SLO Problems

Cantor, Scott cantor.2 at
Mon Apr 15 21:24:06 EDT 2019

> >> Refused to load
> ponse=... because it does not appear in the frame-ancestors directive of the
> Content Security Policy.

The logout endpoint isn't itself implemented under the denial headers, so that doesn't make any sense unless you have unreleased pre-3.4 code in web.xml that hadn't been corrected to exclude the SLO paths. That was fixed before 3.4.0 was done according to the history in git.

> When I tried to set values in idp.frameoptions and idp.csp to adjust the frame
> options, the values I placed in the properties appear to be ignored.

It does not ignore them, though it's not reloadable.

> There are two other things on my to-do list for desired functionality, any
> pointers on these would also be appreciated:
> >> Get the SP to notify my application of the logout so it can clear its
> >> session (I am failing to be able to place a <Notify /> tag in the right place)

The right place is wherever it's documented to go. I have no memory of that, but whatever the schema says and the documentation says is where it goes. I don't think it's very strict.

> Adjust the logout process so that, as I see at most of the banks and health care
> sites I visit, the SAML SLO is a series of blank pages ending with a page that just
> says "You are logged out. Please close your browser."

Full frame redirects are a non-starter. That terminates at the first broken system. Logout is also not interoperable, the specification does not cover the UI sufficiently to make it work. But propagation is only passably acceptable when it's done with frames, and that means the IdP has to control the UI, and SP to IdP is the only full window redirect expected within the UI implemented by these two software products. The SP is more agnostic about it, but it works well enough because there is no particular UI implemented in it anyway and it clears its own state first before giving up control.

-- Scott
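As an added illustration of the logout-notification question above (not part of the original thread, and not the Shibboleth project's own shipped configuration), this is a shibboleth2.xml fragment showing a front-channel `<Notify>` element. The placement inside `<ApplicationDefaults>` after `<Errors>`, the `Channel` and `Location` attribute names, the hostnames, and the `/logout-notify` path are assumptions to be checked against the SP schema and documentation, which is exactly what the reply recommends.

```xml
<!-- Added example fragment; hostnames and paths are placeholders. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
        <SSO entityID="https://idp.example.org/idp/shibboleth">
            SAML2
        </SSO>
        <!-- Logout handlers are what receive the IdP's LogoutRequest. -->
        <Logout>SAML2 Local</Logout>
    </Sessions>

    <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Assumed placement: after <Errors>. Front-channel notification means
         the SP redirects the user's browser to Location with a "return"
         query parameter; the application clears its own session and then
         redirects the browser back to that return URL so the SP can finish
         clearing its state. Back-channel ("back") would instead be an
         SP-to-application HTTP call with no browser involvement. -->
    <Notify Channel="front"
            Location="https://app.example.org/logout-notify"/>

    <MetadataProvider type="XML" validate="true"
                      url="https://idp.example.org/idp/shibboleth"
                      backingFilePath="idp-metadata.xml"
                      reloadInterval="7200"/>

</ApplicationDefaults>
```

The application endpoint behind `Location` should only clear its local session and redirect to the supplied `return` value; it must not be treated as the end of the logout, because the SP still has its own state to clear and the IdP still controls the rest of the propagation, as the reply describes.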
