How does Shibboleth support back-channel SLO over SOAP?

ofaklintrafo
I am trying to get back-channel SLO to work over SOAP.

According to this page and other pieces of documentation it should work.

https://wiki.shibboleth.net/confluence/display/IDP30/LogoutConfiguration#LogoutConfiguration-SAMLLogout

I have made a small test setup with a single Shibboleth IdP and two Shibboleth
service providers.

SLO works when I configure the SingleLogoutService with the HTTP-Redirect
binding on the service provider and IdP.

IdP metadata configuration:

     <SingleLogoutService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://idp.local/idp/profile/SAML2/Redirect/SLO" />

Service provider metadata configuration:

     <md:SingleLogoutService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://sp1.local/Shibboleth.sso/SLO/Redirect"/>

But when I try the SOAP back-channel configuration it fails when I try
to initiate a logout from the IdP.

In the idp-process.log file I see the following events:

        2018-04-30 07:11:47,770 - TRACE [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:390] - Profile Action PopulateBindingAndEndpointContexts: Candidate outbound bindings: [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact]
        2018-04-30 07:11:47,771 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:220] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Returning 1 candidate endpoints of type {urn:oasis:names:tc:SAML:2.0:metadata}SingleLogoutService
        2018-04-30 07:11:47,771 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:86] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Candidate endpoint binding 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP' not permitted by input criteria
        2018-04-30 07:11:47,773 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:130] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: No candidate endpoints met criteria

It looks like the SOAP binding 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
is not permitted. And the log also tells me that this binding is not one of
the candidate outbound bindings.

Why is this so? Why is the SOAP binding not one of the permitted candidate
bindings?

This also corresponds with the list of SAML2 SLO bindings which are defined
in 'system/conf/saml-binding-config.xml'.

    <util:list id="shibboleth.OutgoingSAML2SLOBindings">
        <ref bean="shibboleth.Binding.SAML2Redirect" />
        <ref bean="shibboleth.Binding.SAML2POST" />
        <ref bean="shibboleth.Binding.SAML2POSTSimpleSign" />
        <ref bean="shibboleth.Binding.SAML2Artifact" />
    </util:list>

It would be very helpful if I could get some information on how Shibboleth supports
back-channel SLO over SOAP when the SOAP binding is not listed as one of the
permitted SLO bindings.

--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
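The log lines in the post above show the IdP's endpoint resolver discarding the SP's SOAP SingleLogoutService because the SOAP binding is absent from shibboleth.OutgoingSAML2SLOBindings. The script below is an added example, not code from the thread or from the Shibboleth project: it reproduces that filter offline over SP metadata, so you can tell in advance which SPs the IdP can propagate logout to and which will produce "No candidate endpoints met criteria". The outgoing binding list is the one quoted from system/conf/saml-binding-config.xml; the two-SP metadata document, the entityIDs and the SOAP SLO locations are constructed for the example and are assumptions.

```python
"""Offline check: which SingleLogoutService endpoints in SP metadata can a
Shibboleth IdP actually propagate logout to, given its outgoing SLO bindings."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SLO_TAG = f"{{{MD_NS}}}SingleLogoutService"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# shibboleth.OutgoingSAML2SLOBindings as listed in the thread
# (system/conf/saml-binding-config.xml of the IdP). SOAP is not in it.
IDP_OUTGOING_SLO_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
)

# Constructed sample metadata (assumption, not from the thread): sp1 advertises a
# front-channel and a back-channel SLO endpoint, sp2 advertises SOAP only.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp1.local/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://sp1.local/Shibboleth.sso/SLO/Redirect"/>
      <md:SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://sp1.local/Shibboleth.sso/SLO/SOAP"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.local/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://sp2.local/Shibboleth.sso/SLO/SOAP"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def slo_endpoints(metadata_xml):
    """Map entityID -> [(Binding, Location), ...] for every SingleLogoutService
    under an SPSSODescriptor, in document order. Namespace-aware, so it handles
    both the prefixed (md:) and default-namespace forms seen in the thread."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        eps = []
        for sp in ed.findall(f"{{{MD_NS}}}SPSSODescriptor"):
            for slo in sp.findall(SLO_TAG):
                eps.append((slo.get("Binding"), slo.get("Location")))
        result[ed.get("entityID")] = eps
    return result


def propagation_report(metadata_xml, outgoing_bindings=IDP_OUTGOING_SLO_BINDINGS):
    """Apply the same criterion the IdP endpoint resolver logs: an endpoint is a
    candidate only if its Binding is in the outgoing list. Returns
    entityID -> {"usable": [...], "rejected": [...]}."""
    allowed = set(outgoing_bindings)
    report = {}
    for eid, eps in slo_endpoints(metadata_xml).items():
        usable = [ep for ep in eps if ep[0] in allowed]
        rejected = [ep for ep in eps if ep[0] not in allowed]
        report[eid] = {"usable": usable, "rejected": rejected}
    return report


def soap_only_sps(metadata_xml, outgoing_bindings=IDP_OUTGOING_SLO_BINDINGS):
    """entityIDs whose only SLO endpoints are SOAP: for these the IdP ends with
    "No candidate endpoints met criteria" and does not propagate the logout."""
    return sorted(
        eid for eid, r in propagation_report(metadata_xml, outgoing_bindings).items()
        if not r["usable"] and r["rejected"]
        and all(b == SOAP_BINDING for b, _ in r["rejected"])
    )


if __name__ == "__main__":
    for eid, r in propagation_report(SAMPLE_METADATA).items():
        print(eid)
        for b, loc in r["usable"]:
            print("  usable  ", b.rsplit(":", 1)[-1], loc)
        for b, loc in r["rejected"]:
            print("  rejected", b.rsplit(":", 1)[-1], loc, "(not in OutgoingSAML2SLOBindings)")
    print("SOAP-only SPs, logout will not be propagated:", soap_only_sps(SAMPLE_METADATA))
```

Run it against your own aggregate metadata instead of SAMPLE_METADATA to list every SP that relies on the SOAP back channel alone; those are the SPs whose sessions will survive an IdP-initiated logout on this IdP version. Passing a binding list that includes SOAP to propagation_report only models the filter; it does not make the IdP able to send a SOAP LogoutRequest.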

Re: How does Shibboleth support back-channel SLO over SOAP?

ofaklintrafo
There is also a comment in the following issue which seems to say that SOAP
SLO from the IdP is not supported yet:

https://issues.shibboleth.net/jira/browse/IDP-964

Re: How does Shibboleth support back-channel SLO over SOAP?

ofaklintrafo
In reply to this post by ofaklintrafo
Hi, it would be great if someone on the forum would give me some info on this
issue.

RE: How does Shibboleth support back-channel SLO over SOAP?

Cantor, Scott E.
> Hi, it would be great if someone on the forum would give me some info on
> this issue.

You already answered your own question, so what else are you asking?

-- Scott


RE: How does Shibboleth support back-channel SLO over SOAP?

ofaklintrafo
Sorry Scott, but then I need help understanding my own answer.

Does this mean that the Shibboleth IdP does not support back channel SLO
over SOAP, as mentioned in the wiki documentation
https://wiki.shibboleth.net/confluence/display/IDP30/LogoutConfiguration#LogoutConfiguration-SAMLLogout
?

If Shibboleth does not support back-channel SLO over SOAP, does it support
it over any other protocol?

RE: How does Shibboleth support back-channel SLO over SOAP?

Cantor, Scott E.
> Does this mean that the Shibboleth IdP does not support back channel SLO
> over SOAP, as mentioned in the wiki documentation
> https://wiki.shibboleth.net/confluence/display/IDP30/LogoutConfiguration#
> LogoutConfiguration-SAMLLogout

"SPs can request a logout using either front- or back-channel SAML bindings (typically HTTP-Redirect on the front, SOAP on the back). The IdP supports reception of either type of request, but currently cannot propagate logout using SOAP (but if you rely on a server-side session storage option, it can terminate the session at the IdP)."

I think that literally answers your question, on top of which you found the open issue for implementing the thing you keep asking if it supports, which quite obviously means we don't support it.

-- Scott


RE: How does Shibboleth support back-channel SLO over SOAP?

ofaklintrafo
Ok Scott, thank you for the clarification.

And I guess that the feature is not a top priority issue as
https://issues.shibboleth.net/jira/browse/IDP-964 has priority Minor.

RE: How does Shibboleth support back-channel SLO over SOAP?

Cantor, Scott E.
> And I guess that the feature is not a top priority issue as
> https://issues.shibboleth.net/jira/browse/IDP-964 has priority Minor.

Applications by and large cannot support back channel logouts because they rely on cookies, so it serves very little purpose.

-- Scott