Ignore SLO fields in IdP metadata

goods davidgoodwin at gmail.com
Wed Nov 20 21:08:52 EST 2019


I am configuring an application that is using the Shibboleth IIS module and
Service Provider (latest version). 

My IdP is an F5 Big-IP which I have full control of. We use this as the IdP
for a number of different services. 

I have configured Shibboleth so that authentication is working. I am having
issues getting the logout functionality to work properly. I am NOT trying to
configure SingleLogout - I just want to get local logout working before
concerning myself with the session created between the SP and IdP. 

The IdP metadata file generated by the aforementioned appliance contains SLO
fields which I want Shibboleth to ignore. When I head to
https://<domain>/Shibboleth.sso/Logout with the default <Logout>SAML2
Local</Logout> in Shibboleth2.xml, I am redirected to the SLO URL in the IdP
metadata. We do not have this functionality on the appliance configured
properly, causing a connection reset, and the browser just hangs, never
getting to the logout successful page (unless I go to that URL a couple more
times in succession). The simple solution would be to remove these fields
from the metadata; however, the file is signed by the appliance, and removing
these fields causes Shibboleth to report errors on startup related to the
signature failing.

Is there a way to configure Shibboleth to ignore the SLO fields in the IdP
Metadata? 

If not, is there a way to disable the signature requirement by Shibboleth
for the IdP Metadata so that I can export it from the appliance unsigned and
remove the SLO fields (I'm storing the IdP metadata locally on the disk so
the security concern isn't there)? I'm making assumptions here that
Shibboleth is seeing those SLO fields and attempting to use them and that by
removing them from the config file they would be ignored. 

If I am way off here or something does not make sense please let me know. 

Thank you for your time. 



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
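
Why editing the signed metadata file breaks verification, as an added example that is not part of the original post and is not Shibboleth code: it lists the SingleLogoutService endpoints in a metadata document and shows that removing them changes the digest an enveloped signature covers. The sample metadata, its URLs and all function names are constructed for illustration, and the standard library's C14N 2.0 stands in for the exclusive C14N that real metadata signatures normally use.

```python
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample metadata, not taken from the post; the signature is a placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _remove(root, tag):
    """Drop every element named `tag` from the tree, in place."""
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == tag:
                parent.remove(child)
    return root


def slo_endpoints(xml_text):
    """(Binding, Location) of each SingleLogoutService in the metadata."""
    found = ET.fromstring(xml_text).iter(MD + "SingleLogoutService")
    return [(e.get("Binding"), e.get("Location")) for e in found]


def is_signed(xml_text):
    """True when the document element carries an enveloped ds:Signature."""
    return ET.fromstring(xml_text).find(DS + "Signature") is not None


def strip_slo(xml_text):
    """Return the metadata with all SingleLogoutService elements removed."""
    root = _remove(ET.fromstring(xml_text), MD + "SingleLogoutService")
    return ET.tostring(root, encoding="unicode")


def signed_content_digest(xml_text):
    """SHA-256 of the canonical document with the signature element excluded."""
    # Approximation of the enveloped-signature reference digest (C14N 2.0 here).
    body = ET.tostring(_remove(ET.fromstring(xml_text), DS + "Signature"), encoding="unicode")
    canon = ET.canonicalize(body, strip_text=True, rewrite_prefixes=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()
```

The edited file still carries its `ds:Signature` element, but the digest over the signed content no longer matches what the appliance signed, which is the condition a verifier reports as a signature failure.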

