SLO/POST SingleLogout Service issue on Shibboleth 2.6 SP

Martinico martinico at
Tue Oct 17 08:16:06 EDT 2017

Hello dear list,
After some months of research I've been able to implement successfully a
SingleSignOn that I'm integrating into a local Seafile server.
Since they don't have a Logout yet, I decided to implement my own. So that
said, I can already do it in shibboleth 2.5.2, SSO works, I get a valid
Session and so on. SingleLogout on 2.5.2 works posting the following SAML
to SLO/POST with a correct response :
Global Logout

*Status of Global Logout:* Logout completed successfully.

Now when I switch to another server where shibd -v  is 2.6 the same setup,
sending this SAML:
<LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
    <ds:Signature xmlns:ds="">
            <ds:CanonicalizationMethod Algorithm="" />
            <ds:SignatureMethod Algorithm="" />
                    <ds:Transform Algorithm="" />
                    <ds:Transform Algorithm="" />
                <ds:DigestMethod Algorithm="" />

        <ds:SignatureValue>CERT SIGNATURE</ds:SignatureValue>
                <ds:X509Certificate>CERT CONTENTS</ds:X509Certificate>
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

                 >martinico at</saml:NameID>

*Delivers this response: *
SAML response reported an IdP error.

Error from identity provider:

    Status: urn:oasis:names:tc:SAML:2.0:status:Requester
    Sub-Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied
    Message: Error processing request.

In the log says anything more. So I'm quite lost in the cloud here. I
already teared many of my hairs out.
Can someone guide me on what I'm doing wrong in the IDP side for a
LogoutRequest for 2.6 ?

Metadata config looks like this:
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
https://storage.local/Shibboleth.sso/SLO/POST" />
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="

Many thanks in advance! And please tell me if I need to supply any
additional details.
Martin <>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list