Problem with SLO using Azure as IdP and Shibboleth as SP

Anderson, Paul Paul.Anderson at hw.ac.uk
Tue Dec 14 14:41:43 UTC 2021


There was a message on this list in February:
"Has anyone ever had success getting SLO to work with Azure?"
I'd like to repeat the same question, as I am having problems.

I sign in using my Azure IdP, and can see in my Shib SP's shibd.log a session index in the AuthnStatement and later 'new session created'.

When I go to myapps.microsoft.com and log out, I see the browser's GET request to the Shib SP's ...../SLO/Redirect containing the LogoutRequest, which has a NameID and session index matching the login.
But the request gets rejected and there is a LogoutResponse towards the IdP containing "RequestDenied". The result is that the corresponding SP session that was created earlier does not get cleared.

Has anyone else experienced this? When I use ADFS as IdP, SLO works fine and logs that the SP session is being cleared. (ADFS sends the login assertion encrypted, but otherwise the message exchange is similar.)
What incoming data mismatches can cause 'RequestDenied'? I'll maybe have to look at the SP source code if I can't enable further trace detail. The LogoutRequest message validates on the SAML tools site, so it seems the devil is in the detail.

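A way to pin down which field in an HTTP-Redirect LogoutRequest disagrees with the SP's stored session, as an added example that is not part of the original post and not Shibboleth SP code. It undoes the Redirect binding (URL-decode, base64-decode, raw DEFLATE), pulls out the fields a SAML 2.0 SP compares before it will terminate a session (Issuer, Destination, the NameID value together with its Format, NameQualifier and SPNameQualifier attributes, and SessionIndex), and reports each one that differs. The hostnames, the recorded session and the mismatch it demonstrates (a missing SPNameQualifier) are constructed for the demo; they are not a claim about what the poster's SP rejected. In a real investigation you would paste the SAMLRequest query string from the browser's GET and fill the session dict from what shibd.log showed at login.

```python
"""Decode a SAML 2.0 LogoutRequest sent over the HTTP-Redirect binding and
diff it against the SP session it is supposed to terminate.

Added diagnostic example; all hostnames, IDs and the session record below are
constructed. Signature (SigAlg/Signature query parameters) is not checked here;
a bad signature is a separate failure from a field mismatch.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # diagnostic use only; prefer defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed: what the SP recorded from the login (Issuer, NameID, SessionIndex).
SESSION = {
    "Issuer": "https://idp.example.org/",
    "Destination": "https://sp.example.org/Shibboleth.sso/SLO/Redirect",
    "NameID": "paul@example.org",
    "NameID.Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "NameID.NameQualifier": "",
    "NameID.SPNameQualifier": "https://sp.example.org/shibboleth",
    "SessionIndex": "_7c3f2b1e",
}


def decode_redirect_saml_request(query_string):
    """Undo the Redirect binding: URL-decode, base64-decode, raw-inflate."""
    params = urllib.parse.parse_qs(query_string, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0])
    # wbits=-15 selects raw DEFLATE (no zlib header), as the binding requires.
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_saml_request(xml):
    """Inverse of the above; used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})


def parse_logout_request(xml):
    """Extract the fields an SP matches against its session store."""
    root = ET.fromstring(xml)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)
    nameid = root.find("saml:NameID", NS)
    if nameid is None:
        raise ValueError("LogoutRequest carries no saml:NameID")
    return {
        "Issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "Destination": root.get("Destination", ""),
        "NameID": (nameid.text or "").strip(),
        "NameID.Format": nameid.get("Format", ""),
        "NameID.NameQualifier": nameid.get("NameQualifier", ""),
        "NameID.SPNameQualifier": nameid.get("SPNameQualifier", ""),
        "SessionIndex": [(e.text or "").strip() for e in root.findall("samlp:SessionIndex", NS)],
    }


def compare_with_session(request, session):
    """One line per field that differs between the request and the stored session."""
    mismatches = []
    for key in ("Issuer", "Destination", "NameID", "NameID.Format",
                "NameID.NameQualifier", "NameID.SPNameQualifier"):
        if request[key] != session[key]:
            mismatches.append("%s: request=%r session=%r" % (key, request[key], session[key]))
    # A LogoutRequest may list several SessionIndex elements; ours must be among them.
    if session["SessionIndex"] not in request["SessionIndex"]:
        mismatches.append("SessionIndex: request=%r session=%r"
                          % (request["SessionIndex"], session["SessionIndex"]))
    return mismatches


def diagnose(query_string, session):
    """Decode a captured SLO/Redirect query string and diff it against the session."""
    return compare_with_session(parse_logout_request(decode_redirect_saml_request(query_string)), session)


def build_sample_request(sp_name_qualifier):
    """Constructed LogoutRequest; pass None to omit SPNameQualifier from the NameID."""
    spq = ' SPNameQualifier="%s"' % sp_name_qualifier if sp_name_qualifier else ""
    xml = (
        '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
        'IssueInstant="2021-12-14T14:30:00Z" Destination="%s">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<saml:NameID Format="%s"%s>%s</saml:NameID>'
        "<samlp:SessionIndex>%s</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    ) % (NS["samlp"], NS["saml"], SESSION["Destination"], SESSION["Issuer"],
         SESSION["NameID.Format"], spq, SESSION["NameID"], SESSION["SessionIndex"])
    return encode_redirect_saml_request(xml)


if __name__ == "__main__":
    # Constructed scenario: the IdP's LogoutRequest omits the SPNameQualifier
    # the SP recorded at login, so the NameIDs do not compare equal.
    for line in diagnose(build_sample_request(None), SESSION) or ["no mismatches"]:
        print(line)
```

NameID comparison in SAML is on the whole element, so a value that looks identical in two messages can still fail to match when an attribute such as Format or SPNameQualifier is present on one side only; that is why the script prints every attribute separately rather than only the text.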