SLO/POST SingleLogout Service issue on Shibboleth 2.6 SP

Martinico martinico at gmail.com
Tue Oct 17 08:16:06 EDT 2017


Hello dear list,
After some months of research I've been able to successfully implement
SingleSignOn, which I'm integrating into a local Seafile server.
Since they don't have a Logout yet, I decided to implement my own. That
said, I can already do it in Shibboleth 2.5.2: SSO works, I get a valid
Session and so on. SingleLogout on 2.5.2 works, posting the following SAML
to SLO/POST gives a correct response:
Global Logout

*Status of Global Logout:* Logout completed successfully.

Now when I switch to another server with the same setup, where shibd -v reports 2.6,
sending this SAML:
<LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
               ID="_e3c6e9137ea52ab86c7d54502bdaf466cc04e432fd"
               Version="2.0"
               IssueInstant="2017-10-17T11:51:23Z"
               Destination="https://storage/Shibboleth.sso/SLO/POST">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://luckycloud.dev/sso/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_e3c6e9137ea52ab86c7d54502bdaf466cc04e432fd">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>b5xHrw/y3YB5yOZ/jZcOqNbHqe8=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>CERT SIGNATURE</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>CERT CONTENTS</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">martinico at gmail.com</saml:NameID>
</LogoutRequest>

*delivers this response:*
opensaml::FatalProfileException
SAML response reported an IdP error.

Error from identity provider:

    Status: urn:oasis:names:tc:SAML:2.0:status:Requester
    Sub-Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied
    Message: Error processing request.

The log doesn't say anything more. So I'm quite lost in the cloud here. I've
already torn a lot of my hair out.
Can someone guide me on what I'm doing wrong on the IdP side for a
LogoutRequest for 2.6?

Metadata config looks like this:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Location="https://storage.local/Shibboleth.sso/SLO/POST" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Location="https://storage.local/Shibboleth.sso/SAML2/Post-SimpleSign"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                     Location="https://sso.local/login"/>
</IDPSSODescriptor>

Many thanks in advance! And please tell me if I need to supply any
additional details.
-- 
Martin
Fasani.de <http://fasani.de>
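Added example (not from the original post, and not Shibboleth or Seafile code): the pre-flight checks an SP applies to a LogoutRequest before it even reaches signature verification, run offline against the request quoted above. The request is the posted one with its CERT SIGNATURE / CERT CONTENTS placeholders kept; the SP metadata fragment is constructed around the posted SLO Location (its entityID is an assumption); the IdP entityID is taken from the posted Issuer; the XML signature itself is not verified, since that needs an XML-DSig library and the real certificate. Run on the posted message it surfaces two things worth ruling out before blaming the IdP: the request's Destination (https://storage/...) is not the SLO Location declared in the metadata (https://storage.local/...), which SAML core requires the recipient to check, and the DigestMethod is SHA-1, which is deprecated for XML-DSig and should be SHA-256 regardless of which version is complaining.

```python
"""Pre-flight checks for a SAML 2.0 LogoutRequest before POSTing it to an SP's
SLO endpoint.  Added example: the request is the posted one (placeholders kept),
the metadata is constructed.  The XML signature itself is NOT verified."""
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml on untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
WEAK_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1",       # SHA-1 XML-DSig URIs:
             "http://www.w3.org/2000/09/xmldsig#rsa-sha1"}   # deprecated, flag them
IDP_ENTITY_ID = "https://luckycloud.dev/sso/metadata"  # the posted Issuer

LOGOUT_REQUEST = """<LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_e3c6e9137ea52ab86c7d54502bdaf466cc04e432fd" Version="2.0"
    IssueInstant="2017-10-17T11:51:23Z"
    Destination="https://storage/Shibboleth.sso/SLO/POST">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://luckycloud.dev/sso/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_e3c6e9137ea52ab86c7d54502bdaf466cc04e432fd">
        <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>b5xHrw/y3YB5yOZ/jZcOqNbHqe8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>CERT SIGNATURE</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT CONTENTS</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">martinico at gmail.com</saml:NameID>
</LogoutRequest>"""

# Constructed SP metadata: the posted SLO Location inside a minimal SPSSODescriptor
# (the entityID is an assumption, not from the post).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://storage.local/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://storage.local/Shibboleth.sso/SLO/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same request with Destination matching the metadata and a SHA-256 digest
# (structural fix only: in a real flow the message must then be re-signed).
FIXED_REQUEST = (LOGOUT_REQUEST
    .replace('Destination="https://storage/', 'Destination="https://storage.local/')
    .replace("http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256"))


def slo_endpoints(metadata_xml, binding=POST_BINDING):
    """Locations of every SingleLogoutService declared for `binding`."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iter(f"{{{NS['md']}}}SingleLogoutService")
            if e.get("Binding") == binding}


def check_logout_request(xml_text, slo_locations, expected_issuer, now, skew=300):
    """Return a list of findings; an empty list means the request passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        return [f"not a LogoutRequest: {root.tag}"]
    findings = []
    # SAML core: when Destination is present the recipient MUST check that it
    # equals the URL the message actually arrived at.
    dest = root.get("Destination")
    if dest not in slo_locations:
        findings.append(f"Destination {dest!r} is not a declared SLO endpoint {sorted(slo_locations)}")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} != expected {expected_issuer!r}")
    instant = dt.datetime.strptime(root.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ")
    if abs((now - instant.replace(tzinfo=dt.timezone.utc)).total_seconds()) > skew:
        findings.append(f"IssueInstant {root.get('IssueInstant')} outside +/-{skew}s of now")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("unsigned: the SLO profile requires the requester to sign or otherwise authenticate")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
            findings.append("signature Reference URI does not point at the request's own ID")
        for path in ("ds:SignedInfo/ds:SignatureMethod", "ds:SignedInfo/ds:Reference/ds:DigestMethod"):
            node = sig.find(path, NS)
            if node is not None and node.get("Algorithm") in WEAK_ALGS:
                findings.append(f"weak algorithm {node.get('Algorithm')}")
    if root.find("saml:NameID", NS) is None and root.find("saml:EncryptedID", NS) is None:
        findings.append("no NameID/EncryptedID: the SP cannot tell whose session to end")
    return findings


def run_checks():
    """Check the posted request and the fixed variant at a time 37 s after IssueInstant."""
    now = dt.datetime(2017, 10, 17, 11, 52, tzinfo=dt.timezone.utc)  # constructed clock
    slo = slo_endpoints(SP_METADATA)
    return (check_logout_request(LOGOUT_REQUEST, slo, IDP_ENTITY_ID, now),
            check_logout_request(FIXED_REQUEST, slo, IDP_ENTITY_ID, now))
```

`run_checks()` returns two lists: the posted request yields the Destination and SHA-1 findings, the fixed variant yields none. To use it on a live flow, feed the base64-decoded SAMLRequest form field and the SP's real metadata; the clock should be the SP's, since the IssueInstant window is the usual reason a replayed or hand-built request is refused.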