How to sign the request to the identity provider to sign out?

I have SSO and SLO working with my organization’s identity provider. There is one thing we want to get working, but I can’t figure out how to get it happening when I initiateSLO. I thought there was a way to sign your sign out request so that the provider knows for sure that any request to sign out came from my app. I have set the SignLogoutRequest="true" in the PartnerIdentityProvider config, but when I watch the SSO in SSOTracer, I never see any form of signature on the SLO request sent to the provider.


<ServiceProvider Name="teacherapp-localdev"
    AssertionConsumerServiceUrl="~/Auth/Receive"
    LocalCertificateFile="teacher-local-dev.pfx"
    LocalCertificatePassword="weee"/>

<PartnerIdentityProvider Name="https://ident-int.lds.org/sso"
    SignLogoutRequest="true"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="https://ident-int.lds.org/sso/SSORedirect/metaAlias/lds/idp"
    SingleLogoutServiceUrl="https://ident-int.lds.org/sso/IDPSloRedirect/metaAlias/lds/idp"
    PartnerCertificateFile="idp.cer"/>



So what am I missing in order to get my log out request to be signed?

The default binding used to send the SAML logout request is HTTP-Redirect. When the logout request is signed using this binding, due to restrictions on URL lengths imposed by browsers, the signature is not an XML signature. Instead, a different signing algorithm is used and the signature is an additional query string parameter (i.e. SigAlg to specify the signature algorithm and Signature for the actual signature value). This is as per the SAML specification.
I suggest taking a look at the generated redirect URL and confirming that the SigAlg and Signature query string parameters are present.
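
The check suggested above can be scripted. The following is an added example, not part of the original thread or of the SAML library in use: it inspects an HTTP-Redirect URL for the SigAlg and Signature parameters, rebuilds the string the signature covers, and inflates the SAMLRequest to show that the XML itself carries no signature element. The host name, request ID and signature bytes are constructed sample values.

```python
import base64
import zlib
from urllib.parse import quote, unquote, urlsplit

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def build_sample_url(signed=True):
    """Build a constructed HTTP-Redirect logout URL (host and values are made up)."""
    xml = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"/>')
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    url = "https://idp.example.test/slo?SAMLRequest=" + quote(base64.b64encode(deflated), safe="")
    if signed:
        # Placeholder bytes, not a real RSA signature
        url += "&SigAlg=" + quote(RSA_SHA256, safe="")
        url += "&Signature=" + quote(base64.b64encode(b"constructed-signature"), safe="")
    return url

def inspect_redirect(url):
    """Report whether a redirect-binding URL carries a detached signature."""
    raw = {}  # keep values URL-encoded: the signature covers them exactly as sent
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = value
    msg = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    # Octets that get signed: message, optional RelayState, SigAlg, in that order
    signed_octets = "&".join(f"{n}={raw[n]}" for n in (msg, "RelayState", "SigAlg") if n in raw)
    xml = zlib.decompress(base64.b64decode(unquote(raw[msg])), wbits=-15).decode()
    return {
        "signed": "SigAlg" in raw and "Signature" in raw,
        "sig_alg": unquote(raw.get("SigAlg", "")),
        "signed_octets": signed_octets,
        "xml_has_signature": ":Signature" in xml or "<Signature" in xml,
    }

if __name__ == "__main__":
    for key, value in inspect_redirect(build_sample_url()).items():
        print(f"{key}: {value}")
```

A signed redirect request reports `signed: True` alongside `xml_has_signature: False`, which is why a trace of the decoded XML shows no signature even when signing is enabled.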