Issue Type: Bug
Affects Versions: PLINK_2.1.7
Assignee: Anil Saldhana
Components: STS
Created: 08/Aug/13 10:51 PM
Description:

The logout responses from the IDP contain an invalid status code that can't be parsed by stricter implementations of SAML 2.0.

Sample Request

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_299dea29-3e88-442b-85c0-438594f48b2e" IssueInstant="2013-07-08T18:34:07.331Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sga-sp-1.0/</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">tomcat</saml:NameID>
</samlp:LogoutRequest>

Sample Response

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_81ad5bb1-144a-4e9f-89ca-f6db70ab4e50" InResponseTo="ID_299dea29-3e88-442b-85c0-438594f48b2e" IssueInstant="2013-07-08T18:34:07.386Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sga-idp-1.0/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>

Even though section 3.2.2.2 of the SAML 2.0 Core spec defines that the "urn:oasis:names:tc:SAML:2.0:status:Responder" status code should only be returned when "the request could not be performed due to an error on the part of the SAML responder or SAML authority", it is currently returned when the request is successful, i.e. in the case where the spec defines that only the "urn:oasis:names:tc:SAML:2.0:status:Success" status code must be returned.

Can you please verify?
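Added example (not PicketLink's code, written for this report): a namespace-aware check of the top-level status code that a strict relying party would apply, run over a constructed copy of the response above and over the corrected form with Success at the top level.

```python
# Added example, not PicketLink code: inspect the top-level <samlp:StatusCode>
# of a LogoutResponse, the field this issue is about.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
# First-level codes permitted directly under <samlp:Status> (SAML 2.0 Core 3.2.2.2).
TOP_LEVEL_CODES = {STATUS + c for c in ("Success", "Requester", "Responder", "VersionMismatch")}

# Constructed copies (trimmed) of the response on this page and of its corrected form.
BUGGY_RESPONSE = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="ID_x" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS}Responder">
      <samlp:StatusCode Value="{STATUS}Success"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>"""
FIXED_RESPONSE = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="ID_x" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS}Success"/>
  </samlp:Status>
</samlp:LogoutResponse>"""


def logout_status(xml_text):
    """Return (top_level_value, nested_values, problems) for a LogoutResponse."""
    root = ET.fromstring(xml_text)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        return None, [], ["missing samlp:Status"]
    top = status.find(f"{{{SAMLP}}}StatusCode")
    if top is None:
        return None, [], ["missing top-level samlp:StatusCode"]
    value = top.get("Value")
    # iter() includes the element itself, so skip it to collect only nested codes.
    nested = [c.get("Value") for c in top.iter(f"{{{SAMLP}}}StatusCode") if c is not top]
    problems = []
    if value not in TOP_LEVEL_CODES:
        problems.append(f"top-level code {value!r} is not a first-level status code")
    # A strict consumer reads only the outer code: Responder means the logout failed,
    # regardless of the Success code nested inside it.
    for n in nested:
        if n in TOP_LEVEL_CODES:
            problems.append(f"first-level code {n!r} nested under {value!r}")
    return value, nested, problems


def logout_succeeded(xml_text):
    """True only when the top-level code is Success and nothing is malformed."""
    value, _, problems = logout_status(xml_text)
    return value == STATUS + "Success" and not problems
```

Run against the two constructed responses, the IDP's current form is reported as a failed logout while the corrected form passes.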

Environment: All supported environments.
Fix Versions: PLINK_2.1.8
Project: PicketLink v2
Priority: Major
Reporter: Fernando Ribeiro
This message is automatically generated by JIRA.