OPENAM-10970

logout response binding should be selected based on the capabilities of the SP

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0
• Fix Version/s: 13.5.2, 14.5.0, 14.1.2
• Component/s: SAML
• Sprint: AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42
• Story Points: 3
• Needs backport: No
• Needs QA verification: No
• Functional tests: No
• Are the reproduction steps defined?: Yes, and I used the same as in the description

Description

Set up OpenAM 13.5.0 as IdP proxy.

I used the Spring Security SAML extension sample app as the SP and OpenAM 13.5.0 as IdP.

Remove all bindings but HTTP-POST from the SP's Single Logout Service.

Perform SP-initiated SSO.

After successful SSO, perform SP-initiated SLO (using the HTTP-POST binding or the HTTP-Redirect binding).

When the IdP proxy wants to send the Logout response to the SP, it fails with a SAML error (see attached screenshot); the Federation debug log shows:

Excerpt from Federation debug log:
libSAML2:01/12/2017 10:01:36:486 AM CET: Thread[https-jsse-nio-8443-exec-8,5,main]: TransactionId[e54c2593-c1c4-44ac-b0be-f591556dcd70-233]
ERROR: Unable to find the IDP's single logout response service with the HTTP-Redirect binding
libSAML2:01/12/2017 10:01:36:487 AM CET: Thread[https-jsse-nio-8443-exec-8,5,main]: TransactionId[e54c2593-c1c4-44ac-b0be-f591556dcd70-233]
ERROR: Error processing LogoutResponse :
com.sun.identity.saml2.common.SAML2Exception: Single Logout Response Service location not found.
        at com.sun.identity.saml2.profile.IDPSingleLogout.getSingleLogoutLocation(IDPSingleLogout.java:650)
        at com.sun.identity.saml2.profile.IDPProxyUtil.sendProxyLogoutResponse(IDPProxyUtil.java:910)
        at org.apache.jsp.saml2.jsp.spSingleLogoutPOST_jsp._jspService(spSingleLogoutPOST_jsp.java:337)
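
The failure above comes from choosing the LogoutResponse binding without consulting the SP's metadata: the request arrived over HTTP-Redirect, the SP only advertises an HTTP-POST SingleLogoutService, and the lookup for a Redirect endpoint fails. The following is an added illustration, not OpenAM code, of the selection rule the issue title asks for: read the SingleLogoutService endpoints from the SP's metadata, mirror the request binding when the SP supports it, and otherwise fall back to another front-channel binding the SP does declare. The SP metadata, the entity IDs and URLs, and the function names are all constructed for this example; the fallback order is an assumption, not a rule from the page.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata reproducing the report: only an HTTP-POST
# SingleLogoutService is declared. Entity ID and URL are made up.
SP_METADATA_POST_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/SingleLogout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata declaring both front-channel bindings, with a
# separate ResponseLocation for Redirect, to show the mirroring case.
SP_METADATA_BOTH = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp2.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp2.example.test/saml/SingleLogout"
        ResponseLocation="https://sp2.example.test/saml/SingleLogoutResponse"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp2.example.test/saml/SingleLogout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


class NoLogoutResponseEndpoint(Exception):
    """Raised when the SP declares no usable SingleLogoutService for the response."""


def logout_endpoints(metadata_xml):
    """Map each SingleLogoutService binding the SP declares to the URL that
    LogoutResponses must be sent to (ResponseLocation if present, else Location)."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for sls in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        binding = sls.get("Binding")
        url = sls.get("ResponseLocation") or sls.get("Location")
        if binding and url:
            endpoints.setdefault(binding, url)  # first declaration wins
    return endpoints


def mirror_request_binding(metadata_xml, request_binding):
    """Behaviour that produces the failure in the report: insist on answering
    over the binding the LogoutRequest used, regardless of SP capabilities."""
    endpoints = logout_endpoints(metadata_xml)
    if request_binding not in endpoints:
        raise NoLogoutResponseEndpoint(
            f"SP declares no single logout response service with binding {request_binding}")
    return request_binding, endpoints[request_binding]


def select_response_binding(metadata_xml, request_binding,
                            fallback_order=(HTTP_REDIRECT, HTTP_POST)):
    """Capability-based selection: mirror the request binding when the SP
    supports it; otherwise use the first front-channel binding the SP does
    declare (fallback_order is an assumed preference, not a spec rule).
    SOAP is deliberately excluded: a front-channel LogoutRequest cannot be
    answered over a back-channel binding."""
    endpoints = logout_endpoints(metadata_xml)
    if request_binding in endpoints:
        return request_binding, endpoints[request_binding]
    for binding in fallback_order:
        if binding in endpoints:
            return binding, endpoints[binding]
    raise NoLogoutResponseEndpoint(
        "SP declares no SingleLogoutService with a front-channel binding")


if __name__ == "__main__":
    # Request came in over HTTP-Redirect, SP only accepts HTTP-POST.
    try:
        mirror_request_binding(SP_METADATA_POST_ONLY, HTTP_REDIRECT)
    except NoLogoutResponseEndpoint as e:
        print("mirroring fails:", e)
    print("capability-based:", select_response_binding(SP_METADATA_POST_ONLY, HTTP_REDIRECT))
    print("both declared:   ", select_response_binding(SP_METADATA_BOTH, HTTP_REDIRECT))
```

Run against the POST-only metadata with a Redirect request, the mirroring function raises the same kind of error the debug log shows, while the capability-based selection returns the SP's HTTP-POST endpoint. With metadata that declares both bindings, the request binding is mirrored and the Redirect-specific ResponseLocation is used, which is the attribute a logout response should honour when the SP provides one.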
      

People

• Assignee: Sam Fraser (sfraser)
• Reporter: Bernhard Thalmayr (bthalmayr)
• Votes: 0
• Watchers: 8