SAML2 SLO SP initiated

[Fabio Martelli]

Hi All, I have some trouble with SAML2 SLO.

It seems that my IdP CAS 5.2.X does not provide any SAML logout response
to the SP sending SLO request to it.

What am I missing? Is there any particular configuration to be provided?
Does not CAS IdP support SP initiated?

Thank you in advance for your help.

Kind regards,

F.

--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email&pk_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/

[Fabio Martelli]

Il 12/09/2018 17:20, Fabio Martelli ha scritto:

Hi All, I have some trouble with SAML2 SLO.

It seems that my IdP CAS 5.2.X does not provide any SAML logout response to the SP sending SLO request to it.

What am I missing? Is there any particular configuration to be provided? Does not CAS IdP support SP initiated?

Thank you in advance for your help.

Kind regards,

F.

Hi, looking into the code I found the abstract class AbstractSamlSLOProfileHandlerController [1].

If I correctly interpreted its implementation, the SLO request handling will result into a redirect to the path /cas/logout.

In this way, a logout response will never be provided to the calling SP. As far as I know, this is in contrast with SAML2 SLO specifications.

Assuming that my analysis is correct, is there the possibility that this behavior will be fixed in the future? I'm a bit worried about the fact that the master provides the same implementation ...

Please, let me have your feedback about.

Regards,

F.

[1] https://github.com/apereo/cas/blob/v5.2.7/support/cas-server-support-saml-idp/src/main/java/org/apereo/cas/support/saml/web/idp/profile/slo/AbstractSamlSLOProfileHandlerController.java#L101

[Misagh Moayyed]

Your analysis is correct. I believe more recent versions of 6 handle this scenario.