crewjam/saml

How to handle IdP-initiated Single Logout (SLO) in the SP?

Closed this issue · 1 comments

Note, I am working with an existing code base which uses the crewjam/saml package to implement Single Sign On.
This code base is to be extended for Single LogOut.
While that is SP-initiated at the core, a subset of the flow is the IdP-initiated flow.

Note, using the crewjam/samlsp package looks to be a no go.

Note, I use the image http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02_html_m50a2ba3e.gif as my reference for the entire SP-flow, and all step references refer to it, and steps 3 and 4 in that are the IdP-initiated flow.

Which is the part where I have issues. Step 3 demands that the SP, IOW me, accepts a LogoutRequest (likely a GET).
I am unable to find functions which allow me to validate such an incoming request, or pull data out of it for the response to be made.
I see functions to make requests, and responses; to parse responses, and validate some; yet for parsing requests, nothing.

Then step 4 expects to return a logout response. In the http response to the request from step 3.
While I can MakeLogoutResponse I do not see anything to write it into a http response.
It is all about redirect, etc. IOW this seems to be geared towards the step 5 at the end of the SP-flow.

As mentioned by @McGregsen in comment #380 (comment) about 3 years ago:

Additionally the slo endpoint should also be able to handle SamlLogoutRequest messages that are sent by the identity provider when another service provider triggers a slo request. [...] you would [...] send a SamlLogoutResponse back to the identity provider.

which is exactly what I am looking at, and it does not seem to be supported?

I suspect that I am missing something, yet I am unable to see what. Which is why I am missing this, I guess.
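The step 3 piece the question is about, accepting an IdP-initiated LogoutRequest on a GET and pulling out the ID, Issuer and NameID needed for the step 4 response, written here as an added, stand-alone example using only the Go standard library; it is not crewjam/saml code and does not use that package's API. It assumes the HTTP-Redirect binding (SAMLRequest = base64 over raw DEFLATE) and the constructed entity ID and SLO URL passed in by the caller; the Signature/SigAlg query parameters are deliberately left to the caller and must be verified against the IdP certificate before any session is terminated.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
)

// LogoutRequest holds what the SP needs from an IdP-initiated samlp:LogoutRequest
// (step 3): the ID to echo as InResponseTo, the Issuer to check, and the NameID to end.
type LogoutRequest struct {
	XMLName     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutRequest"`
	ID          string   `xml:"ID,attr"`
	Destination string   `xml:"Destination,attr"`
	Issuer      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	NameID      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
}

// ParseRedirectLogoutRequest decodes the SAMLRequest parameter of an HTTP-Redirect binding
// GET (base64 over raw DEFLATE) and rejects it unless Issuer, Destination and ID check out.
// It does NOT verify Signature/SigAlg; do that against the IdP certificate before ending a session.
func ParseRedirectLogoutRequest(rawQuery, idpEntityID, sloURL string) (*LogoutRequest, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	deflated, err := base64.StdEncoding.DecodeString(q.Get("SAMLRequest"))
	if err != nil {
		return nil, fmt.Errorf("SAMLRequest is not base64: %w", err)
	}
	// LimitReader bounds the inflated size so a tiny request cannot expand into a huge document.
	raw, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(deflated)), 1<<20))
	if err != nil {
		return nil, fmt.Errorf("SAMLRequest is not DEFLATE: %w", err)
	}
	var lr LogoutRequest
	if err := xml.Unmarshal(raw, &lr); err != nil {
		return nil, err
	}
	if lr.Issuer != idpEntityID || lr.ID == "" || (lr.Destination != "" && lr.Destination != sloURL) {
		return nil, fmt.Errorf("rejected LogoutRequest: issuer=%q destination=%q id=%q", lr.Issuer, lr.Destination, lr.ID)
	}
	return &lr, nil
}

func main() {} // kept so the file builds as package main; a worked call belongs in the SLO handler
```

The returned ID is what the step 4 LogoutResponse must carry as InResponseTo, and the NameID identifies which local session to terminate.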

Resolved