I was wondering if anyone successfully managed to set up SLO with OneLogin (I'm using one of their free test setups in the cloud, in case that matters). They do not support uploading of the SP Certificate (either separately or via SP Metadata), meaning they don't really validate the LogoutRequest (we tested by sending an unsigned LogoutRequest, and it was processed successfully), nor do they sign the LogoutResponse (resulting in a "Security of LogoutResponse not established." error from Shibboleth).
I previously asked them (via support case) about this, and they suggested I put the logout URL (as opposed to the SLO Endpoint URL) into the OneLogin configuration, which strikes me as an insecure work-around, and doesn't address the lack of signing of their LogoutResponse or validation of the LogoutRequest. They also suggested I turn off validation on my end to avoid the error (which... you know... really?!).
Is there some magic I'm missing? Can someone share a success story (and config examples)?
Alternatively, am I overreacting, and the lack of validation and signing of the Logout messages isn't a big deal?
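The test described in the question (send an unsigned LogoutRequest over the HTTP-Redirect binding, then look at whether what comes back is signed), as an added Python example that is not code from the original thread, from Shibboleth or from OneLogin. It builds an unsigned LogoutRequest, encodes it the way the Redirect binding requires (raw DEFLATE, base64, URL-encoding), and inspects a received request or response for the presence of a signature: query-string `SigAlg`/`Signature` parameters for the Redirect binding, an enveloped `ds:Signature` for the POST binding. The entity IDs, endpoint URLs and the sample LogoutResponse are constructed placeholders. The check only detects whether a signature is present at all (the condition behind the "Security of LogoutResponse not established." error); actually verifying one needs an XML-DSig implementation and the peer's certificate and is outside this snippet.

```python
"""Build an unsigned SAML 2.0 LogoutRequest for the HTTP-Redirect binding and
report whether LogoutRequest/LogoutResponse messages carry a signature.
Added example for the thread above; not code from Shibboleth or OneLogin."""
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DS_NS)


def build_logout_request(issuer, name_id, session_index, destination):
    """Unsigned LogoutRequest. A conforming IdP must refuse to act on this
    when it arrives over a front-channel binding without a signature."""
    req = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML_NS}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}).text = name_id
    ET.SubElement(req, f"{{{SAMLP_NS}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def redirect_encode(xml_text):
    """Redirect-binding payload: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def redirect_decode(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_url(destination, xml_text, relay_state=None, param="SAMLRequest"):
    """Assemble the GET URL the browser would be sent to (unsigned: no SigAlg/Signature)."""
    query = {param: redirect_encode(xml_text)}
    if relay_state:
        query["RelayState"] = relay_state
    return destination + ("&" if "?" in destination else "?") + urllib.parse.urlencode(query)


def _describe(root, signed):
    local = root.tag.split("}")[1]
    info = {"type": local, "signed": signed, "issuer": root.findtext(f"{{{SAML_NS}}}Issuer")}
    if local == "LogoutResponse":
        code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
        info["status"] = code.get("Value") if code is not None else None
    return info


def inspect_redirect(url):
    """Redirect binding: the signature, if any, is over the query string
    and shows up as SigAlg + Signature parameters, not inside the XML."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    param = next((p for p in ("SAMLRequest", "SAMLResponse") if p in qs), None)
    if param is None:
        raise ValueError("no SAMLRequest or SAMLResponse parameter")
    root = ET.fromstring(redirect_decode(qs[param][0]))
    return _describe(root, "SigAlg" in qs and "Signature" in qs)


def inspect_post(b64_value):
    """POST binding: the signature, if any, is an enveloped ds:Signature child of the root."""
    root = ET.fromstring(base64.b64decode(b64_value))
    return _describe(root, root.find(f"{{{DS_NS}}}Signature") is not None)


# Constructed sample: an unsigned LogoutResponse as it would arrive in a POST form field.
# This is the shape that makes an SP that follows the standard refuse to trust the result.
UNSIGNED_RESPONSE = base64.b64encode(f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
  ID="_r1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z" InResponseTo="_q1"
  Destination="https://sp.example.org/Shibboleth.sso/SLO/POST">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>""".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    xml = build_logout_request("https://sp.example.org/shibboleth", "user-123", "_s1",
                               "https://idp.example.com/slo")
    url = redirect_url("https://idp.example.com/slo", xml, relay_state="test")
    print(inspect_redirect(url))        # unsigned request: an IdP should reject it
    print(inspect_post(UNSIGNED_RESPONSE))  # unsigned response: an SP should not trust its status
```

If the IdP acts on the URL this produces, it is processing an unsigned front-channel LogoutRequest, which is exactly what the question reports. Bear in mind that `signed` here means only that a signature is present; an attacker can attach a bogus one, so it says nothing about validity.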
> Alternatively, am I overreacting, and the lack of validation and signing of the
> Logout messages isn't a big deal?
We simply follow the standard, which isn't ambiguous on this question. If you want a rationale, I can manage a poor one (*), but ultimately my attitude is that once an implementation decides it knows better than the standard what should be done, I can guess that they have decided they know better about things that are probably much more important and aren't so easy to let slide.
(*) Technically the reason is that the report of whether logout succeeded or not would have significant impact on the UI presented to the user and has to be trustworthy (making the response more crucial to sign than the request), but in practice logout never works reliably anyway and we don't really believe the SP should be presenting that UI, so that's a fairly poor rationale. Even worse, the Shibboleth IdP doesn't even have a way to know whether logout was complete or partial by the time it responds, so its responses aren't even strictly accurate.