SLO HTTP-Redirect endpoint with query-string parameters (/?sls).
Brent Putman
putmanb at georgetown.edu
Mon Sep 3 01:29:21 EDT 2018
On 9/2/18 9:36 PM, Cameron Kerr wrote:
>
>
> Note that the sls query-string argument is missing as received by the SP (although it is there in the Destination attribute), which means the application session is not logged out (the handler does not get hit).
>
>
>
> It doesn't seem to say that the entirety of the query-string argument is reserved for the SAML message, and it does refer to 'Reserved' query-string parameters such as SAMLEncoding, which would seem to imply that other query-string parameters would be legal; one could even read it that Shibboleth is clearly doing the wrong thing by stripping (not including) any query-string argument (and fragment, I suppose) in the endpoint URL.
>
> So given the above, it seems that this is a bug in Shibboleth IdP version 3.2.1 (or perhaps OpenSAML). I don't see any mention of this in the issues given in the release notes for later versions.
>
>
Yes, it's a bug that was reported by someone else pretty recently (June
2018). It's fixed in the codebase but not released yet. The fix will
be in OpenSAML and IdP v3.4.0, which is due out soon-ish.
https://issues.shibboleth.net/jira/browse/OSJ-243
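
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Shibboleth or OpenSAML code: a Python sketch of building an HTTP-Redirect URL so that a query string already present on the endpoint (here `?sls`) reaches the SP. The endpoint host, the sample LogoutRequest and the `keep_query` switch (which mimics the dropped query string) are constructed for illustration; signing is left out.

```python
import base64
import zlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names the SAML HTTP-Redirect binding uses for itself.
RESERVED = {"SAMLRequest", "SAMLResponse", "RelayState",
            "SAMLEncoding", "SigAlg", "Signature"}

def deflate_b64(xml):
    """DEFLATE encoding: raw deflate (no zlib header), then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inflate_b64(value):
    """Reverse of deflate_b64, as the receiving side would do."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def build_redirect_url(endpoint, xml, param="SAMLRequest",
                       relay_state=None, keep_query=True):
    """Append the SAML parameters to the endpoint URL.

    keep_query=False mimics the behaviour described in the thread,
    where the endpoint's own query string is lost.
    """
    parts = urlsplit(endpoint)
    own_query = parts.query if keep_query else ""
    # An endpoint must not already carry one of the binding's own names.
    clash = [k for k, _ in parse_qsl(own_query, keep_blank_values=True)
             if k in RESERVED]
    if clash:
        raise ValueError("endpoint query uses reserved name(s): %s" % clash)
    saml = [(param, deflate_b64(xml))]
    if relay_state is not None:
        saml.append(("RelayState", relay_state))
    # Keep the endpoint's query text as written ("sls", not "sls=").
    query = "&".join(q for q in (own_query, urlencode(saml)) if q)
    # The fragment is never sent to the server, so it is left out.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

def received_params(url):
    """Query parameters as the SP's handler would see them."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

# Constructed sample values, not taken from the thread.
ENDPOINT = "https://sp.example.org/?sls"
LOGOUT_XML = '<samlp:LogoutRequest ID="_constructed" Version="2.0"/>'

if __name__ == "__main__":
    print(received_params(build_redirect_url(ENDPOINT, LOGOUT_XML)).keys())
    print(received_params(build_redirect_url(ENDPOINT, LOGOUT_XML, keep_query=False)).keys())
```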