuth logout page a call is made from the UI to the following endpoint, which results in the error shown below:
https://fa-dev.elateral-dev.io/samlv2/logout/complete
The SAMLRequest and signature validate OK for us in a SAML validation tool, so we're guessing it's some sort of configuration we have wrong.
fusionauth 2023-09-26 09:44:25.959 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
    at java.base/java.util.ImmutableCollections$ListN.indexOf(ImmutableCollections.java:716)
    at java.base/java.util.ImmutableCollections$AbstractImmutableList.contains(ImmutableCollections.java:329)
    at io.fusionauth.api.service.samlv2.DefaultSAMLv2ProviderService.validateRequest(DefaultSAMLv2ProviderService.java:522)
    at io.fusionauth.api.service.samlv2.DefaultSAMLv2ProviderService.validateLogoutRequest(DefaultSAMLv2ProviderService.java:466)
    at io.fusionauth.app.action.samlv2.logout.CompleteAction.lambda$post$0(CompleteAction.java:53)
    at io.fusionauth.app.action.samlv2.BaseSAMLAction.handleSAMLException(BaseSAMLAction.java:111)
    at io.fusionauth.app.action.samlv2.logout.CompleteAction.post(CompleteAction.java:41)
    at jdk.internal.reflect.GeneratedMethodAccessor475.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:443)
    at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:77)
    at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:60)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:50)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:45)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:49)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:74)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:58)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:92)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:50)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:113)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:65)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.cors.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:65)
    at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
    at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:108)
    at org.primeframework.mvc.PrimeMVCRequestHandler.handle(PrimeMVCRequestHandler.java:72)
    at io.fusionauth.http.server.HTTPWorker.run(HTTPWorker.java:50)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
Any help much appreciated!
-
Welcome to the FusionAuth community!
What version of FusionAuth are you running?
-
@dan continuing in a support thread.
-
Found the cause and the solution with the help of Joshua on support.
The SAML logout request was generated by a library we are using, saml2-js. It seems this library had an outstanding pull request to fix the SAML logout request by adding the nameid_format attribute to the nameid element in the logout request. Setting this attribute solved the problem, as per Joshua's suggestion:
Ideally, when completing a logout request, FusionAuth is provided a Name Id format of:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
or
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
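An added example (not code from saml2-js or FusionAuth) showing the shape of a LogoutRequest whose NameID carries an explicit Format attribute, next to a null-safe pre-flight check that reports a missing or unsupported Format as a validation failure instead of letting it surface as an exception like the trace above. The accepted-format list is taken from the two values named in this thread, the XML is assembled by hand without a signature, and the element and attribute names follow the SAML 2.0 protocol schema.

```javascript
// Added example: build a SAML 2.0 LogoutRequest with a NameID Format, and check one.
// Assumption: only these two formats are accepted, as stated in the thread above.
const ACCEPTED_NAMEID_FORMATS = [
  'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
];

function escapeXml(s) {
  return String(s).replace(/[<>&'"]/g, (c) => ({
    '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&apos;', '"': '&quot;',
  }[c]));
}

// nameIdFormat is optional on purpose: leaving it out reproduces a NameID element
// with no Format attribute, which is the pre-fix saml2-js output described above.
function buildLogoutRequest({ id, issuer, destination, nameId, nameIdFormat, issueInstant }) {
  const formatAttr = nameIdFormat ? ` Format="${escapeXml(nameIdFormat)}"` : '';
  return [
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"',
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"',
    ` ID="${escapeXml(id)}" Version="2.0" IssueInstant="${escapeXml(issueInstant)}"`,
    ` Destination="${escapeXml(destination)}">`,
    `<saml:Issuer>${escapeXml(issuer)}</saml:Issuer>`,
    `<saml:NameID${formatAttr}>${escapeXml(nameId)}</saml:NameID>`,
    '</samlp:LogoutRequest>',
  ].join('');
}

// Returns the NameID Format attribute value, or null when the element has none.
// A lightweight regex lookup is used here to keep the example dependency-free;
// a real validator should use an XML parser.
function extractNameIdFormat(xml) {
  const el = xml.match(/<saml:NameID\b([^>]*)>/);
  if (!el) return null;
  const fmt = el[1].match(/\bFormat="([^"]*)"/);
  return fmt ? fmt[1] : null;
}

// Null-safe check: a missing Format is a validation failure with a clear reason,
// never a NullPointerException-style crash inside a list lookup.
function checkLogoutRequest(xml) {
  const format = extractNameIdFormat(xml);
  if (format === null) return { ok: false, reason: 'NameID has no Format attribute' };
  if (!ACCEPTED_NAMEID_FORMATS.includes(format)) {
    return { ok: false, reason: `unsupported NameID Format: ${format}` };
  }
  return { ok: true, format };
}
```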