OneLogin and SLO?
JVilhuber at absolute.com
Tue Jul 10 07:12:03 EDT 2018
I was wondering if anyone successfully managed to set up SLO with OneLogin (I'm using one of their free test setups in the cloud, in case that matters). They do not support uploading of the SP Certificate (either separately or via SP Metadata), meaning they don't really validate the LogoutRequest (we tested by sending an unsigned LogoutRequest, and it was processed successfully), nor do they sign the LogoutResponse (resulting in a "Security of LogoutResponse not established." error from Shibboleth).
I previously asked them (via support case) about this, and they suggested I put the logout URL (as opposed to the SLO Endpoint URL) into the OneLogin configuration, which strikes me as an insecure work-around, and doesn't address the lack of signing of their LogoutResponse or validation of the LogoutRequest. They also suggested I turn off validation on my end to avoid the error (which... you know... really?!).
Is there some magic I'm missing? Can someone share a success story (and config examples)?
Alternatively, am I overreacting, and the lack of validation and signing of the Logout messages isn't a big deal?
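The post above turns on one observable fact: whether the IdP's LogoutResponse (and the SP's LogoutRequest) carries a signature at all. The checker below is an added example, not code from the original post, OneLogin or Shibboleth. It uses only the Python standard library and inspects both front-channel bindings: in HTTP-Redirect the signature is detached (SigAlg and Signature query parameters over the still-URL-encoded SAMLResponse, RelayState and SigAlg values, in that order), in HTTP-POST it is an enveloped ds:Signature inside the base64-encoded XML. It reports whether a message is signed and reconstructs the bytes a Redirect-binding signature covers; it does not verify the signature itself, which needs the IdP certificate and an RSA library. All endpoint URLs, entity IDs, message IDs and signature values are constructed for the example.

```python
"""Stdlib-only check: is a SAML 2.0 LogoutRequest/LogoutResponse signed?
Added example; URLs, entity IDs and signature values are constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from urllib.parse import urlsplit, parse_qsl, urlencode

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def make_logout_response(enveloped_signature=False):
    """Minimal LogoutResponse (constructed sample, not a real IdP message)."""
    sig = ""
    if enveloped_signature:
        # Placeholder enveloped signature; the value is not a real RSA signature.
        sig = (f'<ds:Signature xmlns:ds="{NS_DS}"><ds:SignedInfo>'
               f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo>'
               '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')
    return (f'<samlp:LogoutResponse xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
            'ID="_c0ffee" Version="2.0" IssueInstant="2018-07-10T11:12:03Z" '
            'Destination="https://sp.example.org/Shibboleth.sso/SLO/POST" InResponseTo="_req1">'
            '<saml:Issuer>https://idp.example.com/saml/metadata/1</saml:Issuer>' + sig +
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
            '</samlp:Status></samlp:LogoutResponse>').encode()


def encode_redirect(xml_bytes, relay_state=None, signature_b64=None):
    """HTTP-Redirect binding: raw DEFLATE + base64 in the query, optional detached signature."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    pairs = [("SAMLResponse", base64.b64encode(co.compress(xml_bytes) + co.flush()).decode())]
    if relay_state is not None:
        pairs.append(("RelayState", relay_state))
    if signature_b64 is not None:
        pairs += [("SigAlg", RSA_SHA256), ("Signature", signature_b64)]
    return "https://sp.example.org/Shibboleth.sso/SLO/Redirect?" + urlencode(pairs)


def encode_post(xml_bytes):
    """HTTP-POST binding: plain base64 of the XML (the SAMLResponse form field)."""
    return base64.b64encode(xml_bytes).decode()


def inspect_redirect(url):
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    key = "SAMLResponse" if "SAMLResponse" in params else "SAMLRequest"
    root = ET.fromstring(zlib.decompress(base64.b64decode(params[key]), -15))
    return {
        "binding": "HTTP-Redirect",
        "message": root.tag.split("}")[1],
        "issuer": (root.findtext(f"{{{NS_SAML}}}Issuer") or "").strip(),
        # Detached signature: both SigAlg and Signature must be present.
        "signed": "SigAlg" in params and "Signature" in params,
        "sig_alg": params.get("SigAlg"),
    }


def redirect_signed_input(url):
    """Bytes a Redirect-binding signature covers: the raw, still-URL-encoded values of
    SAMLRequest/SAMLResponse, RelayState (if present) and SigAlg, in that order."""
    raw = dict(part.partition("=")[::2] for part in urlsplit(url).query.split("&"))
    key = "SAMLResponse" if "SAMLResponse" in raw else "SAMLRequest"
    return "&".join(f"{k}={raw[k]}" for k in (key, "RelayState", "SigAlg") if k in raw).encode()


def inspect_post(saml_b64):
    root = ET.fromstring(base64.b64decode(saml_b64))
    sig = root.find(f"{{{NS_DS}}}Signature")  # enveloped signature is a direct child
    method = sig.find(f".//{{{NS_DS}}}SignatureMethod") if sig is not None else None
    return {
        "binding": "HTTP-POST",
        "message": root.tag.split("}")[1],
        "issuer": (root.findtext(f"{{{NS_SAML}}}Issuer") or "").strip(),
        "signed": sig is not None,
        "sig_alg": method.get("Algorithm") if method is not None else None,
    }


def verdict(info):
    state = f"signed ({info['sig_alg']})" if info["signed"] else "UNSIGNED - SP should reject"
    return f"{info['binding']} {info['message']} from {info['issuer']}: {state}"


if __name__ == "__main__":
    unsigned = encode_redirect(make_logout_response())
    signed = encode_redirect(make_logout_response(), relay_state="cookie", signature_b64="AAAA")
    print(verdict(inspect_redirect(unsigned)))
    print(verdict(inspect_redirect(signed)))
    print(redirect_signed_input(signed)[:40] + b"...")
    print(verdict(inspect_post(encode_post(make_logout_response(True)))))
```

Run it against a captured logout URL or the SAMLResponse form field from the browser's network tab: an "UNSIGNED" verdict on the IdP's LogoutResponse is precisely what the SP's "Security of LogoutResponse not established" error is telling you, and the fix belongs on the IdP side (sign the response, and register the SP certificate so it can validate the LogoutRequest), not in turning off validation at the SP.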