<LogoutInitiator > message not SAML2 valid

Description

Error message from the IdP (RSA FIM) on logout.
Message:
Error message: Exception encountered at the top-level of the profile bean: SAMLObject.fromStream() caught exception while parsing a stream (wrapped: cvc-complex-type.2.4.a: Invalid content was found starting with element 'samlp:SessionIndex'. One of '{"http://www.w3.org/2000/09/xmldsig#":Signature, "urn:oasis:names:tc:SAML:2.0:protocol":Extensions, "urn:oasis:names:tc:SAML:2.0:assertion":BaseID, "urn:oasis:names:tc:SAML:2.0:assertion":NameID, "urn:oasis:names:tc:SAML:2.0:assertion":EncryptedID}' is expected.)

Configuration:

shibboleth2.xml:

<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
    <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
    <LogoutInitiator type="Global"/>
</LogoutInitiator>

IdP metadata file:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.athome.com/slo/request/AP" ResponseLocation=" http://idp.athome.com/slo/response/AP"></md:SingleLogoutService>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.athome.com/slo/request/AP" ResponseLocation="http://idp.athome.com/slo/response/AP"></md:SingleLogoutService>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://idp.athome.com/renb" ResponseLocation="http://idp.athome.com/slo/response/AP"></md:SingleLogoutService>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.athome.com/soap/services/SAMLMessageProcessor/AP"></md:SingleLogoutService>

Environment

redhat 4

Attachments

1

Activity

Omar Oueslati June 6, 2008 at 6:21 PM

OK, I'll try that and tell you. Thanks again.

Scott Cantor June 6, 2008 at 5:40 PM

Found the bug. To work around this, you can set encryption="front" instead of omitting it or using false, to turn on NameID encryption. I didn't notice it because my testing was with that set. Unencrypted IDs aren't attached to the message properly.
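
The schema rule behind the IdP's error, as an added example (not Shibboleth or RSA code): the SAML 2.0 protocol schema requires a BaseID, NameID or EncryptedID before any SessionIndex in a LogoutRequest, and this check verifies that child order. The function names, the sample messages and the entity ID are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Child order the SAML 2.0 protocol schema requires for LogoutRequest:
# Issuer?, Signature?, Extensions?, (BaseID | NameID | EncryptedID), SessionIndex*
OPTIONAL_HEAD = [(SAML, "Issuer"), (DSIG, "Signature"), (SAMLP, "Extensions")]
IDENTIFIERS = {(SAML, "BaseID"), (SAML, "NameID"), (SAML, "EncryptedID")}

def qname(elem):
    """Split ElementTree's '{ns}local' tag into (ns, local)."""
    if elem.tag.startswith("{"):
        ns, _, local = elem.tag[1:].partition("}")
        return ns, local
    return "", elem.tag

def check_logout_request(xml_text):
    """Return a list of child-order problems; an empty list means the order is valid."""
    # The samples below are trusted, constructed input. Parse untrusted SAML
    # with a hardened parser (for example the defusedxml package) instead.
    root = ET.fromstring(xml_text)
    if qname(root) != (SAMLP, "LogoutRequest"):
        return ["root element is not samlp:LogoutRequest"]
    children = [qname(c) for c in root]
    pos = 0
    for head in OPTIONAL_HEAD:  # each is optional, but only in this order
        if pos < len(children) and children[pos] == head:
            pos += 1
    if pos >= len(children) or children[pos] not in IDENTIFIERS:
        found = children[pos][1] if pos < len(children) else "end of message"
        return ["expected BaseID, NameID or EncryptedID, found %s" % found]
    pos += 1
    return ["unexpected element %s after the identifier" % c[1]
            for c in children[pos:] if c != (SAMLP, "SessionIndex")]

# Constructed sample messages (not taken from the attached log).
def sample(body):
    return ('<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_x" Version="2.0" '
            'IssueInstant="2008-06-06T10:00:00Z">%s</samlp:LogoutRequest>' % (SAMLP, SAML, body))

ISSUER = "<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>"
INDEX = "<samlp:SessionIndex>_constructed_index</samlp:SessionIndex>"
BROKEN = sample(ISSUER + INDEX)  # identifier missing, as in the reported error
VALID = sample(ISSUER + "<saml:NameID>constructed-id</saml:NameID>" + INDEX)
```

`check_logout_request(BROKEN)` reports the same condition as the IdP's `cvc-complex-type.2.4.a` error: a SessionIndex where an identifier element was expected.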

Scott Cantor June 6, 2008 at 5:29 PM

Yep, sorry. I saw the XML at the end, but not the response.

Omar Oueslati June 6, 2008 at 5:26 PM

I guess you have that in the attached logfile, no?

Fixed

Created June 6, 2008 at 10:25 AM
Updated August 13, 2008 at 11:01 AM
Resolved June 6, 2008 at 5:44 PM