IDP answer to LogoutRequest

Ignacio Amoeiro Bosch ignacio.amoeiro at extern.ibsalut.es
Fri May 7 12:38:48 UTC 2021


Hi Scott,

You say "it makes an attempt to do", but I don't see such an attempt in the http tracer nor in the idp-process.log. Maybe I have something misconfigured?

OFC I understand that it is wrong to wait for a response, I will search if it is reported as a bug.

Thanks.

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Friday, 7 May 2021 14:23
To: Shib Users <users at shibboleth.net>
Subject: DMARC ErrorRe: IDP answer to LogoutRequest

On 5/7/21, 6:49 AM, "users on behalf of Ignacio Amoeiro Bosch" <users-bounces at shibboleth.net on behalf of ignacio.amoeiro at extern.ibsalut.es> wrote:

>    Should the IDP answer to every LogoutRequest with a LogoutResponse?

It makes an attempt to do so, but there are lots of reasons it wouldn't. It is explicitly wrong to wait for a response to complete the work required on the SP side when that SP initiates the logout. ADFS has the same bug, FWIW (actually a more serious variant where its logout is contingent on getting only total success back from the IdP, which is impossible since partial success is a valid and virtually certain result).

-- Scott
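
The SP-side behaviour described in the reply above, as an added example that is not part of the original thread and not Shibboleth or ADFS code: the local session is destroyed before the LogoutRequest leaves, and a missing or PartialLogout answer is only recorded. `ServiceProvider`, `classify_logout_response` and the sample message are hypothetical and constructed; signature verification of the response is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed sample: top-level Success with a nested PartialLogout code.
SAMPLE_PARTIAL = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP}"
    ID="_c1" InResponseTo="_r1" Version="2.0" IssueInstant="2021-05-07T12:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS}Success">
      <samlp:StatusCode Value="{STATUS}PartialLogout"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>"""


def classify_logout_response(xml_text):
    """Classify a LogoutResponse (signature assumed verified elsewhere)."""
    if not xml_text:
        return "none"  # the IdP may never answer; that is not an error
    root = ET.fromstring(xml_text)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        return "failure"
    codes = {c.get("Value") for c in top.iter(f"{{{SAMLP}}}StatusCode")}
    if STATUS + "PartialLogout" in codes:
        return "partial"
    return "success" if top.get("Value") == STATUS + "Success" else "failure"


class ServiceProvider:
    """Hypothetical SP session store, keyed by session id."""

    def __init__(self):
        self.sessions = {}
        self.pending = {}  # LogoutRequest ID -> user, kept for audit only

    def start_logout(self, session_id, request_id):
        # Local logout completes here, before anything is sent to the IdP.
        user = self.sessions.pop(session_id, None)
        self.pending[request_id] = user
        return user is not None

    def on_logout_response(self, request_id, xml_text):
        # The response only feeds the audit trail; it cannot undo or
        # delay the local logout that already happened.
        self.pending.pop(request_id, None)
        return classify_logout_response(xml_text)
```
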

