SP SAML2 Logout

Cantor, Scott cantor.2 at osu.edu
Wed Apr 13 11:35:21 EDT 2016

On 4/13/16, 11:25 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

>> I did add the <error> tag to the shibboleth2.xml to get rid of the 505 error, but is there a way to avoid the error altogether?
>The error is because the LogoutResponse contained a SAML status code indicating it was an error, and what you do with errors is up to you.
>The SP should be displaying the logout result template IIRC.

It's not, actually; I looked at the code and it's throwing out to the general error behavior if the status doesn't check out. That's a bit of a debatable outcome I would say, but the error handling in the SP has always been terrible, and logout has always been worse, so the combination is pretty ugly.

I don't know that there's a way to distinguish between an error coming from a LogoutResponse and one from an SSO Response, which isn't all that helpful. In general, any reasonable error handling in the SP involves the redirectErrors option to pass off to a script of some kind, but even there I don't know that one could do anything useful; it would be interesting to see what the parameters passed to it would be.

Just being honest here.

None of that has anything to do with IIS turning a response from the SP into some totally unrelated error page, which is I'm sure what it's doing.

-- Scott
