Global logout and front-channel notification complaining about missing entityID in logout response

Description

The problem is that when using global logout and front-channel notification, this results in an error saying "Application notification loop did not return entityID for LogoutResponse.". Using the same configuration and the same flow with local Logout (<LogoutInitiator type="Local"/>) things seem to work perfectly (see local logout logs).

shibboleth2.xml
[..]
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
</LogoutInitiator>
[..]
<Notify
Channel="front"
Location="https://ebulobo.switch.ch/moodle/auth/shibboleth/logout.php" />

Flow:
0. Clear all cookies
1. Access Moodle: https://ebulobo.switch.ch/moodle/
2. Select SimpleSAML IdP in Moodle integrated WAYF (https://ebulobo.switch.ch/moodle/auth/shibboleth/login.php)
3. Authenticate at IdP (user is authenticated and back in Moodle https://ebulobo.switch.ch/moodle/)
4. Access some course in Moodle (just for fun)
5. Then log out (https://ebulobo.switch.ch/moodle/login/logout.php?sesskey=XwKJQTreP7)
6. This will lead to a SP error message on (https://ebulobo.switch.ch/Shibboleth.sso/SLO/Redirect?notifying=1&index=1) saying:
opensaml::FatalProfileException at (https://ebulobo.switch.ch/Shibboleth.sso/SLO/Redirect)
Application notification loop did not return entityID for LogoutResponse.

See attached log files of shibd, apache access and browser (created via FF Live Headers extension)

Environment

Host: Debian, Etch, Apache 2.2
SP: Shibboleth SP 2.1
IdP: SimpleSAML PHP

Attachments

2
  • 20 Mar 2009, 05:17 AM
  • 20 Mar 2009, 05:16 AM

Activity

lucy November 16, 2010 at 9:07 AM

The location in the front-channel Notify element is now correctly called with:

1. /logout.php http://www.purplephones.co.uk
2. correct the integrated section and implement the SAML
3. Add update to the course.

Former user October 18, 2009 at 7:32 PM

I mainly solve this using shibboleth2.xml -
[..]
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
</LogoutInitiator>
[..]
<Notify
Channel="front"
Location="https://ebulobo.switch.ch/moodle/auth/shibboleth/logout.php" />

Flow:
0. Clear all cookies
1. Access Moodle: http://www.voucher-code-discount.co.uk
2. Select SimpleSAML IdP in Moodle integrated WAYF (https://ebulobo.switch.ch/moodle/auth/shibboleth/login.php)
3. Authenticate at IdP (user is authenticated and back in Moodle https://ebulobo.switch.ch/moodle/)
4. Access some course in Moodle (just for fun)

Scott Cantor June 23, 2009 at 12:47 PM

Closing after releases.

Lukas Hämmerle April 9, 2009 at 6:15 AM

This seems to work now as well, thx :)

The location in the front-channel Notify element is now correctly called with:

/logout.php
?action=logout
&return=https://dieng.switch.ch/Shibboleth.sso/SLO/Redirect
?notifying=1
&index=1
&ID=_e2eba143e566aba0d384fb40ee81c448ee4f20ffff
&entityID=https://ebulobo.switch.ch/idp/simplesaml
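
An added example, not part of the original comment or of the Shibboleth code: a Python check that a Notify handler could run on the front-channel notification URL before redirecting to `return`, confirming the return URL carries the parameters listed above and points at the SP's own logout handler. The function names, the allow-list and the sample URLs (built from the hosts in the comment, with a constructed ID) are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Parameters present in the return URL quoted in the comment above.
REQUIRED_RETURN_PARAMS = ("notifying", "index", "ID", "entityID")


def check_notification(url, allowed_handlers):
    """Return (return_url, problems) for a front-channel logout notification URL."""
    problems = []
    query = parse_qs(urlsplit(url).query)
    if query.get("action") != ["logout"]:
        problems.append("action is not 'logout'")
    return_url = query.get("return", [""])[0]
    if not return_url:
        return None, problems + ["no return parameter"]
    # Redirect only to the SP's own logout handler, never to an arbitrary URL.
    parts = urlsplit(return_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base not in allowed_handlers:
        problems.append(f"return target {base} is not an allowed SP handler")
    # The SP needs these back to finish the logout and build the LogoutResponse.
    returned = parse_qs(parts.query)
    for name in REQUIRED_RETURN_PARAMS:
        if name not in returned:
            problems.append(f"return URL lacks {name}")
    return return_url, problems


def build_notification(location, return_base, params):
    """Build a constructed sample URL; the return URL is one encoded parameter."""
    return_url = return_base + "?" + urlencode(params)
    return location + "?" + urlencode({"action": "logout", "return": return_url})


# Constructed sample values (hosts taken from the comment, ID made up).
SP_HANDLER = "https://dieng.switch.ch/Shibboleth.sso/SLO/Redirect"
NOTIFY = "https://ebulobo.switch.ch/moodle/auth/shibboleth/logout.php"
GOOD = {"notifying": "1", "index": "1", "ID": "_constructed-request-id",
        "entityID": "https://ebulobo.switch.ch/idp/simplesaml"}

if __name__ == "__main__":
    no_entity = {k: v for k, v in GOOD.items() if k != "entityID"}
    for params in (GOOD, no_entity):
        url = build_notification(NOTIFY, SP_HANDLER, params)
        print(check_notification(url, {SP_HANDLER})[1] or "ok")
```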

Scott Cantor March 31, 2009 at 1:35 PM

http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=2965

(ignore the ISAPI module change, it snuck in to this rev)

I think this is the fix, but would suggest you test if you do a new build to try and reproduce the other logout bug.

Fixed

Created March 20, 2009 at 5:16 AM
Updated June 24, 2021 at 3:04 PM
Resolved March 31, 2009 at 1:35 PM