Question

I am currently working on a small ASP.NET project involving authentication of users against a 3rd party identity provider. Currently logins work, logouts don't.

I am using the WIF SAML 2.0 extension to handle the SAML protocol.

The 3rd party IdP does not require signed LogoutRequests from the service provider. However, by default, the WIF SAML extension requires me to sign such requests.

Question:

  • Is there a way to disable signing of LogoutRequests?

Another library, OpenAM, has an interesting attribute in its extended service provider metadata:

<Attribute name="wantLogoutRequestSigned">
    <Value>false</Value>
</Attribute>

Is there a similar attribute available in WIF?

Any pointers would be deeply appreciated.


Solution

So, assuming this is SP-Init SLO, and you are using the POST or Redirect binding to send the LogoutRequest to the IDP, the SLO Profile says you must digitally sign the Request. See Sect 4.4.3.1, lines 1223-1224:

"The message MUST be signed if the HTTP POST or Redirect binding is used."

Not sure if WIF will allow you to generate a non-compliant message for SLO or not. I'm guessing that the OpenAM setting is for testing purposes only (or SOAP Binding) and that WIF doesn't have a similar option.

I know I didn't answer your question directly but HTH anyway - Ian
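As an added example (not from the question, the answer, or WIF itself), here is a Python check for the rule Ian cites: whether a LogoutRequest received over the HTTP-POST or HTTP-Redirect binding carries a signature at all, looked for where each binding puts it (an enveloped ds:Signature in the XML for POST, the SigAlg and Signature query parameters for Redirect). It only checks presence, not cryptographic validity, and the sample messages, hostnames and signature values are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def _parse_logout_request(xml_bytes: bytes) -> ET.Element:
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return root

def post_binding_is_signed(saml_request_field: str) -> bool:
    """HTTP-POST binding: SAMLRequest is base64 XML and the signature, if any,
    is an enveloped ds:Signature child of the LogoutRequest. Presence only:
    cryptographic verification is the XML-DSig library's job."""
    root = _parse_logout_request(base64.b64decode(saml_request_field))
    return root.find(f"{{{DSIG}}}Signature") is not None

def redirect_binding_is_signed(url: str) -> bool:
    """HTTP-Redirect binding: SAMLRequest is DEFLATE-compressed base64 XML with no
    ds:Signature inside; the signature lives in the SigAlg/Signature parameters."""
    qs = parse_qs(urlsplit(url).query)
    raw = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    _parse_logout_request(raw)  # make sure the payload really is a LogoutRequest
    return bool(qs.get("SigAlg")) and bool(qs.get("Signature"))

# Constructed sample messages (hypothetical SP/IdP hosts, placeholder signature value).
_BODY = '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/</saml:Issuer>'
_SIG = f'<ds:Signature xmlns:ds="{DSIG}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'

def _logout_xml(signed: bool) -> str:
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z">' + _BODY
            + (_SIG if signed else "") + '</samlp:LogoutRequest>')

def sample_post_field(signed: bool) -> str:
    return base64.b64encode(_logout_xml(signed).encode()).decode()

def sample_redirect_url(signed: bool) -> str:
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(_logout_xml(signed).encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signed:  # a real sender computes Signature over the encoded query string
        params.update(SigAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                      Signature="UExBQ0VIT0xERVI=")
    return "https://idp.example.test/slo?" + urlencode(params)
```

An IdP or SP that enforces Sect 4.4.3.1 would reject a request for which the matching check returns False before handing the message to the signature verifier.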

Licensed under: CC-BY-SA with attribution