SAML2 Single Logout Profile requires LogoutRequest and LogoutResponse messages to be signed when sent over HTTP Redirect or POST bindings. It can be achieved right now by setting signing="front" or signing="true", but it has a side effect of signing every other message (which is probably unnecessary). If it could be done implicitly (and by default), that could make deploying logout easier.
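The profile rule cited above can be checked mechanically on captured logout traffic: on HTTP-Redirect the signature is carried as the SigAlg and Signature query parameters beside the DEFLATEd message, on HTTP-POST it is an enveloped ds:Signature inside the XML. The following is an added example, not code from this issue or from the Shibboleth SP; it checks only that a signature is present in the form each binding prescribes (cryptographic verification needs the peer's metadata and keys), and the hostnames, message IDs and placeholder signature bytes are constructed for the example.

```python
"""Presence check for the signature that the SAML 2.0 Single Logout Profile
requires on LogoutRequest/LogoutResponse over the HTTP-Redirect and HTTP-POST
bindings.  Added example, not Shibboleth SP code.  It checks only that a
signature is carried in the form each binding prescribes; it does not verify
it cryptographically.  All sample messages and hostnames are constructed.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SLO_MESSAGES = {"LogoutRequest", "LogoutResponse"}


def message_type(root):
    """Local name of the samlp message element, e.g. 'LogoutRequest'."""
    if root.tag.startswith("{" + SAMLP + "}"):
        return root.tag.split("}", 1)[1]
    return None


def check_redirect(url):
    """HTTP-Redirect: message is raw-DEFLATEd + base64 in SAMLRequest/SAMLResponse;
    the signature travels as the SigAlg and Signature query parameters."""
    qs = parse_qs(urlsplit(url).query)
    param = "SAMLRequest" if "SAMLRequest" in qs else "SAMLResponse"
    xml_bytes = zlib.decompress(base64.b64decode(qs[param][0]), -15)  # raw DEFLATE
    msg = message_type(ET.fromstring(xml_bytes))
    signed = bool(qs.get("SigAlg")) and bool(qs.get("Signature"))
    return msg, signed


def check_post(param_b64):
    """HTTP-POST: message is plain base64 and must carry an enveloped
    ds:Signature element as a child of the message root."""
    root = ET.fromstring(base64.b64decode(param_b64))
    msg = message_type(root)
    signed = root.find("{%s}Signature" % DS) is not None
    return msg, signed


def slo_signature_ok(msg, signed):
    """Profile rule: LogoutRequest/LogoutResponse on these bindings MUST be
    signed.  Other message types are outside the rule and pass."""
    return signed if msg in SLO_MESSAGES else True


# ---- constructed sample messages (placeholder signature, not a real one) ----
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
    'Version="2.0" IssueInstant="2011-11-15T10:00:00Z">'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '<saml:NameID>user@example.org</saml:NameID>'
    '</samlp:LogoutRequest>' % (SAMLP, SAML)
).encode()

LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="%s" xmlns:saml="%s" ID="_res1" '
    'InResponseTo="_req1" Version="2.0" IssueInstant="2011-11-15T10:00:01Z">'
    '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>' % (SAMLP, SAML)
).encode()

DUMMY_SIGNATURE = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>ZHVtbXk='
                   '</ds:SignatureValue></ds:Signature>' % DS).encode()


def with_dummy_signature(xml_bytes):
    """Insert a placeholder enveloped signature after Issuer (structure only)."""
    return xml_bytes.replace(b"</saml:Issuer>", b"</saml:Issuer>" + DUMMY_SIGNATURE, 1)


def redirect_url(xml_bytes, signed):
    """Encode a message the way the HTTP-Redirect binding does (hypothetical IdP URL)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_bytes) + comp.flush()
    param = "SAMLResponse" if message_type(ET.fromstring(xml_bytes)).endswith("Response") else "SAMLRequest"
    params = {param: base64.b64encode(deflated).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"dummy").decode()
    return "https://idp.example.org/idp/profile/SAML2/Redirect/SLO?" + urlencode(params)


def post_param(xml_bytes):
    """Encode a message the way the HTTP-POST binding does."""
    return base64.b64encode(xml_bytes).decode()


if __name__ == "__main__":
    cases = {
        "redirect signed": check_redirect(redirect_url(LOGOUT_REQUEST, True)),
        "redirect unsigned": check_redirect(redirect_url(LOGOUT_REQUEST, False)),
        "post signed": check_post(post_param(with_dummy_signature(LOGOUT_RESPONSE))),
        "post unsigned": check_post(post_param(LOGOUT_RESPONSE)),
    }
    for label, (msg, signed) in cases.items():
        print(label, msg, "ok" if slo_signature_ok(msg, signed) else "VIOLATES profile")
```

The check deliberately looks in a different place per binding: a LogoutRequest sent over Redirect with a ds:Signature inside the XML but no SigAlg/Signature parameters still fails, because the Redirect binding strips the XML signature and signs the query string instead.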
Environment
None
Activity
Scott Cantor November 15, 2011 at 3:45 PM
Sorry, I meant the former, me testing against an IdP with a test account. I have a lot of logout related bugs to fix. At some point testing by you would be helpful too, but I can do a lot of it up front.
I'll send you email directly with some information once I have a testbed that's publicly accessible.
bajnokk@niif.hu November 15, 2011 at 11:03 AM
Edited
Scott, thanks for the fix!
What do you mean by testbed? We can exchange metadata, so that you could test the changes yourself by using one of our public test IdPs. If you want us to test, then please specify what parts of the stack need to be recompiled.