OneLogin and SLO?

Cantor, Scott cantor.2 at
Tue Jul 10 08:50:31 EDT 2018

> Alternatively, am I overreacting, and the lack of validation and signing of the
> Logout messages isn't a big deal?

We simply follow the standard, which isn't ambiguous on this question. If you want a rationale, I can manage a poor one (*), but ultimately, my attitude is that once an implementation decides it knows better than the standard what should be done, I can guess that they have decided they know better about things that are probably much more important and aren't so easy to let slide.

-- Scott
(*) Technically the reason is that the report of whether logout succeeded or not would have significant impact on the UI presented to the user and has to be trustworthy (making the response more crucial to sign than the request), but in practice logout never works reliably anyway and we don't really believe the SP should be presenting that UI, so that's a fairly poor rationale. Even worse, the Shibboleth IdP doesn't even have a way to know whether logout was complete or partial by the time it responds, so its responses aren't even strictly accurate.

