IdP v4 SLO issues when wildcard certificates for websites
Cantor, Scott
cantor.2 at osu.edu
Fri Aug 14 11:56:38 UTC 2020
On 8/14/20, 7:17 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
> SOAP logout should only happen as a last resort,
That particular part may be an assumption bordering on "wish" on my part. It's intended to work that way but I believe there are similar issues with picking bindings in other areas that really never worked as intended (like dating back to V2) and I tackled that more recently.
If the SP that's failing has front-channel bindings in place but it's still picking SOAP, that's running into the same issue I worked on fixing to prevent overuse of the Artifact binding. That fix isn't shipping until 4.1 and it's off by default.
It therefore probably operates in metadata order, which is not ideal. If the SP claims to support SOAP it probably will use it if it's earlier in the list. Getting it out of the metadata if it didn't support SOAP* would be choice #1.
All the other options are some mix of "supported/unsupported/no idea where they actually get handled" that will take a while to scrounge up and come up with a test scenario I can use to explore it. I need to do it, because it's an issue, but it won't be immediate.
-- Scott
* I'm *not* saying the wildcard thing means it doesn't support SOAP logout, I'm just applying common sense that almost nothing "really" supports SOAP logout.