[security-dev] GLO Logout URL
Bruno Bonfils
asyd at asyd.net
Mon Sep 1 18:53:13 EDT 2014
Hello,
I'm working on integration between PicketLink (as SP) and OpenAM (as
IdP), using the picketlink-federation-saml-sp-with-metadata example.
While I succeeded in getting login working, when I click on the Logout link,
I'm redirected to the SingleSignOnService URL (with a logout
assertion) instead of the SingleLogoutService one (see the
sp-metadata.xml attachment). As you can see, the "Destination" in the
LogoutRequest is correct, but the POST is sent to another URL:
--8<--
POST http://idp.tests.opencsi.com/openam/SSOPOST/metaAlias/example/idp HTTP/1.1
Host: idp.tests.opencsi.com
--8<--
Note the SSOPOST is only referenced as SingleSignOnService in the
metadata.xml
I tried to read the picketlink source code, but I'm not a Java
developer, so I don't understand when the getLogoutURL function of
CoreConfigUtil is called!
By the way, I was not able to find the source code (in git) of the
picketlink versions used in JBoss EAP (like the 2.5.3.SP10 used in JBoss
EAP 6.3; only a 2.5.3Beta can be found on GitHub); it doesn't help
debugging! Is the tag/branch available somewhere?
Thanks!
--
http://www.opencsi.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sp-metadata.xml
Type: application/xml
Size: 6017 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/security-dev/attachments/20140902/3f65f818/attachment.rdf
-------------- next part --------------
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="http://idp.tests.opencsi.com:80/openam/IDPSloPOST/metaAlias/example/idp"
ID="ID_8371e747-a60a-4b2f-ae3b-69fad1dcae3a"
IssueInstant="2014-09-01T22:39:13.662Z"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://picketlink.priv.opencsi.com:8080/sales-metadata/</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
...
</dsig:Signature>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>bbonfils</saml:NameID>
<samlp:SessionIndex>s22d353c174136859bd469b70e3c39292661aca101</samlp:SessionIndex>
</samlp:LogoutRequest>
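An added check, not part of this mail or of PicketLink, that reproduces the mismatch described above: it reads a constructed IdP metadata fragment and a LogoutRequest modelled on the quoted one, normalizes the URLs (the quoted Destination carries an explicit ":80" that a metadata Location typically does not), and reports which metadata endpoint the Destination names versus which one the POST actually reached. The metadata fragment, the request ID and the endpoint URLs are assumptions built from the hostnames in the mail.

```python
"""Compare where a SAML LogoutRequest says it is going with where it was actually POSTed."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata fragment (assumption, not the real sp-metadata.xml attachment).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.tests.opencsi.com/openam">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.tests.opencsi.com/openam/IDPSloPOST/metaAlias/example/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.tests.opencsi.com/openam/SSOPOST/metaAlias/example/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed LogoutRequest with the Destination quoted in the mail; signature omitted.
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://idp.tests.opencsi.com:80/openam/IDPSloPOST/metaAlias/example/idp"
    ID="ID_constructed" IssueInstant="2014-09-01T22:39:13.662Z" Version="2.0"/>"""

def normalize(url):
    """Canonical form so 'http://host:80/p' and 'http://host/p' compare equal."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    host = u.hostname.lower()
    netloc = host if u.port in (None, default) else f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{netloc}{u.path or '/'}"

def endpoints(metadata_xml, binding=POST_BINDING):
    """Map service element name -> normalized Location for the given binding."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for el in root.iterfind(f".//md:{tag}", NS):
            if el.get("Binding") == binding:
                out[tag] = normalize(el.get("Location"))
    return out

def check_logout_post(metadata_xml, request_xml, posted_url):
    """Return (endpoint named by Destination, endpoint the POST actually hit); None if unknown."""
    req = ET.fromstring(request_xml)
    if req.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    by_url = {loc: name for name, loc in endpoints(metadata_xml).items()}
    return by_url.get(normalize(req.get("Destination"))), by_url.get(normalize(posted_url))
```

For the POST captured in the mail the check returns ("SingleLogoutService", "SingleSignOnService"): the request was signed for the SLO endpoint but delivered to the SSO one, which an IdP that enforces Destination should reject.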