From: Krzysztof B. <kb...@un...> - 2018-05-20 09:50:10
On 14.05.2018 at 11:44, D Baum wrote:
> Hi,
>
> On 09/05/18 23:46, Krzysztof Benedyczak wrote:
>> While looking at your attached log it seems that Unity receives an
>> unsigned request.
> Yeah, I'm just not sure what really happens because the Shibboleth logs
> kinda "claim" that signing happens:
>
> 2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]:
> signing the message
> 2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]:
> message encoded, sending redirect to client
>
>> I don't know details of your config - for
>> validRequester have you configured trusted URLs (unless you use metadata
>> to configure SLO)? You have an example at the very end of
>> http://www.unity-idm.eu/documentation/unity-2.4.0/saml-howto.html#_using_single_logout_slo
> I'm using metadata and Shibboleth has the following SingleLogoutServices
> configured:
>
> <md:SingleLogoutService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>     Location="https://shibboleth/Shibboleth.sso/SLO/SOAP"/>
> <md:SingleLogoutService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     Location="https://shibboleth/Shibboleth.sso/SLO/Redirect"/>
> <md:SingleLogoutService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     Location="https://shibboleth/Shibboleth.sso/SLO/POST"/>
> <md:SingleLogoutService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
>     Location="https://shibboleth/Shibboleth.sso/SLO/Artifact"/>
>
>> Also one more hint: for redirect binding signing most likely won't be
>> performed by initiating side: request would be too large for encoding
>> into URL.
> I'm calling https://shibboleth/Shibboleth.sso/Logout, so Shibboleth is
> the initiating side (and it not signing would be consistent with the
> unity logs).
>
> So one solution would be to comment out the redirect binding in the
> Unity metadata used by Shibboleth, so that Shibboleth uses another
> binding to send the SLO request?

Yes, you can try this.
Also, when debugging SLO, try to capture what happens in the web browser logs. This is a super complex workflow; it is easy to mix up endpoints.

Good luck,
KB
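The check behind the advice above, as an added example (not Unity or Shibboleth code): given a LogoutRequest captured from the browser, tell whether it was actually signed. The two bindings in play here carry the signature differently, which is exactly what makes SP and IdP logs easy to misread: with HTTP-Redirect the SAMLRequest query parameter is a DEFLATE-compressed, base64-encoded XML document and the signature, if any, is in the separate SigAlg and Signature query parameters; with HTTP-POST the SAMLRequest form field is plain base64 of the XML and the signature is an enveloped ds:Signature element inside it. The endpoint URLs, entity IDs and the sample messages below are constructed for the demo, and the "signed" messages carry placeholder signature values, so the code only detects the presence of a signature; it does not verify one.

```python
"""Report whether a captured SAML 2.0 LogoutRequest carries a signature.

Added example, not Unity or Shibboleth code. All URLs, entity IDs and
messages below are constructed for the demonstration.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical IdP SLO endpoint; substitute the real one from Unity metadata.
IDP_SLO_REDIRECT = "https://unity.example.org/saml-slo/redirect"


def _summarize(root, signed):
    """Pull out the fields you want to compare against the IdP's log."""
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "message": root.tag.split("}")[1],          # e.g. LogoutRequest
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "signed": signed,
    }


def inspect_redirect(url):
    """HTTP-Redirect binding: SAMLRequest is raw-DEFLATE + base64 in the query.

    The signature is NOT inside the XML; it is the SigAlg/Signature pair of
    query parameters, computed over the raw (still URL-encoded) query string.
    Presence is checked here; verifying it needs the SP's signing certificate.
    """
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)          # -15: raw DEFLATE, no zlib header
    root = ET.fromstring(xml)
    signed = "Signature" in qs and "SigAlg" in qs
    return _summarize(root, signed)


def inspect_post(saml_request_b64):
    """HTTP-POST binding: SAMLRequest form field is plain base64 of the XML.

    A signed message carries an enveloped ds:Signature child element.
    """
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    signed = root.find("{%s}Signature" % DS) is not None
    return _summarize(root, signed)


# --- constructed sample messages, mimicking what an SP would send ----------

LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
    'ID="_abc123" Version="2.0" IssueInstant="2018-05-07T16:52:17Z" '
    'Destination="%s">'
    '<saml:Issuer>https://shibboleth.example.org/shibboleth</saml:Issuer>'
    '<saml:NameID>user1</saml:NameID>'
    '<samlp:SessionIndex>_sess1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>' % (SAMLP, SAML, IDP_SLO_REDIRECT)
)


def make_redirect_url(xml, signed):
    """Encode like the Redirect binding does (deflate, base64, urlencode).

    With signed=True a placeholder SigAlg/Signature pair is appended; a real
    SP would sign 'SAMLRequest=...&SigAlg=...' with its private key.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"\x00" * 32).decode()  # placeholder
    return IDP_SLO_REDIRECT + "?" + urlencode(params)


def make_post_field(xml, signed):
    """Encode like the POST binding does; optionally embed a placeholder
    ds:Signature element so the enveloped-signature check fires."""
    if signed:
        sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>AAAA'
               '</ds:SignatureValue></ds:Signature>' % DS)
        xml = xml.replace("</saml:Issuer>", "</saml:Issuer>" + sig, 1)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for label, res in [
        ("redirect, unsigned", inspect_redirect(make_redirect_url(LOGOUT_REQUEST, False))),
        ("redirect, signed", inspect_redirect(make_redirect_url(LOGOUT_REQUEST, True))),
        ("post, unsigned", inspect_post(make_post_field(LOGOUT_REQUEST, False))),
        ("post, signed", inspect_post(make_post_field(LOGOUT_REQUEST, True))),
    ]:
        print("%-20s %s" % (label, res))
```

To use it on a real capture, paste the full Location header of the 302 (or the SAMLRequest form field of the auto-submitted POST page) from the browser's network log into inspect_redirect or inspect_post and compare issuer, destination and the signed flag with what the IdP logged; a "signing the message" line on the SP side next to signed=False on the wire is the mismatch worth chasing.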