When testing Logout on a 4.0.1 IdP without backchannel support, I saw the IdP PropagateLogout flow was sending the Logout requests to SPs via the Artifact profile, unaware the IdP does not have an endpoint to resolve the artifact.
I found I could get Logout working by commenting the Artifact profile out in shibboleth.OutgoingSOAPBindings in system/conf/saml-binding-config.xml - but that is a system/ file.
I think this is a legitimate use case (Logout with no back-channel) and it should be possible to stop the IdP from sending logout requests via the artifact profile - with just standard config, without touching system/ files.
Thanks a lot in advance for looking into this!
Cheers, Vlad
Environment
None
Activity
Vlad Mencl
January 26, 2021 at 12:41 AM
Thanks for the reply.
Yes, this works exactly as it should.
Apologies, I missed this setting and was assuming the tweak is not there ... it is.
Sorry, this ticket can now be closed....
Scott Cantor
January 25, 2021 at 11:39 PM
Unless there's a bug, this should be controlled by the idp.artifact.enabled property; that's how you prevent outbound artifact use if you don't support it.