I am extremely new to SAML so please forgive me if I use the wrong terminology. I am using FusionAuth 1.30.2 as a SAML IDP and running into issues where FusionAuth generates a 500 Internal Server Error when it receives the logout request. Does FusionAuth expect the logout request to be a specific format?
My SP is using the following logout request template, but I have no idea if this is correct.
<samlp:LogoutRequest
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="id%%RANDOM_ID_HEX_32%%" Version="2.0" IssueInstant="%%NOW_WITH_MS%%" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">{{IDP_APP_ID}}</Issuer>
<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">%%NAME_ID%%</NameID>
samlp:SessionIndex%%SESSION_INDEX%%</samlp:SessionIndex>
</samlp:LogoutRequest>
{{IDP_APP_ID}} corresponds to the Issuer field I have configured in FusionAuth
Error from FusionAuth docker container logs
2021-10-31 6:21:54.535 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
at java.base/java.util.Objects.requireNonNull(Objects.java:222)
at java.base/java.util.ImmutableCollections$AbstractImmutableList.indexOf(ImmutableCollections.java:166)
at java.base/java.util.ImmutableCollections$AbstractImmutableList.contains(ImmutableCollections.java:197)
at io.fusionauth.api.service.samlv2.DefaultSAMLv2ProviderService.validateRequest(DefaultSAMLv2ProviderService.java:468)
at io.fusionauth.api.service.samlv2.DefaultSAMLv2ProviderService.validateLogoutRequest(DefaultSAMLv2ProviderService.java:415)
at io.fusionauth.app.action.samlv2.logout.CompleteAction.lambda$post$0(CompleteAction.java:46)
at io.fusionauth.app.action.samlv2.BaseSAMLAction.handleSAMLException(BaseSAMLAction.java:114)
at io.fusionauth.app.action.samlv2.logout.CompleteAction.post(CompleteAction.java:40)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:44)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:91)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:64)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at io.fusionauth.app.primeframework.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:51)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
at io.fusionauth.app.primeframework.FusionAuthMVCWorkflow.perform(FusionAuthMVCWorkflow.java:86)
at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:78)
at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:196)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:832)
FusionAuth Event Log
Incoming SAML v2 LogoutRequest.
Binding:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Deflated and encoded request:
lZFBS8QwEIXv/RUl9+4maZOtoS0KeymsHlzx4G02mdVCm9ROCvvzrV08CCJ6fbz38eZNRTD0ozmE1zDHR3yfkWJyGXpPNZsnbwJQR8bDgGSiNce7+4ORG24GjOAgAkvafc06V5alBqF351KLorBaK6VzK9XJFlI5cCx9xom64Gu2xFnaEs3Yeorg4yJxKTLBs1w8cW2kMGoxcf7C0rWKWUv+XmicQgw29KxJ0rRa8VP6h0OACKe4FGPNG4yI1faaXTEPi73d/xPjg8dbvMAw9rixYai2V8xKvM59RPrcovUOL42zSvOzPGXS2ZusyNFmIIXMtMJCCLkDC7ba/hBMvtRv32uSDw==
Decoded XML request:
<?xml version="1.0" encoding="UTF-8"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="id8886a167f86144c665563c25bc425dad" Version="2.0" IssueInstant="2021-10-31T06:21:52.000Z">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">hapee</Issuer>
<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">none@example.com</NameID>
samlp:SessionIndexdc560f2b-2dc9-43ec-a212-65e41127acac</samlp:SessionIndex>
</samlp:LogoutRequest>
SP debug logs
1635661312.256012 [00] generated random id: 8886a167f86144c665563c25bc425dad
1635661312.256031 [00] We will send this LogoutRequest to the IDP:
<samlp:LogoutRequest
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="id8886a167f86144c665563c25bc425dad" Version="2.0" IssueInstant="2021-10-31T06:21:52.000Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">hapee</Issuer>
<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">none@example.com</NameID>
samlp:SessionIndexdc560f2b-2dc9-43ec-a212-65e41127acac</samlp:SessionIndex>
</samlp:LogoutRequest>
1635661312.256088 [00] Checking ID: flags=0x11 expecting (null) (xpath=/samlp:LogoutRequest/@ID)
1635661312.256111 [00] Checking node 0x7f79947809e0 ID (0/1): name=ID value=id8886a167f86144c665563c25bc425dad attr_type=1 expect=(null). ret=0
1635661312.256119 [00] Checking ID: nb_nodes_total=1
1635661312.256123 [00] LogoutRequest ID: id8886a167f86144c665563c25bc425dad
1635661312.256207 [00] request: deflated+base64+urlencoded: lZFBS8QwEIXv%2fRUl9%2b4maZOtoS0KeymsHlzx4G02mdVCm9ROCvvzrV08CCJ6fbz38eZNRTD0ozmE1zDHR3yfkWJyGXpPNZsnbwJQR8bDgGSiNce7%2b4ORG24GjOAgAkvafc06V5alBqF351KLorBaK6VzK9XJFlI5cCx9xom64Gu2xFnaEs3Yeorg4yJxKTLBs1w8cW2kMGoxcf7C0rWKWUv%2bXmicQgw29KxJ0rRa8VP6h0OACKe4FGPNG4yI1faaXTEPi73d%2fxPjg8dbvMAw9rixYai2V8xKvM59RPrcovUOL42zSvOzPGXS2ZusyNFmIIXMtMJCCLkDC7ba%2fhBMvtRv32uSDw%3d%3d
1635661312.256223 [00] Redirecting to idp_logout_url page http://192.168.0.250:9011/samlv2/logout/37a61d5c-67d5-3395-8cb7-f1d779f2ceef?SAMLRequest=lZFBS8QwEIXv%2FRUl9%2B4maZOtoS0KeymsHlzx4G02mdVCm9ROCvvzrV08CCJ6fbz38eZNRTD0ozmE1zDHR3yfkWJyGXpPNZsnbwJQR8bDgGSiNce7%2B4ORG24GjOAgAkvafc06V5alBqF351KLorBaK6VzK9XJFlI5cCx9xom64Gu2xFnaEs3Yeorg4yJxKTLBs1w8cW2kMGoxcf7C0rWKWUv%2BXmicQgw29KxJ0rRa8VP6h0OACKe4FGPNG4yI1faaXTEPi73d%2FxPjg8dbvMAw9rixYai2V8xKvM59RPrcovUOL42zSvOzPGXS2ZusyNFmIIXMtMJCCLkDC7ba%2FhBMvtRv32uSDw%3D%3D