HTTP-POST binding support for SingleLogoutService - IdP remote metadata


Muhammad Anas

Nov 18, 2015, 11:10:35 AM
to SimpleSAMLphp
I am using SimpleSAMLphp as Service Provider with Okta (https://www.okta.com/) as Identity Provider. 

IdP metadata provided by Okta contains only one SingleLogoutService tag which looks like this:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-321360.oktapreview.com/app/anasblogdev321360_convostage_1/exk5egk05fWl2Cg290h7/slo/saml"/>

When I log out from the service provider, it does not log me out of Okta, and in the SimpleSAMLphp logs I can see a statement like this: "No SingleLogoutService endpoint found for <okta identity id>"

I was wondering if HTTP-POST binding is supported for SLO in SSP?

Any help would be highly appreciated.

Thanks,
Anas
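
Added example, not part of the original thread and not SimpleSAMLphp's own code: a Python check that lists the SingleLogoutService endpoints in IdP metadata and reports whether the SP can address any of them, the situation the post above describes. The sample metadata, the idp.example.org URLs and the `sp_bindings` sets passed in are constructed assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted metadata, parse with defusedxml instead
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: entityID and Locations are placeholders; the single
# HTTP-POST SingleLogoutService element mirrors the shape quoted in the post.
SAMPLE_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_POST}" Location="https://idp.example.org/slo/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.org/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def slo_endpoints(metadata_xml):
    """Return [(binding, location), ...] for every IdP SingleLogoutService."""
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleLogoutService"
    return [(e.get("Binding"), e.get("Location")) for e in root.iterfind(path)]


def check_slo(metadata_xml, sp_bindings):
    """Pick the first SLO endpoint the SP can use; otherwise say why none fits.

    sp_bindings is the caller's assumption about which bindings the SP can
    use to send a LogoutRequest.
    """
    endpoints = slo_endpoints(metadata_xml)
    if not endpoints:
        return None, "IdP metadata has no SingleLogoutService element"
    rejected = []
    for binding, location in endpoints:
        if binding not in sp_bindings:
            rejected.append(f"{binding}: binding not supported by SP")
        elif urlparse(location or "").scheme != "https":
            rejected.append(f"{location}: Location is not https")
        else:
            return (binding, location), "ok"
    return None, "; ".join(rejected)


if __name__ == "__main__":
    print(check_slo(SAMPLE_METADATA, {HTTP_REDIRECT}))
    print(check_slo(SAMPLE_METADATA, {HTTP_REDIRECT, HTTP_POST}))
```
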

Jaime Perez Crespo

Nov 18, 2015, 3:32:09 PM
to simple...@googlegroups.com
Hi Muhammad,
It is, though I wouldn’t be able right now to tell when support started. Just in case, what does your saml20-idp-remote.php file look like? Is there a SLO endpoint in there for Okta?

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Muhammad Anas

Nov 20, 2015, 2:03:33 AM
to SimpleSAMLphp
Hi James, Thanks a lot for your response.

I am using SimpleSAMLphp v1.11. In the changelog of v1.12 I can see the following entry:

  • Support for the HTTP-POST binding in WebSSO profile.

So, I guess, the issue here is me being behind the latest version. I am currently in the process of upgrading my copy of SimpleSAMLphp to the latest version 1.13.2

If the issue persists after upgrading, I will let you know and will post the contents of saml20-idp-remote.php too.

Best Regards,
Anas





Jaime Perez Crespo

Nov 20, 2015, 4:02:02 AM
to simple...@googlegroups.com
Hi,

> On 20 Nov 2015, at 08:03 AM, Muhammad Anas <anast...@gmail.com> wrote:
> Hi James, Thanks a lot for your response.

Actually it’s Jaime ;-)

> I am using SimpleSAMLphp v1.11. In the changelog of v1.12 I can see the following entry:
>
> • Support for the HTTP-POST binding in WebSSO profile.

If I recall correctly, at that point we added missing support for the HTTP-POST binding for SAML requests, as for SAML responses we obviously had it in place since the beginning. So that should be it, yes.

> So, I guess, the issue here is me being behind the latest version. I am currently in the process of upgrading my copy of SimpleSAMLphp to the latest version 1.13.2

As a rule of thumb, you should always keep up to date with the latest stable version. Not only to stay away from bugs or get the latest functionalities, but also to keep away from security issues. 1.11 is quite old now and a few security issues have been fixed since then.

Muhammad Anas

Nov 20, 2015, 4:47:35 AM
to SimpleSAMLphp
Oops... I am really sorry for misspelling your name Jaime :)

Okay, great. I am still not done with the upgrade because there were some minor modifications here and there in the library code on our end and I am currently merging them in via Git and resolving some conflicts manually.

I hope this exercise would be fruitful. Will tell you once it is done.

Cheers,
Anas :)

Muhammad Anas

Nov 24, 2015, 8:34:19 AM
to SimpleSAMLphp
Finally, I have updated our copy of SimpleSAMLphp to the latest code from master branch. Now, HTTP-POST binding is working perfectly for SLO :)

Just one final question Jaime. Is the code in master branch stable enough to be used in production? Or should we stick to v1.13.2?

I see that v1.1.3.2 was released about a year ago and there have been a lot of commits on master since then.

Jaime Perez Crespo

Nov 24, 2015, 8:44:09 AM
to simple...@googlegroups.com
Hi Muhammad!

> On 24 Nov 2015, at 14:34 PM, Muhammad Anas <anast...@gmail.com> wrote:
> Finally, I have updated our copy of SimpleSAMLphp to the latest code from master branch. Now, HTTP-POST binding is working perfectly for SLO :)

I’m glad it worked :-)

> Just one final question Jaime. Is the code in master branch stable enough to be used in production? Or should we stick to v1.13.2?

We usually work in master, and even though we try to keep things working there, some things might break now and then. So you should always stick to the latest stable release in production, unless you are feeling adventurous or you want to help us debug ;-)

> I see that v1.1.3.2 was released about a year ago and there have been a lot of commits on master since then.

Yes, a huge part of SSP has changed since 1.13.2. For now, nobody should notice those changes, though, since most of them are either unused parts or preparations for a 2.0 release.

Stay tuned!

anujnehra...@gmail.com

Apr 14, 2018, 2:09:08 AM
to SimpleSAMLphp
Hi Muhammad,

I was trying to implement SingleLogoutService with Okta as the IdP.
Can you show me or guide me on how you achieved "HTTP-POST binding is working perfectly for SLO"?
Whenever I try to log out, the Okta logs show it as an invalid signature auth failure.