Single logout request does not contain signature

Hello,

We’ve implemented a SAML service provider using the ComponentSpace SAML library. The identity provider that we use enabled enforcement of signatures in requests from service providers, which led to problems in our case as the single logout request is not signed by the ComponentSpace SAML library (even though it is enabled in configuration).

After some research, I stumbled upon the method ComponentSpace.Saml2.SamlProvider.CreateLogoutRequestAsync, which contains two conditions on whether a signature should be added:

```csharp
if (this.PartnerProviderConfiguration.SingleLogoutServiceBinding != "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" && this.PartnerProviderConfiguration.SignLogoutRequest)
{
    // XML signature is applied here
}
```

The property this.PartnerProviderConfiguration.SignLogoutRequest is true, but the binding for the single logout endpoint of the identity provider is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, which is the reason no signature is added.

Is there a reason why a signature is not applied when using the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding?

Thanks,

Arjen

Hi Arjen,

When using the HTTP-Redirect binding, SAML messages are not signed using an XML signature. Instead, the signature and related information are included as additional query string parameters. The reason for this is that an XML signature may result in a query string parameter that’s too long for some browsers. This is as per the SAML v2.0 specification.

So, the SAML logout message is in fact signed. It’s just not signed using an XML signature.

I recommend contacting the identity provider. If they’re rejecting the logout message, they should be able to provide more detailed information. The most common issue with signatures is the wrong certificate being used for the signature verification. They should double check they’re using the correct certificate supplied by you.

Thanks for the super quick response and sorry for my delayed response (due to our company outing 🙂). We will contact the identity provider to obtain more information. Thanks again!

Regards,

Arjen

You’re welcome. 🙂