Error message from IDP (RSA FIM) when logout. Message: Error message: Exception encountered at the top-level of the profile bean: SAMLObject.fromStream() caught exception while parsing a stream (wrapped: cvc-complex-type.2.4.a: Invalid content was found starting with element 'samlp:SessionIndex'. One of '{"http://www.w3.org/2000/09/xmldsig#":Signature, "urn:oasis:names:tc:SAML:2.0:protocol":Extensions, "urn:oasis:names:tc:SAML:2.0:assertion":BaseID, "urn:oasis:names:tc:SAML:2.0:assertion":NameID, "urn:oasis:names:tc:SAML:2.0:assertion":EncryptedID}' is expected.)
Found the bug. To work around this, you can set encryption="front" instead of omitting it or using false, to turn on NameID encryption. I didn't notice it because my testing was with that set. Unencrypted IDs aren't attached to the message properly.
Scott Cantor June 6, 2008 at 5:29 PM
Yep, sorry. I saw the XML at the end, but not the response.
Omar Oueslati June 6, 2008 at 5:26 PM
I guess in the logfile attached you have that, no?
Error message from IDP (RSA FIM) when logout.
Message:
Error message: Exception encountered at the top-level of the profile bean: SAMLObject.fromStream() caught exception while parsing a stream (wrapped: cvc-complex-type.2.4.a: Invalid content was found starting with element 'samlp:SessionIndex'. One of '{"http://www.w3.org/2000/09/xmldsig#":Signature, "urn:oasis:names:tc:SAML:2.0:protocol":Extensions, "urn:oasis:names:tc:SAML:2.0:assertion":BaseID, "urn:oasis:names:tc:SAML:2.0:assertion":NameID, "urn:oasis:names:tc:SAML:2.0:assertion":EncryptedID}' is expected.)
Configuration:
shibboleth2.xml:
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
    <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
    <LogoutInitiator type="Global"/>
</LogoutInitiator>
IdP metadata file:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.athome.com/slo/request/AP" ResponseLocation=" http://idp.athome.com/slo/response/AP"></md:SingleLogoutService>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.athome.com/slo/request/AP" ResponseLocation="http://idp.athome.com/slo/response/AP"></md:SingleLogoutService>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://idp.athome.com/renb" ResponseLocation="http://idp.athome.com/slo/response/AP"></md:SingleLogoutService>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.athome.com/soap/services/SAMLMessageProcessor/AP"></md:SingleLogoutService>
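The schema error quoted above means the IdP's parser reached samlp:SessionIndex while it was still expecting the identifier element (BaseID, NameID or EncryptedID). The following Python check of LogoutRequest child order against the SAML 2.0 protocol schema is an added example, not code from Shibboleth or from this issue; the sample messages, the entity ID and all values in them are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Position of each permitted child in the samlp:LogoutRequest content model.
RANK = {
    f"{{{SAML}}}Issuer": 0, f"{{{DS}}}Signature": 1, f"{{{SAMLP}}}Extensions": 2,
    f"{{{SAML}}}BaseID": 3, f"{{{SAML}}}NameID": 3, f"{{{SAML}}}EncryptedID": 3,
    f"{{{SAMLP}}}SessionIndex": 4,
}
ID_RANK, INDEX_RANK = 3, 4

def check_logout_request(xml_text):
    """Return schema-order problems for a LogoutRequest; [] means the order is valid."""
    # Constructed input only; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return ["root element is not samlp:LogoutRequest"]
    problems, last, has_id = [], -1, False
    for child in root:
        name = child.tag.split("}")[-1]
        rank = RANK.get(child.tag)
        if rank is None:
            problems.append(f"{name}: not allowed in LogoutRequest")
            continue
        if rank == INDEX_RANK and not has_id:
            # The failure reported in this issue: no identifier before SessionIndex.
            problems.append(f"{name}: found where BaseID, NameID or EncryptedID is required")
            has_id = True  # report the missing identifier only once
        elif rank < last:
            problems.append(f"{name}: out of order")
        elif rank == last and rank != INDEX_RANK:
            problems.append(f"{name}: only one element allowed at this position")
        has_id = has_id or rank == ID_RANK
        last = max(last, rank)
    if not has_id:
        problems.append("missing BaseID, NameID or EncryptedID")
    return problems

# Constructed sample messages (not taken from the attached log file).
HEAD = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_constructed1" Version="2.0" IssueInstant="2008-06-06T17:00:00Z">'
        '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>')
TAIL = '<samlp:SessionIndex>_constructed-index</samlp:SessionIndex></samlp:LogoutRequest>'
BROKEN = HEAD + TAIL  # identifier never attached
VALID = HEAD + '<saml:NameID>constructed-user</saml:NameID>' + TAIL
```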