IDP SLO endpoint confusion

Wessel, Keith William kwessel at illinois.edu
Thu Jun 6 12:06:25 EDT 2013


Scott,

The LocalLogout handler defined in the handler.xml that shipped with 2.4.0 seems to have a requestPath value of /Logout, not /LocalLogout. Are we talking about the same thing here? Just making sure.

I was also suspecting that the SP wasn't using the ASLO extension. The log doesn't seem to indicate one way or the other, though, which leads me to believe further that it isn't. I see this in the idp-process.log when I log out from the SP via /idp/profile/SAML2/Redirect/SLO:

10:54:14.576 - INFO [Shibboleth-Access:73] [session=9f00756e0cdf508372714919114a63f21b8eecd310622486fcc87f81e0cf4c45] - 20130606T155414Z|192.17.24.50|shib-test-idp.cites.illinois.edu:443|/profile/SAML2/Redirect/SLO|
10:54:14.756 - INFO [edu.internet2.middleware.shibboleth.idp.profile.saml2.SLOProfileHandler:178] [session=9f00756e0cdf508372714919114a63f21b8eecd310622486fcc87f81e0cf4c45] - Invalidating session identified by LogoutRequest: 9f00756e0cdf508372714919114a63f21b8eecd310622486fcc87f81e0cf4c45

It's clearly triggering the first part, but not the second part that's associated with ASLO, or I wouldn't be redirected back to the SP.

Doesn't look like any advanced configuration exists in the shibboleth2.xml. BTW, it's version 2.5.0, now 2.5.1, on the SP, if that makes a difference. But the only mention of logout in the shibboleth2.xml is the actual logout tag, no logout initiators and thus, I would assume, nothing to turn off the default value of true for ASLO.

Anything else I can check on the SP to ensure that ASLO is being used?

Keith

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday, June 06, 2013 9:23 AM
To: Shib Users
Subject: RE: IDP SLO endpoint confusion

> I'm back to working on our IDP SLO support, and I'm either misunderstanding
> something or have something misconfigured. I can specify my
> singleLogoutService endpoint in metadata as /idp/profile/Logout,

You mean /LocalLogout? I think that's what I defaulted it to, though you can change it.

> but I'm
> pretty sure I'm not supposed to call that directly.

It's not meant to be in metadata, that's not a standard profile, it's for local use. The SAML endpoint for the partial logout support is what would be in metadata (or not, I think it might end up causing lots of trouble initially, but that's the long term state).

> When I do, the session
> does seem to get terminated, but I'm not able to display info from the login
> context such as the entity ID of the requesting SP that initiated the SLO
> request. In fact, my JSP generates a null pointer exception.

That's not a SAML endpoint, there's no requester, no nothing. It's just a cookie clearing handler, at the root of it. The only reason it's inside the code base like that is to allow the actual session to be purged, and to support Velocity templates.

> So, I tried changing the singleLogoutService endpoint to
> /idp/profile/SAML2/Redirect/SLO. This one terminated my IDP session also,
> but it redirected me back to the SP to display a logout page. Since this is SP
> V2.5.1, I would expect the ASLO extension support to kick in and the IDP to
> not try and return control to the SP. But that doesn't seem to be happening.

That's not what I observe while testing, so I suspect either the extension's not there, or you think it's hitting the IdP and it's really not, just hitting the local logout hook in the SP. What does it actually say in the log?

> Which endpoint should I be calling if I want my IDP session destroyed and a
> page to be displayed from the IDP and also want to be able to access the
> request passed in? If my first attempt was correct and loginContext should
> be available, I certainly must be doing something wrong to get a null pointer
> exception.

The latter, but you definitely have to start at the SP to use that endpoint.

-- Scott
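Added example (not part of this thread and not Shibboleth project code): one concrete way to answer "is the SP actually using ASLO?" is to capture the redirect the SP issues to /idp/profile/SAML2/Redirect/SLO, decode the SAMLRequest parameter the way the HTTP-Redirect binding defines it (raw DEFLATE, then base64, then URL-encoding), and look for the Asynchronous element inside the LogoutRequest's Extensions. The script below builds two constructed LogoutRequests (one with the extension, one without), encodes them as the SP would, and inspects them. The IdP host is taken from the log lines above; the SP entity ID, request and session identifiers are made up, and the ASLO namespace URI is written from memory of the OASIS async-SLO profile and should be confirmed against the spec before relying on it.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Namespace of the Asynchronous Single Logout profile extension.
# Assumed from the OASIS sstc-saml-async-slo spec; verify before relying on it.
ASLO_NS = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:async-slo"

# IdP SLO endpoint from the thread; SP entity ID is a made-up placeholder.
IDP_SLO = "https://shib-test-idp.cites.illinois.edu/idp/profile/SAML2/Redirect/SLO"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def redirect_encode(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def redirect_decode(param: str) -> bytes:
    """Reverse the Redirect binding encoding of a SAMLRequest/SAMLResponse value."""
    return zlib.decompress(base64.b64decode(param), -15)


def build_redirect_url(endpoint: str, xml_bytes: bytes, relay_state: str = "") -> str:
    """Assemble the GET URL an SP would send the browser to (unsigned, for illustration)."""
    params = {"SAMLRequest": redirect_encode(xml_bytes)}
    if relay_state:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


def saml_request_from_url(url: str) -> bytes:
    """Pull the SAMLRequest out of a captured redirect URL and decode it."""
    return redirect_decode(parse_qs(urlsplit(url).query)["SAMLRequest"][0])


def build_logout_request(issuer: str, destination: str, asynchronous: bool) -> bytes:
    """Constructed sample LogoutRequest; identifiers are placeholders, not real traffic."""
    ext = (
        f'<samlp:Extensions><aslo:Asynchronous xmlns:aslo="{ASLO_NS}"/></samlp:Extensions>'
        if asynchronous else ""
    )
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_c0ffee" Version="2.0" IssueInstant="2013-06-06T15:54:14Z" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{ext}"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc</saml:NameID>'
        "<samlp:SessionIndex>_session1</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )
    return xml.encode("utf-8")


def inspect_logout_request(xml_bytes: bytes) -> dict:
    """Report issuer, destination and whether the ASLO Asynchronous extension is present."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    async_ext = root.find(f"{{{SAMLP_NS}}}Extensions/{{{ASLO_NS}}}Asynchronous")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "asynchronous": async_ext is not None,
    }


if __name__ == "__main__":
    for flag in (True, False):
        url = build_redirect_url(IDP_SLO, build_logout_request(SP_ENTITY_ID, IDP_SLO, flag))
        print(inspect_logout_request(saml_request_from_url(url)))
```

To use it on real traffic, copy the Location header of the SP's redirect (browser dev tools or the SP's transaction log) and pass it to saml_request_from_url. If "asynchronous" comes back False, the SP is sending a plain LogoutRequest and the IdP is correct to hand control back; if no redirect to the IdP appears at all, only the SP's local logout hook was hit.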

