From: D B. <ba...@aw...> - 2018-05-07 17:09:33
Hi,

SSO works fine between my Unity IDP and Shibboleth SP now - but unfortunately SAML Logout doesn't and I'm not even sure where the problem comes from.

If I set unity.saml.spAcceptPolicy=validRequester on the Unity IDP, it complains about unsigned LogoutRequests. Cut from the attached log file:

    eu.unicore.samly2.exceptions.SAMLRequesterException: SAML document is not signed and the policy requires a signature
        at eu.unicore.samly2.validators.AbstractRequestValidator.validate(AbstractRequestValidator.java:87) ~[samly2-2.3.3.jar:2.3.3]

However, the Shibboleth SP is configured with

    <Logout signing="true" encryption="false">SAML2 Local</Logout>

and says this in its shibd.log:

    2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: marshalled message: <samlp:LogoutRequest ...>
    2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: signing the message
    2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: message encoded, sending redirect to client

No signing error in the Shibboleth log...

Finally, if I set unity.saml.spAcceptPolicy=all on Unity, logout works without errors. Shibboleth reports:

    Status of Global Logout: Logout completed successfully.

Any hints on what's going wrong here or how I could figure out what's really going on?

Cheers,
D.
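
Added example (not part of the original message, and not Unity or Shibboleth code): in the SAML 2.0 HTTP-Redirect binding, which is what the SAML2Redirect encoder in the shibd.log lines produces, a signed message carries its signature in the SigAlg and Signature query parameters rather than in a ds:Signature element inside the XML. The sketch below decodes a captured redirect URL and reports which of the two is present; the host names, IDs and signature bytes in the sample are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def inspect_redirect(url):
    """Report where, if anywhere, a SAML HTTP-Redirect message carries a signature."""
    params = parse_qs(urlsplit(url).query)
    field = next((f for f in ("SAMLRequest", "SAMLResponse") if f in params), None)
    if field is None:
        raise ValueError("URL has no SAMLRequest or SAMLResponse parameter")
    # Redirect binding payload: base64 of a raw DEFLATE stream (no zlib header).
    xml = zlib.decompress(base64.b64decode(params[field][0]), -15)
    root = ET.fromstring(xml)  # diagnostic use on your own captured traffic only
    return {
        "message": root.tag.split("}")[-1],
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "sig_alg": params.get("SigAlg", [None])[0],
        # Binding-level signature: covers SAMLRequest, RelayState and SigAlg.
        "query_signature": "SigAlg" in params and "Signature" in params,
        # Enveloped XML signature, as used with HTTP-POST or SOAP.
        "xml_signature": root.find(f"{{{DSIG_NS}}}Signature") is not None,
    }


def constructed_logout_url(signed=True):
    """Build a constructed LogoutRequest redirect URL (hosts and values are made up)."""
    xml = (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML_NS}" ID="_constructed1" Version="2.0" '
        'IssueInstant="2018-05-07T16:52:17Z">'
        "<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>"
        "<saml:NameID>constructed-name-id</saml:NameID></samlp:LogoutRequest>"
    ).encode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    query = {"SAMLRequest": base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()}
    if signed:  # placeholder bytes, not a real RSA signature
        query.update(SigAlg=RSA_SHA256, Signature=base64.b64encode(b"constructed").decode())
    return "https://idp.example.org/constructed-slo?" + urlencode(query)


if __name__ == "__main__":
    print(inspect_redirect(constructed_logout_url()))
```

To use it on real traffic, pass the Location URL of the logout redirect as seen in the browser's network tab to inspect_redirect(); it does not verify the signature, only shows where one is carried.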