ProfileConfiguration-SAML2Logout
- Scott Cantor
Options specific to the SAML 2.0 Single Logout profile:
Name | Type | Default | Description |
|---|---|---|---|
qualifiedNameIDFormats | Collection<String> | See below | |
signSOAPRequests | Boolean | See below | Whether to sign SOAP logout requests |
clientTLSSOAPRequests | Boolean | See below | Whether to rely on client TLS for SOAP logout requests |
Guidance
The qualifiedNameIDFormats option was added to deal with an interoperability issue involving the matching of SAML <NameID> elements between the values issued by the IdP and values received in <LogoutRequest> messages. The two have to "match", and the IdP was imposing a strict rule that required all the various bits of a <NameID> to be equal, which is the conservative approach, but it relies on SPs not modifying the data they receive unnecessarily.
While that's the expected behavior, not all SPs do this correctly, and there are some edge cases in the standard whereby some <NameID> Formats are defined in such a way that the NameQualifier and SPNameQualifier attributes are permitted to "default" to values based on the entityIDs of the IdP and SP at runtime.
The IdP now supports this defaulting during its logout comparisons for the two Formats for which this defaulting is explicitly defined in the standard, namely "persistent" and "transient". The configuration option allows deployers to add additional custom Formats to the set for which this behavior is in effect.
While it is possible to add additional standard Formats to this set, it bears noting that none of them are defined by the standard to be compared in that fashion. They shouldn't even have qualifiers, in fact.
The signing and TLS options pertain to the handling of SOAP-based logout requests, and the defaults are generally appropriate; signing is used when the peer hosts SOAP over a standard TLS port, while client TLS is used when a non-default port is used (for compatibility with older systems).
Â