Question

I'm trying to set up wso2is as an IdP. Liferay acts as SP.

Signing in is done successfully. My actual problem is - there is no 'destination' attribute set in LogoutResponse so liferay saml-portlet is throwing:

    14:12:26,779 ERROR [http-bio-8080-exec-18][BaseSamlStrutsAction:45com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
    at com.liferay.saml.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:166)
    at com.liferay.saml.profile.WebSsoProfileUtil.processResponse(WebSsoProfileUtil.java:50)
    at com.liferay.saml.hook.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:38)

So here is my actual LogoutRequest:

<saml2p:LogoutRequest Destination="https://localhost:9443/samlsso"
    ID="_22d8ba65fc7ffdbc63d9d45ddea3e420ebc53373" IssueInstant="2014-07-30T13:16:33.576Z"
    Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferaysamlspdemo</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_22d8ba65fc7ffdbc63d9d45ddea3e420ebc53373">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>A00CJe+mILdS1J9rofdyDWtO+/M=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>[value]
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>[cert data]
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxx</saml2:NameID>
    <saml2p:SessionIndex>436f2982-c96c-4884-a9ea-7b8b4cde13ff</saml2p:SessionIndex>
</saml2p:LogoutRequest>

And the corresponding response:

<saml2p:LogoutResponse ID="hbkakhdacckapfinfncplppndpkhbpihhnfphjoh"
    InResponseTo="_69f6c1f18217d5626f0a76a1b705138d56e5077f" IssueInstant="2014-07-30T14:12:26.651Z"
    Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferaysamlidpdemo</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#hbkakhdacckapfinfncplppndpkhbpihhnfphjoh">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>35a6HRTd3gbqiGhR2RzkRWn+f04=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>[value]
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>[cert data]
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
</saml2p:LogoutResponse>

Now, is that a general wso2is problem, that it does not include the "Destination" attribute in the LogoutResponse, or am I doing something wrong? It would be great if I could get some help.


Solution

In case you are using HTTP-POST binding the standard says:

If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message.

And therefore it would mean that wso2 has a bug.

The Destination attribute is not required with HTTP-Artifact or SAML SOAP bindings. In case you use one of these, it would mean that there's a problem on the Liferay side.
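The rule the answer quotes (and the failure the question shows) can be checked on the receiving side before any other processing. The following is an added example, not code from Liferay, WSO2 or the poster: it applies the Destination rule to a received SAML protocol message, with a constructed LogoutResponse modelled on the one in the question (placeholder IDs, signature and certificate contents). It goes slightly beyond the page in that it treats HTTP-Redirect the same way as HTTP-POST, which is what the SAML 2.0 Bindings specification does; the SP logout URL is an assumed value.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Bindings for which SAML 2.0 Bindings requires Destination on a signed message.
# The page discusses HTTP-POST; the same rule applies to HTTP-Redirect.
DESTINATION_REQUIRED_BINDINGS = {"HTTP-POST", "HTTP-Redirect"}

# Constructed sample modelled on the LogoutResponse quoted in the question:
# signed, Status=Success, but no Destination attribute. IDs, signature and
# certificate contents are placeholders.
RESPONSE_NO_DESTINATION = """\
<saml2p:LogoutResponse ID="_resp-constructed-1" InResponseTo="_req-constructed-1"
    IssueInstant="2014-07-30T14:12:26.651Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferaysamlidpdemo</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>[value]</ds:SignatureValue>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
</saml2p:LogoutResponse>
"""

# Assumed SP single-logout endpoint, i.e. the URL the message was delivered to.
SP_SLO_URL = "https://sp.example.test/c/portal/saml/slo"


def with_destination(xml_text, url):
    """Return a copy of the message with a Destination attribute on the root."""
    root = ET.fromstring(xml_text)
    root.set("Destination", url)
    return ET.tostring(root, encoding="unicode")


def check_destination(xml_text, received_at, binding):
    """Apply the Destination rule to a received SAML protocol message.

    received_at is the URL on which the SP actually received the message and
    binding names how it arrived. Returns (accepted, reason). Only the
    presence of an enveloped ds:Signature is inspected here; verifying the
    signature itself is a separate step that must still be done."""
    root = ET.fromstring(xml_text)
    signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")

    if binding not in DESTINATION_REQUIRED_BINDINGS or not signed:
        # Artifact/SOAP bindings (or an unsigned message) do not require it,
        # but if the sender set it anyway it still has to match.
        if destination is not None and destination != received_at:
            return False, "Destination present but does not match receiving URL"
        return True, "Destination not required for this binding/message"

    if destination is None:
        return False, "signed message over %s lacks Destination" % binding
    # Exact comparison, which is what the original error is about; a
    # production check would additionally normalise scheme, host and port.
    if destination != received_at:
        return False, "Destination %s does not match receiving URL %s" % (destination, received_at)
    return True, "Destination present and matches"


if __name__ == "__main__":
    # The situation from the question: signed LogoutResponse over HTTP-POST
    # without Destination is rejected; the same message with a matching
    # Destination is accepted; over SOAP the attribute is not needed.
    print(check_destination(RESPONSE_NO_DESTINATION, SP_SLO_URL, "HTTP-POST"))
    fixed = with_destination(RESPONSE_NO_DESTINATION, SP_SLO_URL)
    print(check_destination(fixed, SP_SLO_URL, "HTTP-POST"))
    print(check_destination(RESPONSE_NO_DESTINATION, SP_SLO_URL, "SOAP"))
```

The first call reproduces the rejection Liferay reports in the question ("intended destination was not present"); the check is deliberately strict on exact URL equality because a mismatching Destination is exactly what lets a message intended for one endpoint be replayed at another.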

Licensed under: CC-BY-SA with attribution