I wish to confirm that RelayState is required for a valid signed SAML logout request.
We have federated Microsoft's ADFS 2012 R2 with Oracle's Identity Federation where ADFS is the SP and OIF is the IdP. As a basis, we followed Integrating ADFS 2.0/3.0 SP with OIF IdP.
Everything works, except logout. We have another SP doing a logout and working with OIF. One difference we've found is that ADFS is not sending a RelayState parameter with its signed logout request, but the other SP is. I've been using SAMLTool's Validate Logout Req, where I input the following:
- SAML Logout Request
- EntityId of the source
- Target URL, Destination of the Logout Request
- SigAlg
- Signature of the SAML Logout Request
- X.509 cert of the source (to check Signature)
- Ignore timing issues: checked
That then gives me the error:
In order to check Signature you must provide the RelayState parameter and the X.509 cert
If I input RelayState along with my other values in SAMLTool's Validate Logout Req then it reports back that my signed logout request is valid.
In the case of ADFS, because it does not have a RelayState parameter, I cannot get SAMLTool's Validate Logout Req to say that a logout from ADFS is valid.
All that said, I cannot find anywhere in the SAML spec that says RelayState is required for a signed logout request. Can anyone confirm that it is required and back it up with documentation?
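As an added example (not part of the question above, and not ADFS, OIF or SAMLTool code), the following Go program implements the signing rule of SAML 2.0 Bindings section 3.4.4.1 for the HTTP-Redirect binding: the signature covers the URL-encoded string `SAMLRequest=...&RelayState=...&SigAlg=...`, and the `RelayState=...` component is included only when a RelayState was actually sent. It signs a constructed LogoutRequest both with and without a RelayState and then shows that verification only succeeds when the verifier reconstructs exactly the string the sender signed. The LogoutRequest XML, the entity IDs and the RelayState value are constructed for the demo; the key is generated at run time. It uses only the Go standard library.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample LogoutRequest; not a capture from ADFS or OIF.
const sampleLogoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_demo1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/adfs/services/trust</saml:Issuer><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@example.com</saml:NameID></samlp:LogoutRequest>`

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// deflateBase64 is the DEFLATE encoding of Bindings 3.4.4.1: raw deflate, then base64.
func deflateBase64(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// urlEncode percent-encodes a query value RFC 3986 style (space as %20, not '+'),
// so that '+', '/' and '=' from base64 are encoded exactly as they appear on the wire.
func urlEncode(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// signedString builds the exact octets the Redirect-binding signature covers.
// The RelayState component is present only when a RelayState was sent.
func signedString(samlRequest, relayState, sigAlg string) string {
	parts := []string{"SAMLRequest=" + urlEncode(samlRequest)}
	if relayState != "" {
		parts = append(parts, "RelayState="+urlEncode(relayState))
	}
	parts = append(parts, "SigAlg="+urlEncode(sigAlg))
	return strings.Join(parts, "&")
}

// signRedirect returns the base64 Signature parameter for the given request and RelayState.
func signRedirect(key *rsa.PrivateKey, samlRequest, relayState string) (string, error) {
	digest := sha256.Sum256([]byte(signedString(samlRequest, relayState, sigAlgRSASHA256)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyRedirect recomputes the signed string from the received query parameters
// and checks the signature. relayState must be exactly what was received, and empty
// when no RelayState parameter was present at all.
func verifyRedirect(pub *rsa.PublicKey, samlRequest, relayState, sigAlg, signature string) bool {
	if sigAlg != sigAlgRSASHA256 { // accept only algorithms you explicitly allow
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(signature)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(signedString(samlRequest, relayState, sigAlg)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records the four verification attempts of the demo.
type Outcome struct {
	NoRSVerifiedWithoutRS bool // sender sent no RelayState, verifier uses none: valid
	NoRSVerifiedWithRS    bool // sender sent no RelayState, verifier assumes one: invalid
	RSVerifiedWithRS      bool // sender sent RelayState, verifier uses the same: valid
	RSVerifiedWithoutRS   bool // sender sent RelayState, verifier drops it: invalid
}

func demo() (Outcome, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // demo key only; a real SP uses its signing cert key
	if err != nil {
		return Outcome{}, err
	}
	encoded, err := deflateBase64(sampleLogoutRequest)
	if err != nil {
		return Outcome{}, err
	}
	const relay = "https://sp.example.com/after-logout" // constructed RelayState
	sigNoRS, err := signRedirect(key, encoded, "")
	if err != nil {
		return Outcome{}, err
	}
	sigWithRS, err := signRedirect(key, encoded, relay)
	if err != nil {
		return Outcome{}, err
	}
	pub := &key.PublicKey
	return Outcome{
		NoRSVerifiedWithoutRS: verifyRedirect(pub, encoded, "", sigAlgRSASHA256, sigNoRS),
		NoRSVerifiedWithRS:    verifyRedirect(pub, encoded, relay, sigAlgRSASHA256, sigNoRS),
		RSVerifiedWithRS:      verifyRedirect(pub, encoded, relay, sigAlgRSASHA256, sigWithRS),
		RSVerifiedWithoutRS:   verifyRedirect(pub, encoded, "", sigAlgRSASHA256, sigWithRS),
	}, nil
}

func main() {
	out, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point to check in a validator is therefore not whether RelayState is present, but whether the verifier rebuilds the same string the sender signed: a validator that insists on a RelayState will reject a correctly signed request that carries none, and a verifier that silently drops a RelayState it did receive will reject a request that carries one.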