I am using WSO2IS as IdP and 2 applications as SP in this setup. One of the applications uses Java (spring-security-saml-extension), the other one PHP and SimpleSAMLphp. SSO is working well, but I cannot get SLO working.
What I do is:
- log in to both SPs
- do a logout in the 1st SP
- watch the WSO2 log and see that WSO2IS sent a LogoutRequest to the 2nd SP
- the 2nd SP fails to read the LogoutRequest
SimpleSAMLphp error message:
SimpleSAML_Error_BadRequest: BADREQUEST('%REASON%' => 'Received message on logout endpoint without issuer.')
SAML2 LogoutRequest issued by the IdP:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest ID="ljknoccfdhjcgelcpmbicffooeokboficpggcmpi" IssueInstant="2014-04-08T06:45:19.944Z" NotOnOrAfter="2014-04-08T06:50:19.944Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">EXAMPLE.AT/test01@domain.com</saml2:NameID>
<saml2p:SessionIndex>5f14fc6e-1c31-42e1-b7c2-e1501bf400a8</saml2p:SessionIndex>
</saml2p:LogoutRequest>
The SAML2 SLO profile specification (linked below) clearly states in chapter 4.4.4 on line 1294:
The <Issuer> element MUST be present and MUST contain the unique identifier of the requesting entity
As I understand this, WSO2IS acting as the IdP should be the Issuer here, but it fails to include its ID in the message.
Any hint on what I am doing wrong? I cannot imagine that this is a WSO2IS bug!
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
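As an added example (not part of the post, WSO2IS or SimpleSAMLphp), a small check an SP can run on an incoming LogoutRequest before acting on it: it applies the SLO profile rule quoted above (Issuer MUST be present) plus two basic structural checks, using the post's own LogoutRequest and a variant with an Issuer added; the Issuer entity ID in that variant is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The LogoutRequest quoted in the post, reconstructed inline (closing tag repaired).
REQUEST_FROM_POST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest ID="ljknoccfdhjcgelcpmbicffooeokboficpggcmpi" IssueInstant="2014-04-08T06:45:19.944Z" NotOnOrAfter="2014-04-08T06:50:19.944Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">EXAMPLE.AT/test01@domain.com</saml2:NameID>
<saml2p:SessionIndex>5f14fc6e-1c31-42e1-b7c2-e1501bf400a8</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

# The same request with the Issuer the profile requires, inserted as the first
# child as the schema demands. The entity ID is a constructed placeholder.
REQUEST_WITH_ISSUER = REQUEST_FROM_POST.replace(
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">',
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://idp.example.invalid/samlsso</saml2:Issuer>',
    1,
)


def check_logout_request(xml_text: str) -> list:
    """Return a list of profile violations; an empty list means the request passes.

    Signature verification and NotOnOrAfter checks are deliberately out of scope
    here; a real SP must still do both before ending the session.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}LogoutRequest" % NS["saml2p"]:
        return ["not a LogoutRequest: %s" % root.tag]
    problems = []
    issuer = root.find("saml2:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        # This is exactly the condition SimpleSAMLphp rejects with "without issuer".
        problems.append("missing <Issuer> (required by SLO profile 4.4.4)")
    if root.find("saml2:NameID", NS) is None and root.find("saml2:EncryptedID", NS) is None:
        problems.append("missing <NameID>/<EncryptedID>")
    if root.get("ID") is None or root.get("IssueInstant") is None:
        problems.append("missing ID or IssueInstant attribute")
    return problems


if __name__ == "__main__":
    print(check_logout_request(REQUEST_FROM_POST))   # one finding: missing <Issuer>
    print(check_logout_request(REQUEST_WITH_ISSUER))  # []
```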