Problem with SLO using Azure as IdP and Shibboleth as SP

Anderson, Paul Paul.Anderson at
Tue Dec 14 18:15:19 UTC 2021

After the logged LogoutRequest message there is the line:
"signature verified against message issuer"

I only see Assertion signing info (for the login) in signature.log but maybe there's a way to enable logging of message signature processing to confirm the above.

The shibd.log section (filtered for the main bits of the exchange) is attached. I don't notice anything obviously weird in it. The nameID doesn't have explicit IdP or SP qualifiers - that's about it (but other IdPs - such as ADFS - are also flaky about that and SSO/SLO work fine).

Does anything leap out at anyone? Or has anyone had the same problem? Or can anyone confirm that SLO works with Azure and so our setup is faulty?

From: Cantor, Scott <cantor.2 at>
Sent: 14 December 2021 14:46
To: Shib Users <users at>
Cc: Anderson, Paul <Paul.Anderson at>
Subject: Re: Problem with SLO using Azure as IdP and Shibboleth as SP

The most likely/simple answer is that the request isn't signed, but the SP will log that quite clearly.

-- Scott


-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace
Type: application/octet-stream
Size: 10263 bytes
Desc: trace
URL: <>
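
Added example, not part of the original messages: a Python helper that inspects a captured LogoutRequest for the two points raised in this thread, namely whether it carries a signature (an enveloped ds:Signature, or the Signature/SigAlg query parameters of the HTTP-Redirect binding) and whether the NameID has NameQualifier/SPNameQualifier attributes. The sample message, host names and URL are constructed; the code reports presence only and does not validate any signature.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: unsigned request, NameID without qualifiers.
SAMPLE = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1"
    Version="2.0" IssueInstant="2021-12-14T00:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:NameID>user@example.org</saml:NameID>
</samlp:LogoutRequest>"""

def inspect_logout_request(xml_text, query=None):
    """Report signing and NameID facts for one LogoutRequest from your own capture."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    attrs = name_id.attrib if name_id is not None else {}
    query = query or {}
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        # POST-style signing: ds:Signature is a direct child of the message.
        "xml_signature": root.find("ds:Signature", NS) is not None,
        # HTTP-Redirect signing: the signature travels in the query string.
        "query_signature": "Signature" in query and "SigAlg" in query,
        "name_qualifier": attrs.get("NameQualifier"),
        "sp_name_qualifier": attrs.get("SPNameQualifier"),
    }

def inspect_redirect_url(url):
    """Decode SAMLRequest from an HTTP-Redirect URL (base64 + raw DEFLATE)."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    return inspect_logout_request(xml_text, query)

def encode_redirect(xml_text, extra=None):
    """Build a constructed redirect URL for testing the decoder above."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml_text.encode("utf-8")) + c.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    params.update(extra or {})
    return "https://sp.example.org/Shibboleth.sso/SLO/Redirect?" + urlencode(params)
```

Calling `inspect_redirect_url(encode_redirect(SAMPLE))` reports both signature fields as false and both qualifiers as `None`.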
