Encrypting NameIDs and Signing Logout Messages

Nate Klingenstein ndk at signet.id
Wed May 15 19:18:09 EDT 2019


All,

We have a very surprising amount of testing going on using SLO on SAMLtest.  Most of these SLO requests are not signed and many use a NameID rather than an EncryptedID.  Naturally, they fail.

The reasons for signing and encrypting assertions are obvious, and the same reasons would apply to front-channel SLO requests.  But to some extent, the arguments that apply to not signing front-channel AuthnRequests also apply: there isn't much damage that can be done by forging a LogoutRequest other than being annoying and potentially losing sessions and data in applications.

Not downplaying the significance of that, but looking for interoperability, how many people here would break my knuckles for setting idp.logout.authenticated to false on SAMLtest and relying on TLS?  Given that it's just SAMLtest, I think it would be fine, although I've been trying hard to toe the line between nudging people towards specification compliance and successful deployment.

I'll be under the bed,
Nate.
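As an added example (not part of Nate's post and not SAMLtest's or the Shibboleth IdP's own code), the following Python models the two checks the message describes: whether a front-channel LogoutRequest carries a signature (an embedded ds:Signature for the POST binding, or SigAlg/Signature query parameters for the Redirect binding) and whether its subject is a saml:EncryptedID rather than a plaintext saml:NameID. A small policy function then shows how relaxing the signature requirement, as setting idp.logout.authenticated to false would, changes the outcome while a plaintext NameID still fails. The two sample requests, their IDs, entity IDs and the PLACEHOLDER digest, signature and cipher values are constructed; nothing here verifies a signature or decrypts an identifier, which a real IdP does against the SP's metadata keys.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# SAML 2.0 namespaces used by a LogoutRequest and its signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: unsigned, plaintext NameID (the kind the post says fails).
UNSIGNED_NAMEID_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0" IssueInstant="2019-05-15T23:00:00Z" Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"><saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructed-nameid</saml:NameID><samlp:SessionIndex>_constructed-session</samlp:SessionIndex></samlp:LogoutRequest>"""

# Constructed sample: signed (placeholder values) with an EncryptedID subject.
SIGNED_ENCRYPTEDID_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_constructed-2" Version="2.0" IssueInstant="2019-05-15T23:00:00Z" Destination="https://idp.example.org/idp/profile/SAML2/POST/SLO"><saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_constructed-2"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature><saml:EncryptedID><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedID><samlp:SessionIndex>_constructed-session</samlp:SessionIndex></samlp:LogoutRequest>"""


def check_logout_request(xml_text, query_signed=False):
    """Return the structural problems found in a LogoutRequest, in check order.

    query_signed is True when the Redirect binding carried SigAlg and Signature
    parameters; presence is all that is checked here, not validity.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return ["not a samlp:LogoutRequest"]
    has_xml_signature = root.find("ds:Signature", NS) is not None
    if not (has_xml_signature or query_signed):
        problems.append("unsigned")
    if root.find("saml:EncryptedID", NS) is None:
        if root.find("saml:NameID", NS) is not None:
            problems.append("plaintext NameID")
        else:
            problems.append("no subject identifier")
    return problems


def encode_redirect_request(xml_text):
    """DEFLATE + base64 + URL-encode a request as the Redirect binding does.

    A real SP then appends SigAlg and a Signature computed over the query
    string; this constructed helper deliberately leaves both out.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})


def decode_redirect_binding(query_string):
    """Return (xml_text, query_signed) from a Redirect-binding query string."""
    params = parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    query_signed = "Signature" in params and "SigAlg" in params
    return xml_text, query_signed


def evaluate(problems, require_signature=True):
    """Model the outcome the post describes (an assumption, not IdP code).

    require_signature=False stands in for idp.logout.authenticated=false:
    an unsigned request is then tolerated (TLS is relied on instead), but a
    plaintext NameID or missing subject still rejects the request.
    """
    blocking = [p for p in problems if p != "unsigned" or require_signature]
    return ("rejected", blocking) if blocking else ("accepted", [])


if __name__ == "__main__":
    for label, xml in (("unsigned/NameID", UNSIGNED_NAMEID_REQUEST),
                       ("signed/EncryptedID", SIGNED_ENCRYPTEDID_REQUEST)):
        found = check_logout_request(xml)
        print(label, "strict:", evaluate(found), "relaxed:", evaluate(found, False))
    xml, signed = decode_redirect_binding(encode_redirect_request(UNSIGNED_NAMEID_REQUEST))
    print("redirect binding signed params present:", signed, check_logout_request(xml, signed))
```

Note that for the Redirect binding the SAML spec puts the signature on the query string rather than inside the XML, so a ds:Signature found in a redirect-delivered request is not what the IdP validates; the caller should pass the query-signature flag from decode_redirect_binding rather than trusting the embedded element.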

