SLO Problems

Cantor, Scott cantor.2 at
Tue Apr 16 09:27:33 EDT 2019

On 4/16/19, 9:10 AM, "users on behalf of Darren Boss" <users-bounces at on behalf of darren.boss at> wrote:

> I'm having no luck with SLO either and it also seems related to CSP configuration issues.

I don't know CSP so I have no insight other than to continue to point out that the SAML SLO and propagation flow paths are not configured in web.xml to apply those headers in the responses. If the parent frame's *own* option headers affect things, then I have no idea how that's supposed to work, but web.xml is where the paths impacted are set and it's possible to exclude more of them, aside from simply changing the headers.

It also doesn't work like this during testing.

> I was thinking about starting a new thread but I feel like my setup might be similar to Bob's. We have a fairly new
> deployment that doesn't have a huge amount of configuration legacy so should be pretty simple to get SLO working.

There is nothing simple about SLO.
> Refused to display 'https://myidpurl/idp/profile/PropagateLogout?SessionKey=1' in a frame because an ancestor
> violates the following Content Security Policy directive: "frame-ancestors 'none'".

If the ancestor's frame options impact child frames inside the actual page with the headers, then a solution is to exclude the non-SAML logout path from the web.xml configuration that applies the response headers. The SAML paths are already unlisted.

I've tested with Chrome in the past with the headers in place, and I don't believe that to be true but perhaps it changed. It should prevent framing of that page *itself*, not the child frames it creates. But the web and I don't get along so I probably don't understand how any of it works.

> I had been migrating configuration so I was missing the commented out configuration for frameoptions and scp.

That would default them, and the defaults are non-empty.

Setting the properties works and you can trace the requests yourself to verify what they're being set to. Setting them to an empty value will prevent the header from appearing.
-- Scott

More information about the users mailing list