Change By: Fernando Ribeiro (08/Aug/13 10:53 PM)
Description: The logout responses from the IDP contain an invalid status code that can't be parsed by stricter implementations of SAML 2.0.

*Sample Request*

{code:xml}<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_299dea29-3e88-442b-85c0-438594f48b2e" IssueInstant="2013-07-08T18:34:07.331Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sga-sp-1.0/</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">tomcat</saml:NameID>
</samlp:LogoutRequest>{code}

*Sample Response*

{code:xml}<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_81ad5bb1-144a-4e9f-89ca-f6db70ab4e50" InResponseTo="ID_299dea29-3e88-442b-85c0-438594f48b2e" IssueInstant="2013-07-08T18:34:07.386Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sga-idp-1.0/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> 
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>{code}

Even though section 3.2.2.2 of the SAML 2.0 Core spec defines that the "urn:oasis:names:tc:SAML:2.0:status:Responder" status code should only be returned when "the request could not be performed due to an error on the part of the SAML responder or SAML authority", it is currently returned when the request is successful, i.e. when the spec defines that only the "urn:oasis:names:tc:SAML:2.0:status:Success" status code must be returned.

Can you please verify?
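As an added illustration of how a strict SP would treat the response quoted above (example code, not part of the issue or of the IDP in question), the check below parses a LogoutResponse with Python's standard-library ElementTree and decides the logout outcome from the top-level StatusCode only. The sample documents are constructed from the response in this issue; the function name and the "contradictory" classification are this example's own choices, not terms from the spec.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The four top-level values SAML 2.0 Core section 3.2.2.2 permits.
TOP_LEVEL = {SUCCESS} | {f"urn:oasis:names:tc:SAML:2.0:status:{c}"
                         for c in ("Requester", "Responder", "VersionMismatch")}
REQUEST_ID = "ID_299dea29-3e88-442b-85c0-438594f48b2e"  # ID of the LogoutRequest above


def classify_logout_response(xml_text, expected_in_response_to):
    """Strict SP-side check. Returns 'success', 'failure' or 'contradictory';
    raises ValueError when the document is not a usable LogoutResponse."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError("not a samlp:LogoutResponse")
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match the request we sent")
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        raise ValueError("Status/StatusCode missing")
    value = top.get("Value")
    if value not in TOP_LEVEL:
        raise ValueError(f"top-level StatusCode must be a core value, got {value!r}")
    if value == SUCCESS:
        return "success"
    # Nested codes only refine a failure. A Success buried under Responder
    # (the IDP response in this issue) is reported as an IDP defect, never
    # as a completed logout.
    nested = [c.get("Value") for c in top.iter(f"{{{SAMLP}}}StatusCode") if c is not top]
    return "contradictory" if SUCCESS in nested else "failure"


def response(status_block):
    # Constructed wrapper reusing the envelope of the response above; only Status varies.
    return (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="ID_81ad5bb1-144a-4e9f-89ca-f6db70ab4e50"'
            f' InResponseTo="{REQUEST_ID}" IssueInstant="2013-07-08T18:34:07.386Z" Version="2.0">'
            '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            'http://localhost:8080/sga-idp-1.0/</saml:Issuer>'
            f'<samlp:Status>{status_block}</samlp:Status></samlp:LogoutResponse>')


OBSERVED = response('<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
                    f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:StatusCode>')
EXPECTED = response(f'<samlp:StatusCode Value="{SUCCESS}"/>')
REAL_FAILURE = response('<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>')

if __name__ == "__main__":
    for name, doc in (("observed", OBSERVED), ("expected", EXPECTED), ("failure", REAL_FAILURE)):
        print(name, "->", classify_logout_response(doc, REQUEST_ID))
```

Running it prints `contradictory` for the IDP's current response and `success` only once the top-level code is Success, which is the behaviour the reporter expects.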