user1161505

Reputation: 193

Shibboleth SAML2 LogoutRequest needs to include NameID

I am trying to set up SLO with a Shibboleth SP and a Gigya IDP. The IDP has SLO set up and all the redirections appear to be working, however the IDP is expecting a saml:NameID tag to be present within the LogoutRequest, and Shibboleth is not doing this by default.

Here is the request that Shibboleth is currently generating:

    <samlp:LogoutRequest Destination="............" ID="_863ce41c221f009f853ebe1fbad30548" IssueInstant="2016-09-01T01:14:44Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">..........</saml:Issuer>
      <samlp:Extensions>
        <aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/>
      </samlp:Extensions>
      <saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
              </xenc:EncryptionMethod>
              <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
              </xenc:CipherData>
            </xenc:EncryptedKey>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>...</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </saml:EncryptedID>
    </samlp:LogoutRequest>

I would like to have the below tag included within the samlp:LogoutRequest tag.

    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">.......</saml:NameID>

I know a nameid is being generated because I see the tag present in the login response saml. Can the SLO request be configured to include this value? Thanks!

Upvotes: 1

Views: 1185

Answers (1)

user1161505

Reputation: 193

As Mehmet Y. pointed out, the nameID attribute was in fact already being included, though it was encrypted. I had to explicitly set the encryption attribute on the Logout tag to false in order to get the IDP to recognize it.

Upvotes: 1
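The shibboleth2.xml change the answer describes, written out as an added example (it is not from the post; the Sessions attributes shown are illustrative placeholders for whatever the deployment already uses). With encryption="false" the NameID travels in the clear inside the front-channel LogoutRequest, so the request signature and TLS are what protect it from tampering and exposure.

```xml
<!-- shibboleth2.xml excerpt (example, not the asker's file); Sessions attributes are placeholders -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">

    <!-- Before: in this deployment the SP wrapped the subject in saml:EncryptedID,
         which the IdP could not match against its session, so SLO silently failed.
    <Logout>SAML2 Local</Logout>
    -->

    <!-- After: emit a plaintext saml:NameID in the LogoutRequest, as the IdP expects.
         Keep message signing enabled; the identifier is now readable in transit. -->
    <Logout encryption="false">SAML2 Local</Logout>

</Sessions>
```

After restarting shibd, capture one LogoutRequest and confirm it now carries saml:NameID rather than saml:EncryptedID before declaring SLO fixed.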
