NativeSP: xmltooling::IOException when processing Logout Response

Rainer Hoerbe rainer at hoerbe.at
Sun May 19 17:14:33 EDT 2019


I am struggling to find the cause for this condition:

xmltooling::IOException at (https://edupay-qs.bildung.at/Shibboleth.sso/SLO/Redirect)
URL is missing a colon where expected; improper URL encoding?

I suspect that this is caused by an unsolicited RelayState in the LogoutResponse, but I was unable to demonstrate this so far. 

- This occurs when 2 SP sessions exist, and a LogoutRequest has been sent from the SP that throws this error.
- The SLO flow with no other active SP session is OK.
- There is no indication of a problem in shibd.log (xmltooling loglevel=DEBUG)
- The problem happens regardless whether SLO/@asynchronous is true or false.
- I use CentOS7 with shibboleth.x86_64 3.0.4-3.2

The IDP is CA Siteminder. My suspicion is the following flaw in the LogoutResponse:
1. Shib SP issues LogoutRequest without RelayState
2. IDP issues LogoutRequest to SP2 with a RelayState
3. IDP sends LogoutResponse with the same RelayState as used for SP2
4. SP fails.

I tried to replicate the issue in my test environment, but my Test-SP with a look-alike shibboleth2.xml always sends a RelayState in the LogoutRequest. 

When I use mitmproxy to doctor the request and replace the original RelayState with a Siteminder-generated one, the SP answers with a security policy exception.

Questions:
- When will the SP emit RelayState with a LogoutRequest?
- Is the unsolicited RelayState a possible cause for the xmltooling::IOException?
- What is the recommended path to find the cause?

Best regards
Rainer Hörbe
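
An added example, not part of the original post: a small decoder for a captured HTTP-Redirect binding URL on the SLO endpoint, which reports whether the LogoutResponse carries a RelayState the SP did not send. The function names, the sample URL and its values are constructed; checking RelayState for a colon only mirrors the wording of the error message and is an assumption about what the SP tests.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def encode_redirect(xml):
    """Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def inspect_slo_redirect(url, sent_relay_state=None):
    """Decode a captured SLO redirect URL and summarise message and RelayState."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    name = "SAMLResponse" if "SAMLResponse" in qs else "SAMLRequest"
    xml = zlib.decompress(base64.b64decode(qs[name][0]), -15)
    if b"<!DOCTYPE" in xml:  # refuse DTDs: no entity expansion on captured input
        raise ValueError("DOCTYPE not allowed in SAML message")
    root = ET.fromstring(xml)
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    relay = qs.get("RelayState", [None])[0]
    return {
        "message": root.tag.split("}")[-1],
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value") if status is not None else None,
        "relay_state": relay,
        # RelayState present although the SP's own request carried a different one or none
        "unsolicited_relay_state": relay is not None and relay != sent_relay_state,
        # assumption: the "missing a colon" error concerns this value
        "relay_state_has_colon": relay is not None and ":" in relay,
    }

# Constructed sample: a LogoutResponse answering request _req1, with a RelayState
# the SP never sent (step 3 of the suspected flow).
_xml = ('<samlp:LogoutResponse xmlns:samlp="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2019-05-19T21:00:00Z" InResponseTo="_req1">'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '</samlp:LogoutResponse>') % SAMLP
SAMPLE_URL = "https://sp.example.org/Shibboleth.sso/SLO/Redirect?" + urlencode(
    {"SAMLResponse": encode_redirect(_xml), "RelayState": "opaque-token-for-sp2"})

if __name__ == "__main__":
    for key, value in inspect_slo_redirect(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

Feeding it the URL captured by mitmproxy, together with the RelayState (if any) from the SP's own LogoutRequest, shows directly whether step 3 of the suspected flow is happening.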


