error on logout in Shibboleth IdP 3.3.1
George Stoynev
george.stoynev at mcgill.ca
Fri May 26 14:57:14 EDT 2017
Hello,
I have tried the patched version of
system/flows/logout/logout-propagation-flow.xml and got the same warnings.
Here is what I see in the idp-warn.log file (this is before the patch
but after applying it is the same):
2017-05-25 15:23:32,628 - WARN [net.shibboleth.idp.profile.config.AbstractProfileConfiguration:285] - ProfileConfiguration http://shibboleth.net/ns/profiles/saml2/sso/browser: ServletRequest was null
2017-05-25 15:23:45,909 - WARN [net.shibboleth.idp.profile.config.AbstractProfileConfiguration:285] - ProfileConfiguration http://shibboleth.net/ns/profiles/saml2/sso/browser: ServletRequest was null
2017-05-25 15:23:48,037 - WARN [net.shibboleth.idp.profile.config.AbstractProfileConfiguration:285] - ProfileConfiguration http://shibboleth.net/ns/profiles/saml2/logout: ServletRequest was null
The first warning shows up as soon as the login screen is displayed in
the browser before logging in. The second one is immediately after
logging in. The third one is on logout. The functionality doesn't seem
affected.
Here is my relying-party.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
            </list>
        </property>
    </bean>

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" />
                <bean parent="SAML2.SSO" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="Liberty.SSOS" />
            </list>
        </property>
    </bean>

    <bean id="SHA1SecurityConfig"
          parent="shibboleth.DefaultSecurityConfiguration"
          p:signatureSigningConfiguration-ref="shibboleth.SigningConfiguration.SHA1"
          />

    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{
            'https://mysp.example.org/shibboleth'
            }}">
            <property name="profileConfigurations">
                <list>
                    <bean parent="Shibboleth.SSO"
                          p:postAuthenticationFlows="attribute-release" />
                    <bean parent="SAML2.SSO"
                          p:postAuthenticationFlows="attribute-release" />
                    <ref bean="SAML2.ECP" />
                    <ref bean="SAML2.Logout" />
                    <ref bean="Liberty.SSOS" />
                </list>
            </property>
        </bean>
    </util:list>

</beans>
Can't see how the syntax is different than the stock version.
Thank you,
George
On 2017-05-26 11:55 AM, users-request at shibboleth.net wrote:
> Message: 1
> Date: Fri, 26 May 2017 14:48:33 +0200
> From: Daniel Lutz <daniel.lutz at switch.ch>
> To: users at shibboleth.net
> Subject: Re: error on logout in Shibboleth IdP 3.3.1
> Message-ID: <7024968f-e715-17c4-71b6-60ebe7e1a127 at switch.ch>
> Content-Type: text/plain; charset=utf-8
>
> Cantor, Scott schrieb am 24.05.17 um 18:24:
>> https://issues.shibboleth.net/jira/browse/IDP-1132
>>
>> You really should be off the legacy relying party file by now in any case.
> While testing logout with different responderIds and security configurations,
> I've found another possible cause for these warnings:
>
> During logout propagation to SPs, the PropagateLogout webflow defined in
> system/flows/logout/logout-propagation-flow.xml probably doesn't expose
> the ProfileRequestContext. This may lead to these warnings.
>
> I've created an issue for this:
>
> https://issues.shibboleth.net/jira/browse/IDP-1183
>
> I think that the warnings are harmless as long as the default responderId (entityId
> of the IdP) and the default security configuration are in use.
>
> - Daniel
>
>
>
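The quoted reply ties the warnings being harmless to the default responderId and default security configuration being in use. The following is an added example, not code from this thread or from the Shibboleth project: it scans a relying-party.xml for beans that set either value. The property names `securityConfiguration` and `responderId`, the bean id `example.Override`, and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
P_NS = "{http://www.springframework.org/schema/p}"
# Assumed override names (not taken from the thread): securityConfiguration on a
# profile configuration, responderId on a relying party.
WATCHED = ("securityConfiguration", "responderId")

# Constructed sample: a trimmed relying-party.xml in the shape posted above, plus
# one hypothetical override that actually references SHA1SecurityConfig.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations"><list>
      <bean parent="SAML2.SSO" />
      <ref bean="SAML2.Logout" />
    </list></property>
  </bean>
  <bean id="SHA1SecurityConfig" parent="shibboleth.DefaultSecurityConfiguration"
        p:signatureSigningConfiguration-ref="shibboleth.SigningConfiguration.SHA1" />
  <bean id="example.Override" parent="RelyingPartyByName">
    <property name="profileConfigurations"><list>
      <bean parent="SAML2.Logout" p:securityConfiguration-ref="SHA1SecurityConfig" />
    </list></property>
  </bean>
</beans>"""

def find_overrides(xml_text):
    """Return (bean, setting, value) for every non-default responderId or
    security configuration set on a bean, via p: attribute or <property>."""
    hits = []
    for bean in ET.fromstring(xml_text).iter(BEANS + "bean"):
        label = bean.get("id") or bean.get("parent") or "(anonymous)"
        for attr, value in bean.attrib.items():
            if attr.startswith(P_NS):
                name = attr[len(P_NS):]
                if name.endswith("-ref"):
                    name = name[:-4]  # p:foo-ref="x" sets property foo
                if name in WATCHED:
                    hits.append((label, name, value))
        for prop in bean.findall(BEANS + "property"):
            if prop.get("name") in WATCHED:
                hits.append((label, prop.get("name"), prop.get("ref") or prop.get("value")))
    return hits

if __name__ == "__main__":
    for label, name, value in find_overrides(SAMPLE):
        print(f"{label}: {name} -> {value}")
```

An empty result means no bean in the file sets either value, which is the case for a file that only defines a security configuration bean without referencing it from a profile configuration.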