djangosaml2idp logout throwing ServiceError exception: 'str' object has no attribute 'destination'


I am trying to implement SAML in Django and I have two servers, example.com and idp.example.com. On the IDP server, I am using djangosaml2idp. I have been able to implement the login functionality successfully, but the logout is failing on the IDP server.

Checking logs on idp.example.com reveals the following issue:

ServiceError: 'str' object has no attribute 'destination'
{'status': 400}
Traceback (most recent call last):
  File "/home/user/env/lib/python3.9/site-packages/djangosaml2idp/views.py", line 394, in get
    hinfo = idp_server.apply_binding(binding, resp.__str__(), resp.destination, relay_state, response=True)
AttributeError: 'str' object has no attribute 'destination'

The logout response is as follows:

<?xml version="1.0"?>
<ns0:LogoutResponse xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-ut92BEZeWf4Bymt5n" InResponseTo="id-Jw2GziOSEBcu0T0xF" Version="2.0" IssueInstant="2023-05-01T06:17:12Z" Destination="https://example.com/saml2/ls/post/"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/idp/metadata/</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-ut92BEZeWf4Bymt5n"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>9FfKP4MG0dA+5qyvrQlImjVjTSo=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>nJcmrDFNtsp/ngbHxxltj7A+KFfuDj4iM7myN9ZO0QmfkX1iwIu+i6+0JZ3j58m8
XJuMk3da2+DMiV9hnTTIyz/aMNWZmPvsxL7gUoSSyqtC6QDUcQcqubRjuA5pwJNW
b/kG5WxpAwWp5IF/suLCrbP00F+to633bGij/WHvz5EnO93YBcjNcLGJIw3lD+Uw
v6uKsT/dh/qV08b84VnBXZYJN7qOz9/YZ4cA4DeApgEn1Yl7PC/sSSoiwXt7mr3Y
xVqsJjbxVNBHES+AQUd6/paO6cc6qgoQIsmHOnz9//tyPMgU3xOZ1P5nYvcOjX0K
5baIISRe0IGcQfoib7FJWg==</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIIDGzCCAgOgAwIBAgIUd0aRekN/sTmINbOXE7IragHy5UwwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAwwSaWRwLnJlZ2V4cGxvcmUuY29tMB4XDTIzMDQyMDEwNTkxN1oXDTMzMDQxNzEwNTkxN1owHTEbMBkGA1UEAwwSaWRwLnJlZ2V4cGxvcmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvzdfnFfUhoTmuRpqBLabIBiWUjRZZ2OwxfJlRki1eyOjmi/lySbCY3/PSQG+KZ47mpxiz2+gTkdj6hTilRGvvCpXsJuHvNWE4w2yS6n8Weps40Rpb9uEihfljhCL2h/ImRakXohPd8x/0FXbozZZLLwudyhEpBFcRjnHoFgxmnVFQyox2+M6tpBOOg6sRTVpcX6eVpfxKPXg+Anp5xWQtyXI0+gGRqB6bTh/BZVLIgCNj/KpoU4f7AjcFVALe6GfakXPlAjPvN1W0GJhIwfDLGtYgNA5cAW5GebBIlDOvZjRFet9+sJ6XiqR5RZnZQHe/NEpS5TrQXLhM3y60x6lrQIDAQABo1MwUTAdBgNVHQ4EFgQUXhIrqxid+CLwzXs6xkjNtAob3mQwHwYDVR0jBBgwFoAUXhIrqxid+CLwzXs6xkjNtAob3mQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAfrCNy+9OHbGGWKDM6KIzsw+q+rUlq55mKENR/E57UiJn+RauNx2rneXKSVcDuNVD+Gk5nXc3wqzbmuCKxvjF5Sdb/E4uwhI1ohw0tieAqQu5k1juMuCeGVeAMClFtoc681b3nUsKS5LyUJBtO8rxLEMC6MT70JB3xxqVgzCe1Q5VhwUfPiyEAXsH4WfjolPCKogZF1dE/dRA2o3Iw4J/yb+RiMf6cukELogibQfHom0No7YzH0xsSsnFAPaukySJdpuW6DUwRVDTSPaYPDFDadqY2FrlzWPvSy6p2KkcclPWmsj/kjAfXmI4MrXJ7t5WUzQUFw2mfab/rKBSn8i4uA==</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status></ns0:LogoutResponse>

The logout request is:

<ns0:LogoutRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-zbR5HVY133M5pBlKh" Version="2.0" IssueInstant="2023-08-30T10:52:22Z" Destination="https://idp.example.com/idp/slo/post/" Reason=""><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.com/saml2/metadata/</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#id-zbR5HVY133M5pBlKh"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue>ofpQOkMZCD11c6gU/tiM1PLVS4qZeYpD22vFKlMWkUA=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>kZJgB1ukq56NFI47qUIYsV1zfP+yJcGGa3609kvL9pWor+li2x4mkk2H5EKRwF+E
9AfI4OtYFCNwOWWATNeG9C7waQbJQnhxgJaucBukizL0UGTQtNlKbAy+U5u484a5
NGOM3j4TTisUk0+h2HUJmcUa35mpKPbZeds+PAJvSLKbt+um3jYkO8tj4jr6wDMq
CszmV3a+aKIKg80WACdXr3pNcTrGF/PDYkR4p0IvgBOulY3FmNbuUuIais/9ATZx
Wdbb3MJW29ZxuahBwRm6o4BB1NfsLbgkDlP8Fr2TM498bGYzcuKsBPjebXzqVgq+
qFGLJCUATKxWnJ+ZfPSJ2g==</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:NameID SPNameQualifier="https://example.com/saml2/metadata/" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</ns1:NameID><ns0:SessionIndex>id-XgRiGXMCTBEbnEIWN</ns0:SessionIndex></ns0:LogoutRequest>

I tried checking both the logout request and the response on https://samltool.io/ and found that the logout request signature is invalid. Below is the output displayed by the SAML tool:

XMLJS0013: Cryptographic error: Invalid digest for uri '#id-zbR5HVY133M5pBlKh'. Calculated digest is ClG8RdIiatfXvaWlfclZRbsqo+cxcjBcoymF5g/j0R0= but the xml to validate supplies digest ofpQOkMZCD11c6gU/tiM1PLVS4qZeYpD22vFKlMWkUA=

Answer by Narbhakshi:

There can be an issue with the destination attribute when processing the SAML logout request on the IDP server using the djangosaml2idp library.

The SAML LogoutResponse's destination attribute is not correctly parsed by djangosaml2idp, leading to the AttributeError.

To resolve this issue, you can double-check your SAML configuration on both the Service Provider (SP) side (example.com) and the Identity Provider (IDP) side (idp.example.com). Ensure that the destination attribute in the SAML LogoutResponse matches the expected URL on the IDP side.
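The following script is an added example, not code from the question, the answer or djangosaml2idp. It does the kind of consistency check the answer suggests (compare each message's Destination with the endpoint you expect) and extends it with the other fields a single-logout exchange has to agree on: the signature Reference URI must point at the message's own ID, and the response's InResponseTo must equal the request's ID. It deliberately does not verify the digest or the signature; that needs an XML-DSig implementation with exclusive C14N (pysaml2/xmlsec do it), and the samltool.io output above already shows the digest does not verify. The two messages are constructed, abbreviated copies of the ones quoted in the question (same IDs, Destination, Issuer, InResponseTo and DigestValue; SignatureValue, certificate and the NameID value are replaced), and the expected SLO URLs are assumed from the messages' own Destination attributes. Run against those two messages it reports one problem: the response's InResponseTo (id-Jw2GziOSEBcu0T0xF) is not the ID of the request shown (id-zbR5HVY133M5pBlKh), so the two messages posted are not a matching pair.

```python
import xml.etree.ElementTree as ET

# Namespace map for the find() calls below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, abbreviated copies of the two messages in the question.
# IDs, Destination, Issuer, InResponseTo and DigestValue are the page's values;
# SignatureValue, X509Certificate and the NameID value are left out / replaced.
LOGOUT_REQUEST = """<ns0:LogoutRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
  ID="id-zbR5HVY133M5pBlKh" Version="2.0" IssueInstant="2023-08-30T10:52:22Z"
  Destination="https://idp.example.com/idp/slo/post/" Reason="">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.com/saml2/metadata/</ns1:Issuer>
  <ns2:Signature Id="Signature1"><ns2:SignedInfo>
    <ns2:Reference URI="#id-zbR5HVY133M5pBlKh">
      <ns2:DigestValue>ofpQOkMZCD11c6gU/tiM1PLVS4qZeYpD22vFKlMWkUA=</ns2:DigestValue>
    </ns2:Reference>
  </ns2:SignedInfo></ns2:Signature>
  <ns1:NameID SPNameQualifier="https://example.com/saml2/metadata/"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</ns1:NameID>
  <ns0:SessionIndex>id-XgRiGXMCTBEbnEIWN</ns0:SessionIndex>
</ns0:LogoutRequest>"""

LOGOUT_RESPONSE = """<ns0:LogoutResponse xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
  ID="id-ut92BEZeWf4Bymt5n" InResponseTo="id-Jw2GziOSEBcu0T0xF" Version="2.0"
  IssueInstant="2023-05-01T06:17:12Z" Destination="https://example.com/saml2/ls/post/">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/idp/metadata/</ns1:Issuer>
  <ns2:Signature Id="Signature1"><ns2:SignedInfo>
    <ns2:Reference URI="#id-ut92BEZeWf4Bymt5n">
      <ns2:DigestValue>9FfKP4MG0dA+5qyvrQlImjVjTSo=</ns2:DigestValue>
    </ns2:Reference>
  </ns2:SignedInfo></ns2:Signature>
  <ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status>
</ns0:LogoutResponse>"""


def describe(xml_text):
    """Extract the fields a logout-exchange check needs from one SAML message."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    digest = ref.find("ds:DigestValue", NS) if ref is not None else None
    return {
        "type": root.tag.split("}", 1)[1],  # LogoutRequest or LogoutResponse
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "reference_uri": ref.get("URI") if ref is not None else None,
        "digest_value": digest.text.strip() if digest is not None and digest.text else None,
    }


def check_logout_pair(request_xml, response_xml, idp_slo_url, sp_slo_url):
    """Return the list of consistency problems; an empty list means the pair lines up.

    Structural checks only: no digest or signature verification is done here.
    """
    req, resp = describe(request_xml), describe(response_xml)
    problems = []
    if req["type"] != "LogoutRequest":
        problems.append(f"first message is a {req['type']}, not a LogoutRequest")
    if resp["type"] != "LogoutResponse":
        problems.append(f"second message is a {resp['type']}, not a LogoutResponse")
    for name, msg in (("request", req), ("response", resp)):
        # The enveloped signature must cover the element it sits in.
        if msg["reference_uri"] != f"#{msg['id']}":
            problems.append(f"{name}: Reference URI {msg['reference_uri']!r} "
                            f"does not point at ID {msg['id']!r}")
        if msg["digest_value"] is None:
            problems.append(f"{name}: SignedInfo carries no DigestValue")
    # Each side should only accept a message addressed to its own SLO endpoint.
    if req["destination"] != idp_slo_url:
        problems.append(f"request Destination {req['destination']!r} != IdP SLO {idp_slo_url!r}")
    if resp["destination"] != sp_slo_url:
        problems.append(f"response Destination {resp['destination']!r} != SP SLO {sp_slo_url!r}")
    # The response must answer this request and not some earlier one.
    if resp["in_response_to"] != req["id"]:
        problems.append(f"response InResponseTo {resp['in_response_to']!r} "
                        f"does not match request ID {req['id']!r}")
    return problems


if __name__ == "__main__":
    # Assumed endpoints, taken from the Destination attributes in the question.
    for p in check_logout_pair(LOGOUT_REQUEST, LOGOUT_RESPONSE,
                               "https://idp.example.com/idp/slo/post/",
                               "https://example.com/saml2/ls/post/"):
        print("PROBLEM:", p)
```

Because the check reads the raw XML rather than pysaml2's parsed objects, it can be run on messages copied out of the IdP or SP logs before `apply_binding` is ever reached, which separates "the exchange itself is inconsistent" from "the library returned a string where a response object was expected".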