Thanks, gentlemen. It’s quite possible that the vendor SPs calling the logout URL aren’t passing any parameters. I’ll check logs on that. If so, and IIRC, doesn’t the logout endpoint consult session cookies to know what session to terminate? Or is it really only a true SAML logout that responds to a passed-in request?
I’m only questioning this because, as I stated previously, this was working a few weeks ago for these very SPs.
Just to help me further understand, is this error coming from the SimpleSAMLphp IdP portion of my proxy IdP or the SP portion? I assumed that the Proxy IdP took the request, identified the session, and handed it to the SSP SP that it used to initiate the session, and that SP in turn sent the logout request on to the originating IdP. Is that right? And is this error happening in the SSP IdP or the SSP SP? I realize that the SP is just an authentication mechanism for the IdP, but I’m trying to understand the issue.
Keith
--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
https://simplesamlphp.org/support
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
Make sure to read the documentation:
https://simplesamlphp.org/docs/stable/
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
I’m still searching the archives, but I’ve determined that Apache’s not doing any rewriting or redirecting of the logout URL. And, looking at the log, it looks like these vendors aren’t sending any GET params in the request. They’re just calling the logout URL, like an IdP-initiated logout.
And according to the docs, calling /simplesaml/saml2/idp/SingleLogoutService.php with no parameters should work.
So, I’m still confused by this error.
I’ll keep digging.
Keith
Ah-ha!
Has the ReturnTo parameter always been required for the SingleLogoutService.php endpoint if a GET or POST SAML logout request isn’t included? If I include a ReturnTo parameter, logout works!
Is there a reason that SSP can’t do an IdP-initiated logout without a ReturnTo param, just passing the user to the default SSP logout page in its absence?
Keith
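The finding above (the IdP SLO endpoint needs either a SAML LogoutRequest or a ReturnTo parameter) is easy to get wrong on the calling side: the vendor SP has to URL-encode ReturnTo, and the target has to be one the IdP is willing to redirect to. The following is an added illustration, not code from the thread or from SimpleSAMLphp. The endpoint path and the ReturnTo parameter name come from the thread; the hostnames and the allow-list contents are made up. The allow-list check mirrors the intent of SimpleSAMLphp's trusted.url.domains setting (which the endpoint applies to ReturnTo so it cannot be used as an open redirect), not the project's actual implementation.

```python
"""Build and sanity-check an IdP-initiated logout URL for SimpleSAMLphp's
SingleLogoutService.php endpoint.

Added example, not SimpleSAMLphp code. Hostnames and the trusted-domain
list below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

IDP_HOST = "idp.example.edu"  # constructed
SLO_PATH = "/simplesaml/saml2/idp/SingleLogoutService.php"  # path from the thread

# Constructed stand-in for the hosts an operator would list in the IdP's
# trusted.url.domains setting (the vendor SPs' landing pages).
TRUSTED_URL_DOMAINS = ["vendor-sp.example.com", "portal.example.edu"]


def build_idp_initiated_logout_url(return_to: str) -> str:
    """Return the SLO URL carrying a URL-encoded ReturnTo so the IdP knows
    where to send the browser once the session has been terminated."""
    query = urlencode({"ReturnTo": return_to})
    return urlunsplit(("https", IDP_HOST, SLO_PATH, query, ""))


def classify_logout_request(url: str) -> str:
    """Report which input case a request to the endpoint falls into:
    'saml'     - a SAMLRequest/SAMLResponse is present (true SAML SLO)
    'returnto' - no SAML message, but ReturnTo is present (IdP-initiated)
    'none'     - neither; this is the bare call the vendors were making
    """
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" in params or "SAMLResponse" in params:
        return "saml"
    if "ReturnTo" in params:
        return "returnto"
    return "none"


def return_to_allowed(return_to: str,
                      trusted: Optional[list],
                      self_host: str = IDP_HOST) -> bool:
    """Approximate a host allow-list for ReturnTo: the IdP's own host is
    always acceptable, any other host must be explicitly listed, and
    non-http(s) or host-less targets (e.g. javascript:) are refused.
    This is an illustration of the check, not SimpleSAMLphp's code."""
    parts = urlsplit(return_to)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host == self_host.lower():
        return True
    return trusted is not None and host in (t.lower() for t in trusted)


if __name__ == "__main__":
    bare = "https://" + IDP_HOST + SLO_PATH
    print(bare, "->", classify_logout_request(bare))
    full = build_idp_initiated_logout_url("https://vendor-sp.example.com/loggedout?x=1&y=2")
    print(full, "->", classify_logout_request(full))
    for target in ("https://vendor-sp.example.com/loggedout", "https://evil.example.net/"):
        print(target, "allowed:", return_to_allowed(target, TRUSTED_URL_DOMAINS))
```

The practical check for the thread's situation is the `classify_logout_request` result: a vendor that hits the endpoint with no query string lands in the `none` case, which is exactly the call that failed until ReturnTo was added. The `return_to_allowed` half is the caveat that follows once ReturnTo is in play: whatever the vendor puts there must be a host the IdP operator has chosen to trust, otherwise the IdP should refuse it rather than bounce the user anywhere a caller asks.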
From: Keith Wessel [mailto:kwes...@gmail.com] On Behalf Of Keith Wessel
Sent: Thursday, November 16, 2017 8:52 AM
To: simple...@googlegroups.com