SLO Problems

Bob Allison shib at
Mon Apr 15 20:43:20 EDT 2019

To get my environment up and running, I am running a single instance of IdP v3.4.3 and a single Apache instance connected to SP 3.0.4.

I have gotten everything configured so that the IdP logout page asks if I want to log out of all my SP sessions and lists the SP as someplace I have visited during the session. I have been avoiding changing any of the views until I can get the basic functionality working.

When I click the "Yes" button, the attempt to log out of the SP session immediately fails. In the browser's console, I see the following two messages (I removed the SAML response from the first message as it's probably not a part of the problem):
>> Refused to load because it does not appear in the frame-ancestors directive of the Content Security Policy.
>> Sandbox access violation: Blocked a frame at "" from accessing a frame at "null".  The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

When I tried to set values in idp.frameoptions and idp.csp to adjust the frame options, the values I placed in the properties appear to be ignored.

Does anyone have some pointers on how to make this work? I have been searching through the documentation but I seem to be missing something important.

There are two other things on my to-do list for desired functionality; any pointers on these would also be appreciated:
>> Get the SP to notify my application of the logout so it can clear its session (I am failing to be able to place a <Notify /> tag in the right place)
>> Adjust the logout process so that, as I see at most of the banks and health care sites I visit, the SAML SLO is a series of blank pages ending with a page that just says "You are logged out. Please close your browser."
