Question

I am using WSO2IS as IdP and 2 applications as SPs in this setup. One of the applications uses Java with spring-security-saml-extension, the other one PHP with SimpleSAMLphp. SSO is working well, but I cannot get SLO working.

What I do is:

  1. Log in to both SPs
  2. Do a logout in the 1st SP
  3. Watch the WSO2 log and see that WSO2IS sent a LogoutRequest to the 2nd SP
  4. The 2nd SP fails to read the LogoutRequest

SimpleSAMLphp error message:

SimpleSAML_Error_BadRequest: BADREQUEST('%REASON%' => 'Received message on logout endpoint without issuer.')

SAML2 LogoutRequest issued by the IdP:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest ID="ljknoccfdhjcgelcpmbicffooeokboficpggcmpi"  IssueInstant="2014-04-08T06:45:19.944Z" NotOnOrAfter="2014-04-08T06:50:19.944Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">EXAMPLE.AT/test01@domain.com</saml2:NameID>
    <saml2p:SessionIndex>5f14fc6e-1c31-42e1-b7c2-e1501bf400a8</saml2p:SessionIndex>
</saml2p:LogoutRequest>

The SAML2 SLO profile specification linked below clearly states in chapter 4.4.4, on line 1294:

The <Issuer> element MUST be present and MUST contain the unique identifier of the requesting entity

As I understand this, WSO2IS, acting as the IdP, should be the Issuer here, but it fails to include its ID in the message.

Any hint on what I am doing wrong? I cannot imagine that this is a WSO2IS bug!

http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf


Solution

As you found in the specification, the Issuer element is mandatory. The SP uses it to identify the sender. Without it, the SP would have to start guessing who sent the message, as it might be connected to many IdPs at the same time. The issue should be reported as a bug to WSO2.
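The check the answer describes, as an added example (not code from SimpleSAMLphp, Spring Security SAML or WSO2 Identity Server): an SP-side validator, written in Python, that applies the Issuer requirement from profiles section 4.4.4 to the LogoutRequest quoted in the question. The IdP entityID `https://idp.example.com/samlsso` and the stored session table are assumptions; the two SAML messages are constructed from the one in the question, the second with an Issuer element added. Besides rejecting the message without an Issuer, it shows what the Issuer is needed for on the SP side: selecting the IdP whose metadata, signing certificate and SessionIndex apply.

```python
"""SP-side checks on an inbound SAML 2.0 LogoutRequest.

Added example, not code from SimpleSAMLphp, Spring Security SAML or WSO2.
It shows why the Issuer element matters: the SP uses it to select which
IdP's metadata (and signing certificate) the message must be checked
against, and which local session the SessionIndex refers to.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical SP state: trusted IdPs keyed by entityID, each with the
# SessionIndex the IdP assigned when this SP's user logged in via SSO.
# The entityID is an assumption; the SessionIndex is the value from the
# LogoutRequest quoted in the question.
TRUSTED_IDPS = {
    "https://idp.example.com/samlsso": {
        "session_index": "5f14fc6e-1c31-42e1-b7c2-e1501bf400a8",
    },
}

# Constructed sample 1: the request as logged in the question (no Issuer).
REQUEST_WITHOUT_ISSUER = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest ID="ljknoccfdhjcgelcpmbicffooeokboficpggcmpi" IssueInstant="2014-04-08T06:45:19.944Z" NotOnOrAfter="2014-04-08T06:50:19.944Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">EXAMPLE.AT/test01@domain.com</saml2:NameID>
    <saml2p:SessionIndex>5f14fc6e-1c31-42e1-b7c2-e1501bf400a8</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

# Constructed sample 2: the same request with the Issuer the profile requires
# (Issuer is the first child of a RequestAbstractType).
REQUEST_WITH_ISSUER = REQUEST_WITHOUT_ISSUER.replace(
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">',
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    '    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://idp.example.com/samlsso</saml2:Issuer>',
    1,
)

# A clock inside the request's validity window, so the samples can be
# checked deterministically (the real request expired in 2014).
SAMPLE_NOW = datetime(2014, 4, 8, 6, 46, tzinfo=timezone.utc)


def validate_logout_request(xml_text, trusted_idps=TRUSTED_IDPS, now=None):
    """Return (ok, detail). On success, detail is the issuing IdP's entityID."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}LogoutRequest" % NS["saml2p"]:
        return False, "not a LogoutRequest"

    # 1. Issuer MUST be present (profiles 4.4.4); it is the only thing that
    #    tells a multi-IdP SP whose keys and sessions apply to this message.
    issuer = root.find("saml2:Issuer", NS)
    entity_id = (issuer.text or "").strip() if issuer is not None else ""
    if not entity_id:
        return False, "Received message on logout endpoint without issuer."
    idp = trusted_idps.get(entity_id)
    if idp is None:
        return False, "issuer %s is not a configured IdP" % entity_id

    # (A real SP verifies the XML or redirect-binding signature here, with
    #  the certificate from this issuer's metadata. Omitted in this example.)

    # 2. Reject stale requests (NotOnOrAfter is optional, but present here).
    not_on_or_after = root.get("NotOnOrAfter")
    if not_on_or_after:
        expiry = datetime.strptime(
            not_on_or_after, "%Y-%m-%dT%H:%M:%S.%fZ"
        ).replace(tzinfo=timezone.utc)
        if (now or datetime.now(timezone.utc)) >= expiry:
            return False, "LogoutRequest has expired"

    # 3. Only end a session this IdP actually created: the SessionIndex must
    #    match the one stored for that IdP.
    session_index = root.findtext(
        "saml2p:SessionIndex", default="", namespaces=NS
    ).strip()
    if session_index != idp["session_index"]:
        return False, "SessionIndex does not match a session from this IdP"

    return True, entity_id


if __name__ == "__main__":
    print(validate_logout_request(REQUEST_WITHOUT_ISSUER, now=SAMPLE_NOW))
    print(validate_logout_request(REQUEST_WITH_ISSUER, now=SAMPLE_NOW))
```

Signature verification is left out; a real SP must verify the signature with the certificate taken from the metadata of the issuer it has just resolved, which is exactly why the Issuer has to be read before anything else in the message is trusted. Run without `now=`, the second sample is rejected as expired, since its NotOnOrAfter is in 2014.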

OTHER TIPS

This is fixed in the upcoming Identity Server 5.1 release.
https://wso2.org/jira/browse/IDENTITY-2714

I am currently using 5.0.0 and ended up patching a number of things such as this so I could have the functionality I needed. It wasn't too bad to do once you get oriented. You'd need to patch the 'org.wso2.carbon.identity.sso.saml' component in the 'identity' module of the Carbon platform's 4.2.0 chunk11.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow