  1. PicketLink
  2. PLINK-425

PicketLink does not include NameID and Destination for the LogoutRequest

Details

    • Feature Request
    • Resolution: Done
    • Major
    • PLINK_2.6.0.CR3
    • PLINK_2.5.2.FInal, PLINK_2.6.0.CR2, PLINK_2.6.0.CR1
    • SAML

    Description

      The PicketLink IDP does not send along the NameID and Destination for a SAML LogoutRequest generated for a GLO.

      These are required as per the SAML 2.0 Spec and to be in compliance with other SAML 2.0 Service Providers such as Shibboleth.

      PL Service Providers seem to be fine with the NameID missing, but Shibboleth Service Providers certainly fail on not seeing required attributes.

      It was observed that this becomes a problem only when a non-PL Service Provider is not the last Service Provider that was accessed.
      For instance, if a user launches PL-SP1, then PL-SP2 and then Shibboleth-SP3, and then issues a GLO from PL-SP1, things work fine.

      If you change around the order of operation such that the Shib-SP3 is not the last accessed SP before the GLO, then upon a GLO, Shib-SP3 certainly fails on the missing attributes.
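
A receiving-side check for the two fields named in this issue, as an added example that is not PicketLink or Shibboleth code. The endpoint URL, entity IDs and both sample messages are constructed, and comparing Destination against the SP's own logout endpoint is an assumption about what a strict SP enforces.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def check_logout_request(xml_text, expected_destination):
    """Return a list of problems found in a SAML 2.0 LogoutRequest."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return ["root element is not samlp:LogoutRequest"]
    problems = []
    # The LogoutRequest schema requires one identifier for the principal:
    # saml:BaseID, saml:NameID or saml:EncryptedID.
    found = [root.find(f"{{{SAML}}}{name}")
             for name in ("BaseID", "NameID", "EncryptedID")]
    found = [el for el in found if el is not None]
    if not found:
        problems.append("missing NameID")
    elif found[0].tag == f"{{{SAML}}}NameID" and not (found[0].text or "").strip():
        problems.append("empty NameID")
    # Destination tells the receiver the message was meant for it.
    destination = root.get("Destination")
    if destination is None:
        problems.append("missing Destination")
    elif destination != expected_destination:
        problems.append("Destination does not match this SP's logout endpoint")
    return problems


# Constructed sample values (not taken from the issue).
SP_SLO_URL = "https://sp3.example.org/saml/slo"

WITHOUT_FIELDS = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/</saml:Issuer>
</samlp:LogoutRequest>"""

WITH_FIELDS = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_a2" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"
    Destination="{SP_SLO_URL}">
  <saml:Issuer>https://idp.example.org/idp/</saml:Issuer>
  <saml:NameID>user1@example.org</saml:NameID>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    for label, doc in (("without fields", WITHOUT_FIELDS), ("with fields", WITH_FIELDS)):
        print(label, "->", check_logout_request(doc, SP_SLO_URL) or "ok")
```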

          People

            anil.saldhana Anil Saldanha (Inactive)
            krisiye Kris Iyer (Inactive)