OneLogin and SLO?

Jan Vilhuber JVilhuber at
Mon Jul 23 05:08:41 EDT 2018

To close the loop on this: I filed a support request with OneLogin asking them for comment, pointing out that (in my opinion) there's a security hole in their product's handling of the SAML SLO messages (they neither check the signature of the LogoutRequest, nor do they sign the LogoutResponse), and they essentially (in so many words) said "We don't care. You can file an enhancement request, and if enough people vote on it, we might implement it."

I do agree that SLO is poorly understood by product owners and customers and shouldn't be used like an 'old style logout button'. But that appears to be an uphill (up-cliff?) battle.

> -----Original Message-----
> From: users <users-bounces at> On Behalf Of Cantor, Scott
> Sent: Tuesday, July 10, 2018 7:51 PM
> To: Shib Users <users at>
> Subject: RE: OneLogin and SLO?
> > Alternatively, am I overreacting, and the lack of validation and
> > signing of the Logout messages isn't a big deal?
> We simply follow the standard, which isn't ambiguous on this question. If you
> want a rationale I can manage a poor one (*), but ultimately, my attitude is that
> once an implementation decides it knows better than the standard what should
> be done I can guess that they have decided they know better about things that
> are probably much more important and aren't so easy to let slide.
> -- Scott
> (*) Technically the reason is that the report of whether logout succeeded or not
> would have significant impact on the UI presented to the user and has to be
> trustworthy (making the response more crucial to sign than the request), but in
> practice logout never works reliably anyway and we don't really believe the SP
> should be presenting that UI, so that's a fairly poor rationale. Even worse, the
> Shibboleth IdP doesn't even have a way to know whether logout was complete
> or partial by the time it responds, so its responses aren't even strictly accurate.
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list