SAML Single Logout: NetScaler as SAML SP and Shibboleth as IDP

Article ID: CTX200392

Description

This article describes the NetScaler and Shibboleth configuration details required for Service Provider initiated SAML Single Logout with NetScaler being the Service Provider (SP) and Shibboleth being the Identity Provider (IDP).

For SAML SSO configuration, refer to CTX138748 - How to Configure NetScaler as SAML Service Provider and Shibboleth as SAML Identity Provider.

Background

In the Service Provider initiated logout model, the user treats the Service Provider as the portal and sends the logout request to the Service Provider. The Service Provider then sends a SAML Logout Request to the IDP through the user's browser. The IDP logs out the user's session and returns a Logout Response to the SP; on receiving it, the SP clears the existing session and presents a logout page to the user. This flow is depicted in the following diagram:

[Diagram: Service Provider initiated SAML Single Logout flow between the user's browser, NetScaler (SP) and Shibboleth (IDP)]

Prerequisites

  • NetScaler version 10.5 build 55.x.

  • Shibboleth-IdentityProvider version 2.4.2 and higher.

NetScaler Configuration

The Traffic Manager (TM) vserver retrieves the IDP's logout URL from the assertion; this is the IDP location to which the SAML Logout Request is POSTed. Because some IDPs do not send this value, the samlAction has a "logoutURL" parameter that can be configured with the logout URL; it is used only when the IDP does not send the logout URL as an attribute. If the IDP does send the logout URL in the assertion, the value from the assertion is used.

  1. Add SAML action as per the following command:
    add authentication samlAction shibboleth -samlIdPCertName shib-idp-242 -samlSigningCertName nssp-cert -samlRedirectUrl "https://idp.wi.int/idp/profile/SAML2/POST/SSO" -samlUserField nameid -samlIssuerName nssp.nsi-test.com -logoutURL https://idp.wi.int/idp/profile/SAML2/POST/SLO

  2. Configure the TM trafficAction and trafficPolicy with the following commands and bind the policy to the TM vserver. When the user accesses the logout page, NetScaler responds with a 200 OK containing a hidden form that carries the SAML Logout Request; the browser POSTs it to the IDP's logout URL. On successful logout at the IDP, the IDP POSTs a SAML Logout Response back to NetScaler. On receiving the Logout Response, NetScaler removes the AAA session and directs the user to the logout page.
    add tm trafficAction logout -initiateLogout ON
    add tm trafficPolicy logout "http.REQ.URL.CONTAINS(\"logout\")" logout

Shibboleth Configuration

  1. Add the following configuration to handler.xml file:

    <ph:ProfileHandler xsi:type="ph:SAML2SLO"
        inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST/SLO</ph:RequestPath>
    </ph:ProfileHandler>
  2. The IDP metadata file should contain the following element after the <SingleSignOnService…/> element:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.wi.int/idp/profile/SAML2/POST/SLO" />
  3. The SP metadata file should contain the following element after the <md:AssertionConsumerService …/> element:

    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://nssp.nsi-test.com/cgi/tmlogout"/>
  4. If you want to send the LogoutUrl as an attribute in the SAML Response from Shibboleth then add the following configuration in attribute-filter.xml file:

    <afp:AttributeFilterPolicy id="logoutUrl">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="logoutUrl">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    Also add the following configuration in attribute-resolver.xml file:

    <resolver:AttributeDefinition id="logoutUrl" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="logoutUrl">
    <resolver:Dependency ref="staticAttributes" />
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:logoutUrl" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.5.4.6" friendlyName="logoutUrl" />
    </resolver:AttributeDefinition>
    
    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
    <dc:Attribute id="logoutUrl">
    <dc:Value>https://idp.wi.int/idp/profile/SAML2/POST/SLO</dc:Value>
    </dc:Attribute>
    </resolver:DataConnector>

Sample SAML Logout Request

The following is a sample SAML logout request:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.wi.int/idp/profile/SAML2/POST/SLO" ID="_5fa98c04fb52e1b9d40b973d90d5e8d5" IssueInstant="2014-11-28T05:44:43Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">nssp.nsi-test.com</saml:Issuer>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
      <Reference URI="#_5fa98c04fb52e1b9d40b973d90d5e8d5">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
        <DigestValue>LE3yhSWD1kRgN2Vc51iEZSv6/RQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>M9/smcykeqwLpGOnR+qeocRe3jXjXCxTuQQA0e/g3lhdQMypXvvn6Iirg2DJiQ1zAkeAX7XCqkQAkDWKyGT8nwvn55aroTsJzPOYVObvQz9v0RrSuGbkqswUazZ5uLI4J7TByOq25ULIl5ehMEI4G/ENhK8F5f0UKPpktNf9axE=</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>[X509 certificate omitted]</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">_c362284b02861dfb8e40b025e031372e</saml:NameID>
  <samlp:SessionIndex>_24f642fcd26216bc421af33d91e686e3</samlp:SessionIndex>
  <saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2014-11-28T05:39:43Z" NotOnOrAfter="2014-11-28T05:49:43Z"></saml:Conditions>
</samlp:LogoutRequest>

The SessionIndex in the SAML Logout Request must be the same as the SessionIndex in the assertion of the SAML Response that the IDP sent when the session was created.

Sample SAML Logout Response

The following is a sample SAML logout response:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://nssp.nsi-test.com/cgi/tmlogout" ID="_4c9d0ad748372d11d257516598030c50" InResponseTo="_5fa98c04fb52e1b9d40b973d90d5e8d5" IssueInstant="2014-11-28T05:44:41.232Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssp.nsi-test.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_4c9d0ad748372d11d257516598030c50">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>YxJDI0uIXUH+2QgwB6auTvWBJDw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>nelmajhH6H5F3wx2IPLd7sXXHTfejwTaE6r0zDCTifMgtIacgkJ2jwEGowj9JcWFS/RKO6skbxRIj9j4F0KF5vuen2WF71IfWfKNdRfXYWbo+/LdILD6sLhRgU/Qpr0CgFyh7RCCRWzJrGFGZIs3HcwzhRurv+UPu0dylhiG5iaNDjXJ3HhQkHQZH21pEzcbFpeW6jHce/brY7OQ5GXxQb5iSPPXetxgD+3X9/ekZKdhmXtqnPOvrbaFJeDi+5jfNhR1NCnNQyE6MwyRgTSt+uGNX33d7TinQ+3XlnFqngIuNnk4L2nS06bUMon+M6MQV6TGujBYL1i+LsLPIqsxBQ==</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>[X509 certificate omitted]</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
    </saml2p:StatusCode>
  </saml2p:Status>
</saml2p:LogoutResponse>
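As an added example (not code from the article, NetScaler or Shibboleth), the following Python applies the correlation checks an SP should make on the Logout Request it sends and the Logout Response it receives, using messages constructed from the two samples above: the request's SessionIndex must equal the one stored from the login assertion, and the response's InResponseTo, Destination, Issuer, IssueInstant and Status are checked before the session is dropped. The expected issuer and the 5 minute skew window are assumptions passed in by the caller; XML signature verification is out of scope here.

```python
# Added example (not from the Citrix article): the correlation checks an SP
# should make on the SLO messages above before tearing down its own session.
# XML signature verification is assumed to have happened before these checks.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed from the article's samples with the signatures stripped.
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
 Destination="https://idp.wi.int/idp/profile/SAML2/POST/SLO"
 ID="_5fa98c04fb52e1b9d40b973d90d5e8d5" IssueInstant="2014-11-28T05:44:43Z">
 <saml:Issuer>nssp.nsi-test.com</saml:Issuer>
 <saml:NameID>_c362284b02861dfb8e40b025e031372e</saml:NameID>
 <samlp:SessionIndex>_24f642fcd26216bc421af33d91e686e3</samlp:SessionIndex>
</samlp:LogoutRequest>"""
LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
 Destination="https://nssp.nsi-test.com/cgi/tmlogout" ID="_4c9d0ad748372d11d257516598030c50"
 InResponseTo="_5fa98c04fb52e1b9d40b973d90d5e8d5" IssueInstant="2014-11-28T05:44:41.232Z">
 <saml:Issuer>nssp.nsi-test.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
 </samlp:StatusCode></samlp:Status>
</samlp:LogoutResponse>"""
NOW = datetime(2014, 11, 28, 5, 44, 43, tzinfo=timezone.utc)  # pinned clock

def check_logout_request(request_xml, stored_session_index, idp_slo_url):
    """Problems with the LogoutRequest the SP is about to POST (empty = fine)."""
    req = ET.fromstring(request_xml)
    problems = []
    if req.get("Destination") != idp_slo_url:
        problems.append("Destination is not the IDP SLO endpoint")
    if req.findtext("samlp:SessionIndex", namespaces=NS) != stored_session_index:
        problems.append("SessionIndex differs from the login assertion's")
    if req.find("saml:NameID", namespaces=NS) is None:
        problems.append("NameID missing")
    return problems

def check_logout_response(request_xml, response_xml, sp_slo_url, issuer, now=NOW):
    """Return (accept, problems); accept only when the IDP reported Success."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    problems = []
    if resp.get("InResponseTo") != req.get("ID"):
        problems.append("InResponseTo does not match our LogoutRequest ID")
    if resp.get("Destination") != sp_slo_url:
        problems.append("Destination is not this SP's SLO endpoint")
    if resp.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("unexpected Issuer")
    issued = datetime.fromisoformat(resp.get("IssueInstant").replace("Z", "+00:00"))
    if abs((now - issued).total_seconds()) > 300:  # 5 minutes of clock skew
        problems.append("IssueInstant outside the accepted skew window")
    # Nested StatusCodes: the top-level value decides, the inner one explains.
    codes = [c.get("Value") for c in resp.iter("{%s}StatusCode" % NS["samlp"])]
    if codes[:1] != [SUCCESS]:
        problems.append("IDP status: " + (" / ".join(codes) or "none"))
    return (not problems, problems)
```

Note that the article's sample response carries the status Requester with the sub-status UnknownPrincipal rather than Success, so this check rejects it as written.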

SAML SLO Counters on NetScaler

The following are the SAML SLO counters on NetScaler:

root@ns# nsconmsg -g saml -d stats | grep logout
   17       0                 0 saml_parse_logout_fail
   19       0                 0 saml_tot_sp_init_logout

Debug Messages in ns.log

The following are the debug messages in the ns.log file:

root@ns# tail -f /var/log/ns.log

Jan 13 23:22:17 <local0.debug> 10.217.28.160 01/13/2015:23:22:17 GMT  0-PPE-0 : AAATM Message 3296 0 :  "SAML: Parsed attribute: logouturl, value: https://idp.wi.int/idp/profile/SAML2/POST/SLO"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM HTTPREQUEST 927 0 : Context _57007c730f84b76545378fd2e042fc95@10.252.112.245 - SessionId: 58- nssp.nsi-test.com User _57007c730f84b76545378fd2e042fc95 : Group(s) N/A : Vserver 10.217.28.163:443 - 01/13/2015:23:22:22 GMT GET /logout.html - -
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 928 0 :  "cookie idx is 15, tmaaa cookie 9, temp cookie 95"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 929 0 :  "SAML: Prepare Signature, Digest Method 1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_5b0a0f6b2f6eec89cdf607eb6935af8d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>Vd8/4X1ydJekYoWX8KMDSKZ/XWI=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 930 0 :  "SAML: Prepare Signature, Signature element is <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_5b0a0f6b2f6eec89cdf607eb6935af8d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>Vd8/4X1ydJekYoWX8KMDSKZ/XWI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Q7iXUJVE59jiSfUZeS4OPhapBNcDnAopi1dMjforxwYanl8QMiFNKOkaiCd8oqtj+YbrvskDx2jZ/RzHbC497qbJBjjo28CDX/EgPmeN1tYaVCSgMcO6xim0R1FOqWDp
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 931 0 :  "SAMLIDP: LogoutResponse: signature method seen is 4"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 932 0 :  "SAMLIDP: LogoutResponse: digest method seen is 1"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 933 0 :  "SAML verify digest: digest algorithm 1, input for digest: <saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://nssp.nsi-test.com/cgi/tmlogout" ID="_46ea47ff2626dde8a54e95c4d8163e21" InResponseTo="_5b0a0f6b2f6eec89cdf607eb6935af8d" IssueInstant="2015-01-13T23:22:18.006Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssp.nsi-test.com</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"></saml2p:StatusCode></saml2p:StatusCode></saml2p:Status></saml2p:LogoutResponse>"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 934 0 :  "SAML signature validation: algorithm is 4 input buffer is: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_46ea47ff2626dde8a54e95c4d8163e21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>hk54mIw1a7WB7MqvkkPOsLJx5i4=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM HTTPREQUEST 936 0 : Context _57007c730f84b76545378fd2e042fc95@10.252.112.245 - SessionId: 58- nssp.nsi-test.com User _57007c730f84b76545378fd2e042fc95 : Group(s) N/A : Vserver 10.217.28.163:443 - 01/13/2015:23:22:22 GMT GET /logout.html - -
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT  0-PPE-1 : AAATM Message 937 0 :  "cookie idx is 15, tmaaa cookie 9, temp cookie -1"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : SSLLOG SSL_HANDSHAKE_SUCCESS 1026 0 :  SPCBId 561 - ClientIP 10.252.112.245 - ClientPort 50164 - VserverServiceIP 10.217.28.163 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session Reuse
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : SSLLOG SSL_HANDSHAKE_SUCCESS 1027 0 :  SPCBId 563 - ClientIP 10.252.112.245 - ClientPort 50165 - VserverServiceIP 10.217.28.163 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session Reuse
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : AAATM Message 1028 0 :  "mp creating session on 2, pck 1421191337, state 16"
Jan 13 23:22:25 <local0.err> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : SSLVPN REMOVE_SESSION 1029 0 :  Sessionid 58 - User _57007c730f84b76545378fd2e042fc95 - Client_ip 10.252.112.245 - Nat_ip "Mapped Ip" - Vserver_ip 10.217.28.164 - Errmsg "user initiated remove aaa session"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : SSLVPN Message 1030 0 :  "SSID 3a remove session PE : 2, owner : 0, ref : 0, exp : 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : SSLVPN Message 1031 0 :  "removing session 58"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-0 : SSLVPN Message 3309 0 :  "SSID 3a remove session PE : 0, owner : 1, ref : 0, exp : 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-0 : SSLVPN Message 3310 0 :  "removing session 58"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-0 : SSLVPN Message 3311 0 :  "vpn log logout message for 58 10ms ticks 9b41c1"
Jan 13 23:22:25 <local0.info> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-0 : AAATM LOGOUT 3312 0 : Context _57007c730f84b76545378fd2e042fc95@10.252.112.245 - SessionId: 58- User _57007c730f84b76545378fd2e042fc95 - Client_ip 10.252.112.245 - Nat_ip "Mapped Ip" - Vserver 10.217.28.163:443 - Start_time "01/13/2015:23:22:17 GMT" - End_time "01/13/2015:23:22:25 GMT" - Duration 00:00:08  - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "FreedViaDHT" - Group(s) "N/A"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : AAATM Message 1032 0 :  "SAMLSP dht-free: Core 2: freeing entry for _4f91c30925c5a15d21ed176a44690ec3"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-2 : AAATM Message 1033 0 :  "SAMLSP updateNotification: Core 2: Logout message received for , DHT delete returned 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-0 : AAATM Message 3313 0 :  "SAMLSP dht-free: Core 0: freeing entry for _4f91c30925c5a15d21ed176a44690ec3"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-0 : AAATM Message 3314 0 :  "SAMLSP updateNotification: Core 0: Logout message received for , DHT delete returned 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-1 : SSLVPN Message 938 0 :  "SSID 3a remove session PE : 1, owner : 0, ref : 0, exp : 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT  0-PPE-1 : SSLVPN Message 939 0 :  "removing session 58"
