We have recently implemented single logout though running into an issue with the upstream IdP not being able to verify the signature of the logout request - no errors, just can’t verify. Everything seems to be functioning fine in our auth server (SP).
We are using licensed component space 2.5.0
Any suggestions to troubleshoot?
Are you supporting SP-initiated SSO and signing the SAML authn request?
I’m just wondering whether the issue is somehow specific to the logout.
The most common issue is that the partner provider is configured with the wrong certificate.
Please confirm that you’ve supplied them with the correct certificate.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
We can check everything looks ok from your side but you’ll probably need to ask the IdP to check their configuration etc as well.
[quote][/quote]
Are you supporting SP-initiated SSO and signing the SAML authn request?
I'm just wondering whether the issue is somehow specific to the logout.
The most common issue is that the partner provider is configured with the wrong certificate.
Please confirm that you've supplied them with the correct certificate.
If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
We can check everything looks ok from your side but you'll probably need to ask the IdP to check their configuration etc as well.
I'm just wondering whether the issue is somehow specific to the logout.
The most common issue is that the partner provider is configured with the wrong certificate.
Please confirm that you've supplied them with the correct certificate.
If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
We can check everything looks ok from your side but you'll probably need to ask the IdP to check their configuration etc as well.
Thanks for your response. We are supporting SP initiated SSO and signing SAML AuthN requests with no issue... I am a bit perplexed as it seems specific to the logout process.
I have requested a follow up regarding RP configuration, but wanted to double check here as well in case I may have overlooked during implementation.
I guess the other thing is to confirm with the IdP whether they’re checking the signature on the authn request.
If they are then it’s very strange that they can verify the signature on the authn request but not the logout request.