KasiaKielbasaGroup-9412 asked ShwetaMathur edited

Azure b2c as identity provider for zendesk application problem with sessionIndex on logout

Hi,

I have set up SSO for Zendesk with an Azure B2C tenant as Identity Provider (Azure B2C local accounts only) and IdP-initiated flow using this documentation: https://docs.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy. Here is how the Technical Profile and Relying Party are configured in the custom policy for SAML:

 <ClaimsProviders>
     <ClaimsProvider>
         <DisplayName>Saml Token Issuer</DisplayName>
         <TechnicalProfiles>
             <!-- Sample: SAML Token Issuer technical profile -->
             <TechnicalProfile Id="Saml2AssertionIssuer">
                 <DisplayName>Token Issuer</DisplayName>
                 <Protocol Name="SAML2" />
                 <OutputTokenFormat>SAML2</OutputTokenFormat>
                 <Metadata>
                     <Item Key="IssuerUri">http://{tenant}/{}.onmicrosoft.com/B2C_1A_signin_Zendesk</Item>
                     <Item Key="XmlSignatureAlgorithm">Sha256</Item>
                 </Metadata>
                 <CryptographicKeys>
                     <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
                     <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
                     <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SamlIdpCert" />
                 </CryptographicKeys>
                 <InputClaims />
                 <OutputClaims />
                 <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
             </TechnicalProfile>
             <!-- Session management technical profile for SAML based tokens -->
             <TechnicalProfile Id="SM-Saml-issuer">
                 <DisplayName>Session Management Provider</DisplayName>
                 <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
             </TechnicalProfile>
         </TechnicalProfiles>
     </ClaimsProvider>
 </ClaimsProviders>

 <RelyingParty>
     <DefaultUserJourney ReferenceId="CustomSignUpOrSignIn" />
     <UserJourneyBehaviors>
         <SessionExpiryType>Rolling</SessionExpiryType>
         <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
         <ScriptExecution>Allow</ScriptExecution>
     </UserJourneyBehaviors>
     <TechnicalProfile Id="PolicyProfile">
         <DisplayName>PolicyProfile</DisplayName>
         <Protocol Name="SAML2" />
         <Metadata>
             <Item Key="IdpInitiatedProfileEnabled">true</Item>
             <Item Key="XmlSignatureAlgorithm">Sha256</Item>
         </Metadata>
         <OutputClaims>
             <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="sub" />
             <OutputClaim ClaimTypeReferenceId="givenName" />
             <OutputClaim ClaimTypeReferenceId="surname" />
             <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
         </OutputClaims>
         <SubjectNamingInfo ClaimType="sub" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" ExcludeAsClaim="false" />
     </TechnicalProfile>
 </RelyingParty>

In the manifest I have set up identifierUris and samlMetadataUrl, which is similar to the one from the Zendesk documentation (https://support.zendesk.com/hc/en-us/articles/4408887505690-Enabling-SAML-single-sign-on):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="yoursubdomain.zendesk.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yoursubdomain.zendesk.com/access/saml"/>
</SPSSODescriptor>
</EntityDescriptor>


Sign in works as expected.

For sign out I am calling the URL from SingleLogoutService (set up as the remote logout URL in the Zendesk configuration): <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signin_Zendesk/samlp/sso/logout"/>.
Sign out doesn't work. I am getting this message from Azure B2C: 'AADB2C99046: The logout request does not include a session index.'. The logout request is issued by the SP, i.e. Zendesk, as per their implementation, and it just happens not to contain a session index:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-ca7b06d7-1119-490c-8567-577167fa5f62" IssueInstant="2022-05-03T21:51:38Z" Version="2.0">
<saml:Issuer>https://blabla.zendesk.com</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@test.com</saml:NameID>
</samlp:LogoutRequest>

What can be done in this situation? Should there be an additional wrapper service between Azure B2C and Zendesk that reads the session index from the SAML login response and adds it to the logout request issued by Zendesk, so that this new request can then be sent to the SingleLogoutService of the Azure B2C tenant?
Or is there a smarter way of handling SAML logout in Azure when I don't have a session index on the logout request from Zendesk (maybe I am missing something in my configuration)?

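The "wrapper service" idea raised in the question, as an added sketch that is not from the question, from Microsoft or from Zendesk: at login it records the SessionIndex from the IdP's Response per NameID, and at logout it inserts that value into an SP LogoutRequest that lacks one (the shape B2C rejects with AADB2C99046). The sample Response and LogoutRequest below are constructed, and signing of the rebuilt request is not covered.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample of the relevant part of an IdP login Response (assumed shape).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>test@test.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2022-05-03T21:40:00Z" SessionIndex="_sess-0001"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed LogoutRequest with the same shape as the one quoted in the question.
SAMPLE_LOGOUT = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-1" Version="2.0">
<saml:Issuer>https://blabla.zendesk.com</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@test.com</saml:NameID>
</samlp:LogoutRequest>"""


def record_login(store: dict, response_xml: str) -> str:
    """At login: remember NameID -> SessionIndex from the first AuthnStatement."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if name_id is None or stmt is None or "SessionIndex" not in stmt.attrib:
        raise ValueError("response lacks NameID or AuthnStatement/SessionIndex")
    store[name_id.text] = stmt.attrib["SessionIndex"]
    return stmt.attrib["SessionIndex"]


def fix_logout(store: dict, logout_xml: str) -> str:
    """At logout: append <samlp:SessionIndex> looked up by the request's NameID.
    Returns the request unchanged if it already carries one."""
    root = ET.fromstring(logout_xml)
    if root.find("samlp:SessionIndex", NS) is not None:
        return logout_xml
    name_id = root.find("saml:NameID", NS)
    if name_id is None or name_id.text not in store:
        raise KeyError("no recorded session index for this NameID")
    # Schema order is Issuer, NameID, then SessionIndex, so appending is correct.
    el = ET.SubElement(root, f"{{{NS['samlp']}}}SessionIndex")
    el.text = store[name_id.text]
    return ET.tostring(root, encoding="unicode")


def session_index_of(logout_xml: str):
    """Return the SessionIndex text of a LogoutRequest, or None if absent."""
    el = ET.fromstring(logout_xml).find("samlp:SessionIndex", NS)
    return None if el is None else el.text
```

Because the rewritten request is a new message, any signature the IdP expects on it would have to be produced by the wrapper itself, and the NameID-to-SessionIndex store must be protected like any other session state.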

Hi @KasiaKielbasaGroup-9412,

Thanks for reaching out and apologies for the delay in response.

The only truly reliable way to completely log out of SAML SSO is to delete all sessions, including identity provider sessions and all service provider sessions. Normally, this can be done simply by closing the browser.

Thanks,
Shweta


0 Answers