Single Logout with Shibboleth SP 2.5.1

Paul Brears pbrears at rm.com
Thu Feb 21 10:22:07 EST 2013


I've a test environment with an IdP (non-Shibboleth) that has basic
front channel SLO functionality.

I'm testing it with two Shibboleth SP servers, both on 2.5.1. One is
Centos 6.3 the other is Windows 2012. Both are fresh out of the box
Shibboleth SP installs.

The IdP sends signed Logout Requests to both SPs via
/Shibboleth.sso/SLO/POST

It's set with a NameID in the Logout Request but no session index, so it
should remove all sessions for that NameID (which in this case is a
PersistentID).

The Windows server works perfectly and sends a Success message back to the
IdP correctly:

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>

However, the Linux server always responds:

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Error processing request.</samlp:StatusMessage>
</samlp:Status>

On both servers you get the following debug lines:

DEBUG OpenSAML.MessageDecoder.SAML2 [8]: message from (http://IDP)
DEBUG OpenSAML.MessageDecoder.SAML2 [8]: searching metadata for message issuer...
DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [8]: evaluating message flow policy (replay checking on, expiration 60)
DEBUG XMLTooling.StorageService [8]: inserted record (_941e612d-1d51-4f0d-8c60-9e0d04b51084) in context (MessageFlow) with expiration (1361448649)
DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [8]: validating signature profile
DEBUG XMLTooling.TrustEngine.ExplicitKey [8]: attempting to validate signature with the peer's credentials
DEBUG XMLTooling.TrustEngine.ExplicitKey [8]: signature validated with credential
DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [8]: signature verified against message issuer
DEBUG Shibboleth.SessionCache [8]: searching for session (_........................)
DEBUG Shibboleth.SessionCache [8]: reconstituting session and checking validity
But when it's working correctly on the Windows server we also get the
following afterwards:

INFO Shibboleth.SessionCache [2]: request to logout sessions from (http://IDP) for (HASH=)
DEBUG XMLTooling.StorageService [2]: inserted record (HASH=) in context (Logout) with expiration (1361448323)
DEBUG Shibboleth.SessionCache [2]: searching for session (_..........)
DEBUG Shibboleth.SessionCache [2]: reconstituting session and checking validity
DEBUG XMLTooling.StorageService [2]: deleted record (HASH=) in context (NameID)
DEBUG Shibboleth.Logout.SAML2 [2]: session cache returned 1 sessions bound to NameID in logout request
INFO Shibboleth.SessionCache [2]: removed session (_..........)
On the Linux server the next thing it does is build the SAML Response
with the error message:

DEBUG OpenSAML.MessageEncoder.SAML2Redirect [8]: validating input
DEBUG OpenSAML.MessageEncoder.SAML2Redirect [8]: marshalling, deflating, base64-encoding the message
DEBUG OpenSAML.MessageEncoder.SAML2Redirect [8]: marshalled message:
I've got logging set to DEBUG but I can't see any interesting entries on
the failing SP.

I've confirmed in both cases the persistent NameID being sent in the
Logout Request matches the one originally sent when the user
authenticated.

Is there any other debugging I can enable to see why it's not processing
on the Linux server?


Paul
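An added example, not from the post or from the Shibboleth project: a small parser for the samlp:Status of a SAML 2.0 LogoutResponse that walks the nested StatusCode chain, so a Requester/RequestDenied reply like the one from the Linux SP can be told apart from Success when checking SLO results across several SPs. The two sample Status blocks are constructed from the ones quoted in the post.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed samples: the Status blocks the Windows and Linux SPs returned.
STATUS_OK = f"""<samlp:Status xmlns:samlp="{SAMLP}">
  <samlp:StatusCode Value="{SUCCESS}"/>
</samlp:Status>"""

STATUS_DENIED = f"""<samlp:Status xmlns:samlp="{SAMLP}">
  <samlp:StatusCode Value="{REQUESTER}">
    <samlp:StatusCode Value="{REQUEST_DENIED}"/>
  </samlp:StatusCode>
  <samlp:StatusMessage>Error processing request.</samlp:StatusMessage>
</samlp:Status>"""


def parse_status(xml_text):
    """Return (codes, message) for a samlp:Status, or for the first Status
    found inside a larger response. codes lists the StatusCode Value chain
    from the top-level code down through each nested sub-code; message is
    the StatusMessage text or None."""
    root = ET.fromstring(xml_text)
    status = root if root.tag == f"{{{SAMLP}}}Status" else root.find(".//samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element in response")
    codes = []
    code = status.find("samlp:StatusCode", NS)
    while code is not None:
        codes.append(code.get("Value"))
        code = code.find("samlp:StatusCode", NS)   # descend into nested sub-codes
    msg = status.find("samlp:StatusMessage", NS)
    return codes, (msg.text.strip() if msg is not None and msg.text else None)


def logout_succeeded(xml_text):
    """True only when the top-level StatusCode is Success; any other top-level
    code (Requester, Responder, VersionMismatch) means the SP did not log out."""
    codes, _ = parse_status(xml_text)
    return bool(codes) and codes[0] == SUCCESS


if __name__ == "__main__":
    for label, sample in (("windows", STATUS_OK), ("linux", STATUS_DENIED)):
        print(label, logout_succeeded(sample), parse_status(sample))
```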