Facilitate signing Logout messages
Description
SAML2 Single Logout Profile requires LogoutRequest and LogoutResponse messages to be signed when sent over HTTP Redirect or POST bindings. It can be achieved right now by setting signing="front" or signing="true", but it has a side effect of signing every other message (which is probably unnecessary). If it could be done implicitly (and by default), that could make deploying logout easier.
Environment
None
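The requirement in the description above, as an added example that is not part of the original issue or the project's code: a check that flags LogoutRequest/LogoutResponse messages sent over the HTTP-Redirect binding without the `SigAlg` and `Signature` query parameters. It covers only the Redirect binding and only the presence of the parameters; the URL, IDs and placeholder signature value are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MUST_SIGN = {"LogoutRequest", "LogoutResponse"}  # the messages named in the description

def check_redirect_url(url):
    """Return (message_type, ok, reason) for a SAML HTTP-Redirect URL.

    Only the presence of the SigAlg and Signature query parameters is checked;
    the signature value itself is not verified here.
    """
    params = parse_qs(urlsplit(url).query)
    value = params.get("SAMLRequest") or params.get("SAMLResponse")
    if not value:
        return (None, False, "no SAMLRequest/SAMLResponse parameter")
    # Redirect binding: base64 over raw DEFLATE (no zlib header, hence wbits=-15).
    root = ET.fromstring(zlib.decompress(base64.b64decode(value[0]), -15))
    ns, _, local = root.tag.lstrip("{").partition("}")
    if ns != SAMLP_NS:
        return (root.tag, False, "not a SAML 2.0 protocol message")
    signed = "SigAlg" in params and "Signature" in params
    if local in MUST_SIGN and not signed:
        return (local, False, "logout message without SigAlg/Signature")
    return (local, True, "signed" if signed else "unsigned, not a logout message")

def build_url(xml, signed):
    """Build a constructed Redirect-binding URL; the Signature is a placeholder."""
    deflater = zlib.compressobj(wbits=-15)
    query = {"SAMLRequest": base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()}
    if signed:
        query["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        query["Signature"] = "Y29uc3RydWN0ZWQ="  # placeholder, not a real signature
    return "https://idp.example.org/SLO/Redirect?" + urlencode(query)

def sample(name):
    """Constructed minimal SAML protocol message with the given element name."""
    return ('<samlp:%s xmlns:samlp="%s" ID="_constructed" Version="2.0" '
            'IssueInstant="2011-11-15T11:03:00Z"/>' % (name, SAMLP_NS)).encode()

if __name__ == "__main__":
    for name, signed in [("LogoutRequest", False), ("LogoutRequest", True), ("AuthnRequest", False)]:
        print(check_redirect_url(build_url(sample(name), signed)))
```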
Activity
Scott Cantor
November 15, 2011 at 3:45 PM
Sorry, I meant the former, me testing against an IdP with a test account. I have a lot of logout related bugs to fix. At some point testing by you would be helpful too, but I can do a lot of it up front.
I'll send you email directly with some information once I have a testbed that's publicly accessible.
bajnokk@niif.hu
November 15, 2011 at 11:03 AM
Scott, thanks for the fix!
What do you mean by testbed? We can exchange metadata, so that you could test the changes yourself by using one of our public test IdPs. If you want us to test, then please specify what parts of the stack need to be recompiled.