When I terminate the session from any of the service providers with multiple logins, a SAML single session logout request is sent to the identity provider, single logout is initiated, and the identity server makes a request to the single logout service of each service provider. When the identity server sends the request, two parameters are sent, SAMLRequest and RelayState, and the identity server expects the RelayState parameter with the SAMLResponse after the service provider logs out. But after logout, only SAMLResponse returns to the identity server, and since there is no RelayState parameter on the IDP side, it causes an error and session termination is interrupted.
Is it possible to return the RelayState parameter and value sent during the request to the identity provider in the logout response?
See section 3.4.3 RelayState of the SAML bindings document: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for the HTTP-Redirect binding:
3.4.3 RelayState
RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message independent of any other protections that may or may not exist during message transmission. Signing is not realistic given the space limitation, but because the value is exposed to third-party tampering, the entity SHOULD ensure that the value has not been tampered with by using a checksum, a pseudo-random value, or similar means. If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response. If no such value is included with a SAML request message, or if the SAML response message is being generated without a corresponding request, then the SAML responder MAY include RelayState data to be interpreted by the recipient based on the use of a profile or prior agreement between the parties
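The behaviour section 3.4.3 requires, as an added example that is not part of the original issue and not this project's code: the service provider copies the received RelayState unchanged into its HTTP-Redirect logout response, and the identity provider compares it with the pseudo-random value it issued. The function names, `IDP_SLO_URL` and the sample XML are constructed for illustration, and the response is left unsigned to keep the focus on RelayState.

```python
import base64
import hmac
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_RELAY_STATE_BYTES = 80  # limit from SAML bindings section 3.4.3
IDP_SLO_URL = "https://idp.example.test/slo"  # hypothetical endpoint
# Constructed, heavily shortened LogoutResponse used as sample input.
SAMPLE_RESPONSE_XML = '<samlp:LogoutResponse ID="_constructed" Version="2.0"/>'


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE then base64: the HTTP-Redirect message encoding."""
    comp = zlib.compressobj(wbits=-15)  # raw stream, no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def new_relay_state() -> str:
    """IdP side: opaque pseudo-random value, well under 80 bytes."""
    return secrets.token_urlsafe(32)


def sp_logout_response_url(idp_slo_url: str, request_params: dict,
                           response_xml: str) -> str:
    """SP side: answer a LogoutRequest, echoing RelayState unchanged."""
    params = {"SAMLResponse": deflate_b64(response_xml)}
    relay_state = request_params.get("RelayState")
    if relay_state is not None:
        if len(relay_state.encode()) > MAX_RELAY_STATE_BYTES:
            raise ValueError("RelayState exceeds 80 bytes")
        params["RelayState"] = relay_state  # exact data, never regenerated
    # urlencode percent-encodes both values for the query string.
    return f"{idp_slo_url}?{urlencode(params)}"


def idp_accepts(response_url: str, expected_relay_state: str) -> bool:
    """IdP side: the returned value must equal the one it issued."""
    query = parse_qs(urlsplit(response_url).query)
    returned = query.get("RelayState", [""])[0]
    # Constant-time comparison of the echoed value with the issued one.
    return hmac.compare_digest(returned.encode(), expected_relay_state.encode())
```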