
Unsigned SAML logout request throwing invalid_logout_request error

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: RH-SSO-7.3.5
    • Fix Version/s: 11.0.0
    • Component/s: Protocol - SAML
    • Labels:
      None
    • Docs QE Status:
      NEW
    • QE Status:
      NEW
    • QE Test Coverage:
      +

      Description

      For a SAML client with Client Signature Required set to OFF, RH-SSO throws "invalid_logout_request" while processing an unsigned SAML logout request from an external Service Provider, with the error below in server.log:

      2020-01-28 09:45:44,814 WARN  [org.keycloak.events] (default task-4) type=LOGOUT_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=20.20.20.20, error=invalid_logout_request, reason=invalid_destination
      

      Sample Logout request from external SP:

      <samlp:LogoutRequest ID="_51c8bd8e-f1aa-40a9-8c37-8d6198eba78d" Version="2.0" IssueInstant="2020-01-28T08:45:44Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com</saml:Issuer>
        <samlp:NameID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">test</samlp:NameID>
      </samlp:LogoutRequest>
      

      As per SAML Bindings spec, sections 3.4.5.2 (Redirect binding) and 3.5.5.2 (POST binding):

      If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.
      

      So RH-SSO is validating the Destination even though the message is not signed.

      Hence, as per the SAML spec, it should not mandate the "Destination" field within the SAML request if the request is not signed.
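      As an added illustration (not Keycloak's or RH-SSO's code), the Destination rule quoted above expressed as a small Python check: Destination becomes mandatory only once a message is signed, whether by the Redirect binding's Signature query parameter or by an enveloped ds:Signature in a POST-binding message. The sample request, the received_at URL and the two helper functions are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an unsigned LogoutRequest with no Destination attribute,
# modelled on the request in the report (not the exact bytes from the page).
UNSIGNED_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example-id" Version="2.0" IssueInstant="2020-01-28T08:45:44Z">'
    '<saml:Issuer>https://example.com</saml:Issuer>'
    '<saml:NameID>test</saml:NameID>'
    '</samlp:LogoutRequest>'
)

def check_logout_request_destination(xml_text, received_at, redirect_signature=None):
    """Apply the Destination rule of SAML Bindings 3.4.5.2 / 3.5.5.2.

    received_at        - URL at which the IdP actually received the message.
    redirect_signature - the Redirect binding's Signature query parameter,
                         or None when the query string carries none.
    Returns "ok" or a reason string in the style of the server.log entry.
    Cryptographic verification of the signature is out of scope; this only
    decides whether Destination is mandatory and whether it matches.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return "invalid_logout_request"
    # POST binding carries an enveloped ds:Signature child; Redirect binding
    # carries the signature in the query string rather than in the XML.
    signed = (redirect_signature is not None
              or root.find(f"{{{DS}}}Signature") is not None)
    destination = root.get("Destination")
    if destination is None:
        # The spec makes Destination mandatory only for signed messages.
        return "invalid_destination" if signed else "ok"
    # A Destination that is present must match where we received it, signed or not.
    return "ok" if destination == received_at else "invalid_destination"

def with_attribute(xml_text, name, value):
    """Return a copy of the request with one root attribute set (test helper)."""
    root = ET.fromstring(xml_text)
    root.set(name, value)
    return ET.tostring(root, encoding="unicode")

def with_enveloped_signature(xml_text):
    """Append an empty ds:Signature placeholder to mimic a signed POST message."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root, f"{{{DS}}}Signature")
    return ET.tostring(root, encoding="unicode")
```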

              People

              • Assignee:
                hmlnarik Hynek Mlnařík
                Reporter:
                sshriram09 Saurabh Shriramwar
              • Votes:
                0
                Watchers:
                2
