OpenAM issue OPENAM-3809

The final SLO response should be sent using appropriate binding

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.5.5, 10.0.0, 11.0.0, 12.0.0
    • Fix Version/s: 10.0.3, 11.0.2, 12.0.0
    • Component/s: SAML

      Description

      According to SAML profile spec 4.4.3.5:
      "The response is sent to the original session participant, using a SAML binding consistent with the binding
      used in the original request, the capability of the responder, and the availability of the user agent at the
      identity provider. Assuming an asynchronous binding was used in step 1, then any binding supported by
      both entities MAY be used."

      OpenAM currently does not obey this: it always tries to send the final LogoutResponse over the same binding that was used to initiate the logout process itself. Instead it should pick a binding that the SP actually supports. According to [0], the final response should only be sent over the HTTP-Redirect or HTTP-POST bindings, since SOAP is not implementable for this step.

      [0]: https://lists.oasis-open.org/archives/saml-dev/201403/msg00042.html
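The selection rule described above, as an added example (not OpenAM's own code): the SP's SingleLogoutService endpoints are read from its metadata, and the final LogoutResponse is sent over the original request's binding only if the SP supports it and it is front-channel, otherwise over any supported HTTP-Redirect or HTTP-POST endpoint, never SOAP. The SP metadata, entity ID and URLs are constructed for the example.

```python
"""Choose the binding and endpoint for the final SAML LogoutResponse.

Added example, not OpenAM code: implements the selection rule from the
SAML profiles spec quoted in the issue. The SP metadata below is constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Only these bindings may carry the final LogoutResponse back to the session
# participant; SOAP is excluded, as the mailing-list reference in the issue notes.
FRONT_CHANNEL_BINDINGS = (BINDING_REDIRECT, BINDING_POST)

# Constructed SP metadata: this SP advertises SOAP and HTTP-POST logout
# endpoints but no HTTP-Redirect endpoint.
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{BINDING_SOAP}"
        Location="https://sp.example.test/saml/slo/soap"/>
    <SingleLogoutService Binding="{BINDING_POST}"
        Location="https://sp.example.test/saml/slo/post"
        ResponseLocation="https://sp.example.test/saml/slo/post-response"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def slo_endpoints(metadata_xml):
    """Return {binding: response_url} for the SP's SingleLogoutService endpoints.

    Responses go to ResponseLocation when it is present, otherwise to Location.
    """
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for svc in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        binding = svc.get("Binding")
        url = svc.get("ResponseLocation") or svc.get("Location")
        if binding and url:
            endpoints[binding] = url
    return endpoints


def select_response_binding(request_binding, endpoints):
    """Pick (binding, url) for the final LogoutResponse.

    Preference: the binding the original LogoutRequest used, if the SP supports
    it and it is front-channel; otherwise any front-channel binding the SP
    supports (the spec allows any mutually supported binding). SOAP is never
    chosen. Raises ValueError if the SP offers no usable endpoint.
    """
    candidates = [b for b in FRONT_CHANNEL_BINDINGS if b in endpoints]
    if not candidates:
        raise ValueError("SP advertises no HTTP-Redirect or HTTP-POST SLO endpoint")
    chosen = request_binding if request_binding in candidates else candidates[0]
    return chosen, endpoints[chosen]


if __name__ == "__main__":
    eps = slo_endpoints(SAMPLE_SP_METADATA)
    # Logout was initiated over HTTP-Redirect, which this SP cannot receive a
    # response on, so the response falls back to the SP's HTTP-POST endpoint.
    print(select_response_binding(BINDING_REDIRECT, eps))
```

The fallback branch is the behaviour the issue asks for: an IdP that insists on the initiating binding would fail here, whereas the SP-supported HTTP-POST endpoint is a valid target under the quoted profile text.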

              People

              • Assignee:
                peter.major Peter Major [X] (Inactive)
                Reporter:
                peter.major Peter Major [X] (Inactive)