[security-dev] GLO Logout URL

Bruno Bonfils asyd at asyd.net
Mon Sep 1 18:53:13 EDT 2014


I'm working on integration between PicketLink (as SP) and OpenAM (as
IdP), using the picketlink-federation-saml-sp-with-metadata example.

While I succeeded in getting login working, when I click on the Logout link,
I'm redirected to the SingleSignOnService URL (with a logout
assertion) instead of the SingleLogoutService one (see the
sp-metadata.xml attachment). As you can see, the "Destination" in the
LogoutRequest is correct, but the POST is sent to another URL:

POST http://idp.tests.opencsi.com/openam/SSOPOST/metaAlias/example/idp HTTP/1.1
Host: idp.tests.opencsi.com

Note the SSOPOST is only referenced as SingleSignOnService in the

I tried to read the PicketLink source code, but I'm not a Java
developer, so I don't understand when the getLogoutURL function of
CoreConfigUtil is called!

By the way, I was not able to find the source code (in git) of the
PicketLink versions used in JBoss EAP (like the 2.5.3.SP10 used in JBoss
EAP 6.3; only a 2.5.3Beta can be found on GitHub), which doesn't help
debugging! Is the tag/branch available somewhere?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: sp-metadata.xml
Type: application/xml
Size: 6017 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/security-dev/attachments/20140902/3f65f818/attachment.rdf 
-------------- next part --------------
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://picketlink.priv.opencsi.com:8080/sales-metadata/</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
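
Added example, not part of the original message and not PicketLink or OpenAM code: a Python check that compares a LogoutRequest's Destination and the URL it was actually POSTed to against the endpoints declared in the IdP metadata, which is the mismatch described above. The metadata and request are constructed; the SingleSignOnService URL is the one quoted in the message, and the SingleLogoutService path is a placeholder because the real one is not shown.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# SSO URL as quoted in the message; the SLO path is a placeholder (not shown there).
SSO_URL = "http://idp.tests.opencsi.com/openam/SSOPOST/metaAlias/example/idp"
SLO_URL = "http://idp.tests.opencsi.com/openam/SLO-PLACEHOLDER"

# Constructed IdP metadata and LogoutRequest, for illustration only.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="urn:example:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:SingleLogoutService Binding="{POST}" Location="{SLO_URL}"/>
    <md:SingleSignOnService Binding="{POST}" Location="{SSO_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
LOGOUT_REQUEST = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_constructed" '
                  f'Version="2.0" IssueInstant="2014-09-01T00:00:00Z" Destination="{SLO_URL}"/>')


def endpoints(metadata_xml):
    """Map (service name, binding) -> Location for the IdP's SSO and SLO endpoints."""
    table = {}
    for idp in ET.fromstring(metadata_xml).iter(f"{{{MD}}}IDPSSODescriptor"):
        for el in idp:
            kind = el.tag.rsplit("}", 1)[-1]
            if kind in ("SingleSignOnService", "SingleLogoutService"):
                table[(kind, el.get("Binding"))] = el.get("Location")
    return table


def check_logout_post(metadata_xml, request_xml, posted_to, binding=POST):
    """Return findings for a LogoutRequest that was POSTed to `posted_to`."""
    table = endpoints(metadata_xml)
    expected = table.get(("SingleLogoutService", binding))
    request = ET.fromstring(request_xml)
    findings = []
    if request.tag != f"{{{SAMLP}}}LogoutRequest":
        findings.append("message is not a LogoutRequest")
    if expected is None:
        findings.append("metadata has no SingleLogoutService for this binding")
    elif request.get("Destination") != expected:
        findings.append("Destination differs from the SingleLogoutService Location")
    if posted_to != expected:
        used = [k for (k, b), loc in table.items() if b == binding and loc == posted_to]
        findings.append(f"POST target is {used[0] if used else 'not in metadata'}, "
                        "not SingleLogoutService")
    return findings


if __name__ == "__main__":
    print(check_logout_post(IDP_METADATA, LOGOUT_REQUEST, SSO_URL))
```
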
