SP-initiated SLO returns ERR_CONTENT_DECODING_FAILED

markachten · April 29, 2019, 3:46am

Hi. I’m using the High-level API and as a SP, I’m trying to logout of the IdP using this code:

if (SAMLServiceProvider.CanSLO(providerId))
{
// Request logout at the identity provider.
SAMLServiceProvider.InitiateSLO(Response, null, null, providerId);
}

Basically as what the examples tell me to do. Thing is, logging in works perfectly, logging out returns a 500 ERR_CONTENT_DECODING_FAILED. The IdP -devs tell me a ‘SecurityPolicyException’ was thrown indicating that ‘Inbound message issuer was not authenticated.’.

Basic question: Is it me? If so, how to fix? Are there any things I could check as well?

ComponentSpace · April 29, 2019, 6:16pm

I’m not sure exactly what that message means but it’s possible the IdP wants the logout message signed.
In your SAML configuration (eg saml.config file), set SignLogoutRequest and SignLogoutResponse to true for the partner identity provider configuration.
For example:

<PartnerIdentityProvider
Name=“…”
SignLogoutRequest=“true”
SignLogoutResponse=“true”

The logout messages are signed with your SP’s private key (eg LocalCertificateFile).
If there’s still an issue, please ask the IdP for more specific information.