From: Krzysztof B. <kb...@un...> - 2018-05-09 21:46:42
Hi,

On 07.05.2018 at 19:09, D Baum wrote:
> Hi,
>
> SSO works fine between my Unity IDP and Shibboleth SP now - but
> unfortunately SAML Logout doesn't and I'm not even sure where the
> problem comes from.
>
> If I set
> unity.saml.spAcceptPolicy=validRequester
> on the Unity IDP, it complains about unsigned LogoutRequests. Cut from
> the attached log file:
> eu.unicore.samly2.exceptions.SAMLRequesterException: SAML document is
> not signed and the policy requires a signature
> at
> eu.unicore.samly2.validators.AbstractRequestValidator.validate(AbstractRequestValidator.java:87)
> ~[samly2-2.3.3.jar:2.3.3]
>
> However, the Shibboleth SP is configured with
>
> <Logout signing="true" encryption="false">SAML2 Local</Logout>

Looking at your attached log, it seems that Unity receives an unsigned request. I don't know the details of your config - for validRequester, have you configured trusted URLs (unless you use metadata to configure SLO)? You have an example at the very end of http://www.unity-idm.eu/documentation/unity-2.4.0/saml-howto.html#_using_single_logout_slo

Also one more hint: for the redirect binding, signing most likely won't be performed by the initiating side: the request would be too large for encoding into a URL.

HTH,
KB
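
To see what the SP actually sends on the redirect binding, the captured logout URL can be decoded and checked for a signature, either embedded in the XML or carried in the `SigAlg` and `Signature` query parameters that the SAML HTTP-Redirect binding defines. The following is an added example, not part of the original message and not Unity or Shibboleth code; the hostnames, the `inspect_redirect_message` and `constructed_url` names and the sample request are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
ISSUER = "{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"
MAX_XML = 64 * 1024  # cap on inflated size for this diagnostic

def inspect_redirect_message(url):
    """Report whether a SAML HTTP-Redirect request carries a signature.
    Presence only: the signature value itself is not verified here."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail or b"<!DOCTYPE" in xml:
        raise ValueError("oversized message or DTD present; refusing to parse")
    root = ET.fromstring(xml)
    return {
        "message": root.tag.split("}")[-1],
        "issuer": root.findtext(ISSUER),
        "embedded_signature": root.find(DSIG) is not None,
        "query_signature": "SigAlg" in params and "Signature" in params,
    }

def constructed_url(signed):
    """Build a constructed sample logout URL (all values are made up)."""
    xml = (b'<samlp:LogoutRequest'
           b' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
           b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
           b' ID="_constructed1" Version="2.0"'
           b' IssueInstant="2018-05-07T17:00:00Z">'
           b'<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
           b'<saml:NameID>constructed-user</saml:NameID>'
           b'</samlp:LogoutRequest>')
    c = zlib.compressobj(wbits=-15)
    query = {"SAMLRequest": base64.b64encode(c.compress(xml) + c.flush()).decode()}
    if signed:
        query["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        query["Signature"] = "Y29uc3RydWN0ZWQ="  # placeholder, not a real signature
    return "https://idp.example.org/slo?" + urlencode(query)

if __name__ == "__main__":
    for signed in (False, True):
        print(inspect_redirect_message(constructed_url(signed)))
```
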