I am sending a LogoutRequest from SP-initiated SLO to the IdP. Ping is used as the Identity Provider, and on Ping I am getting the error "Signature Required" even though there is a signature in the LogoutRequest. Through some research I found that if Redirect Binding is used, the Signature should be sent as a query parameter. How do I change the Binding Protocol of the LogoutRequest to HTTP-POST?

http://idpendppointURL.com/idp/SLO.saml2?SAMLRequest="...."&RelayState="...."

How do I add the Signature as a query parameter when the URL is getting really long for REDIRECT binding?

Edited on 12th May 2014 9:54 PM CST

I figured out how to add the Signature as a query parameter from the OASIS SAML SLO specification, but now I get the error "Invalid Signature" from Ping.


Solution

You can find all details on how to send messages using different bindings in the SAML 2.0 bindings part of the SAML 2.0 standard.

For details on how to attach a signature to a message sent using the HTTP-Redirect binding, see chapter 3.4.

The supported length of redirect URL is unpredictable and HTTP-Redirect should only be used for relatively small messages. As you need to fit in more data, you'll have to switch to another binding, such as HTTP-POST.

In order to implement the HTTP-POST binding, you will need to change the way your application sends the message by following rules which are again defined in the standard (chapter 3.5).

You might also consider using one of the SAML libraries which simplify the task of implementing SAML 2.0 functionality and include support for all the bindings, such as OpenSAML, Spring SAML, or tools provided by Ping.

The "Invalid Signature" error you're getting means what it says - the signature wasn't correctly constructed. If you want to write the signature creation from scratch, make sure to follow the instructions exactly as defined in the standard; any small mistake will make your implementation invalid.
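The steps in chapter 3.4 that most often go wrong when done by hand are the raw DEFLATE (no zlib header), the fixed parameter order of the signed string, and signing the URL-encoded form of the values rather than the raw values. The following Go program, added here as an illustration and not code from the question, the answer or Ping, walks through both sides: the SP builds a signed HTTP-Redirect URL for a LogoutRequest, and the IdP verifies it from the raw query string. The endpoint, entity IDs, NameID and RelayState are constructed placeholders; RSA-SHA256 with PKCS#1 v1.5 is one of the SigAlg values commonly accepted, chosen here as an assumption.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// SampleLogoutRequest is a constructed LogoutRequest; hosts, ID and NameID are placeholders.
const SampleLogoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" Version="2.0" IssueInstant="2014-05-12T21:54:00Z" Destination="https://idp.example.com/idp/SLO.saml2"><saml:Issuer>https://sp.example.com</saml:Issuer><saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>`

// SigAlgRSASHA256 is the SigAlg URI for RSA with SHA-256 (assumed to be accepted by the IdP).
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// deflateBase64 applies raw DEFLATE (RFC 1951, no zlib header) followed by base64,
// which is the encoding HTTP-Redirect requires for the SAMLRequest value.
func deflateBase64(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// inflateBase64 reverses deflateBase64 on the receiving side.
func inflateBase64(s string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", err
	}
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(out), err
}

// signedString is the exact octet string the signature covers: the already
// URL-encoded parameters in this fixed order, RelayState omitted when absent.
func signedString(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + samlRequest
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return s + "&SigAlg=" + sigAlg
}

// BuildRedirectURL (SP side) encodes the request, signs the query string and appends Signature.
func BuildRedirectURL(endpoint, xml, relayState string, key *rsa.PrivateKey) (string, error) {
	encoded, err := deflateBase64(xml)
	if err != nil {
		return "", err
	}
	// The URL-encoded form is what gets signed, not the raw base64 or raw RelayState.
	toSign := signedString(url.QueryEscape(encoded), url.QueryEscape(relayState), url.QueryEscape(SigAlgRSASHA256))
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return endpoint + "?" + toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawQueryParams splits the query without decoding it, so the verifier rebuilds the
// signed string from the exact octets the sender signed (re-encoding could differ).
func rawQueryParams(query string) map[string]string {
	params := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			params[k] = v
		}
	}
	return params
}

// VerifyRedirectURL (IdP side) checks the Signature parameter and returns the decoded XML.
func VerifyRedirectURL(redirectURL string, pub *rsa.PublicKey) (string, error) {
	u, err := url.Parse(redirectURL)
	if err != nil {
		return "", err
	}
	p := rawQueryParams(u.RawQuery)
	if p["SAMLRequest"] == "" || p["SigAlg"] == "" || p["Signature"] == "" {
		return "", fmt.Errorf("signature required: SAMLRequest, SigAlg and Signature must all be present")
	}
	if alg, _ := url.QueryUnescape(p["SigAlg"]); alg != SigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", alg)
	}
	sigB64, err := url.QueryUnescape(p["Signature"])
	if err != nil {
		return "", err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(signedString(p["SAMLRequest"], p["RelayState"], p["SigAlg"])))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("invalid signature: %w", err)
	}
	encoded, err := url.QueryUnescape(p["SAMLRequest"])
	if err != nil {
		return "", err
	}
	return inflateBase64(encoded)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo
	u, _ := BuildRedirectURL("https://idp.example.com/idp/SLO.saml2", SampleLogoutRequest, "state123", key)
	fmt.Println("redirect URL length:", len(u))
	_, err := VerifyRedirectURL(u, &key.PublicKey)
	fmt.Println("verified:", err == nil)
}
```

The verifier deliberately works from `u.RawQuery` rather than `u.Query()`: decoding and re-encoding can change `+` to `%20` or alter case in percent-escapes, and any byte difference in the signed string produces exactly the "Invalid Signature" result described above. Note the length printed by `main`: with a realistic LogoutRequest plus a 2048-bit signature the URL is already well past 1 KB, which is the practical reason the answer points to HTTP-POST for larger messages.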

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow