SLO question

Peter Schober peter.schober at univie.ac.at
Mon Jul 14 10:15:57 EDT 2014


* Ulrich Leodolter <ulrich.leodolter at obvsg.at> [2014-07-14 08:10]:
> then I was interested in testing the SLO as described at
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO
> login/logout from single SP1 works fine, no wonder :)
> then I tried to log in (single browser) from SP1 and SP2 to my
> testing IdP.  After login to both, the first logout from SP1
> results in *Partial Logout*, that seems reasonable.
> 
> but the second logout from SP2 results in:
> ---
> opensaml::FatalProfileException at
> (https://sp2.my.domain/Shibboleth.sso/SLO/Redirect)
> 
> SAML response reported an IdP error.
> 
> Error from identity provider:
> 
>         Status: urn:oasis:names:tc:SAML:2.0:status:Requester
>         Sub-Status: urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal
> ---
> 
> the information provided seems reasonable too, but I am unsure
> if I have configured everything OK.

Do the logout requests from the SPs contain the async-slo extension?
I'm guessing not (which would indicate you should maybe upgrade to the
SP's new <SSO> element syntax), because in that case you'd end up at the
IdP's logout.jsp template with the message "NONE FOUND".
So that'd be slightly different behaviour, but essentially the same result:
The IDP does not have the session you're trying to logout with (from
SP2), as it already terminated it when logging out from SP1.

Not sure off the top of my head whether the behaviour changes if you
include a return parameter to the SLO initiator.
-peter
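An added diagnostic helper, not from this thread, from either poster, or from Shibboleth itself, that checks the two things Peter asks about: whether an SP's LogoutRequest carries the async-slo extension, and which status and sub-status the IdP's LogoutResponse reports (mapping the pairs seen in the thread to what they mean for the IdP session). The sample messages, entity IDs and identifiers are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "aslo": "urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

def has_async_slo(logout_request_xml):
    """True if the SP's LogoutRequest carries <aslo:Asynchronous/> in <samlp:Extensions>."""
    root = ET.fromstring(logout_request_xml)
    return root.find("samlp:Extensions/aslo:Asynchronous", NS) is not None

def logout_status(logout_response_xml):
    """Return (top-level code, nested sub-code) of a LogoutResponse, URN prefix stripped."""
    root = ET.fromstring(logout_response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        raise ValueError("LogoutResponse has no Status/StatusCode")
    sub = top.find("samlp:StatusCode", NS)  # optional second-level code
    short = lambda e: e.get("Value", "").replace(STATUS_PREFIX, "", 1)
    return short(top), (short(sub) if sub is not None else None)

# What the status pairs discussed in the thread mean from the IdP's session view.
MEANING = {
    ("Success", None): "full logout",
    ("Success", "PartialLogout"): "IdP session ended, but not every SP was logged out",
    ("Requester", "UnknownPrincipal"): "IdP has no session for this request; "
        "it was probably already terminated by an earlier logout from another SP",
}

def diagnose(logout_response_xml):
    pair = logout_status(logout_response_xml)
    return MEANING.get(pair, "unrecognised status %s / %s" % pair)

# Constructed sample messages (hypothetical entity IDs and IDs, not a real deployment).
REQ_ASYNC = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-07-14T08:00:00Z">
  <saml:Issuer>https://sp2.example.org/shibboleth</saml:Issuer>
  <samlp:Extensions><aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/></samlp:Extensions>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_n1</saml:NameID>
  <samlp:SessionIndex>_s1</samlp:SessionIndex>
</samlp:LogoutRequest>"""
# Same request without the extension (the Extensions element sits on one line above).
REQ_SYNC = "\n".join(l for l in REQ_ASYNC.splitlines() if "Extensions" not in l)
RESP_UNKNOWN = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_p1" Version="2.0" IssueInstant="2014-07-14T08:10:00Z" InResponseTo="_r1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
  </samlp:StatusCode></samlp:Status>
</samlp:LogoutResponse>"""
```

Run `diagnose()` over the LogoutResponse captured from the SP2 error page (SAML tracer or the SP's native log) to confirm it is the Requester/UnknownPrincipal pair, and `has_async_slo()` over the SP's LogoutRequest to answer Peter's first question.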

