Ignore SLO fields in IdP metadata


Ignore SLO fields in IdP metadata

goods
I am configuring an application that is using the Shibboleth IIS module and
Service Provider (latest version).

My IdP is an F5 Big-IP which I have full control of. We use this as the IdP
for a number of different services.

I have configured Shibboleth so that authentication is working. I am having
issues getting the logout functionality to work properly. I am NOT trying to
configure SingleLogout - I just want to get local logout working before
concerning myself with the session created between the SP and IdP.

The IdP metadata file generated by the aforementioned appliance contains SLO
fields which I want Shibboleth to ignore. When I head to
https://<domain>/Shibboleth.sso/Logout with the default <Logout>SAML2
Local</Logout> in Shibboleth2.xml, I am redirected to the SLO URL in the IdP
metadata. We do not have this functionality on the appliance configured
properly, which causes a connection reset, and the browser just hangs, never
getting to the logout successful page (unless I go to that URL a couple more
times in succession). The simple solution would be to remove these fields
from the metadata; however, the file is signed by the appliance, and removing
these fields causes Shibboleth to report errors on startup related to the
signature failing.

Is there a way to configure Shibboleth to ignore the SLO fields in the IdP
Metadata?

If not, is there a way to disable the signature requirement by Shibboleth
for the IdP metadata so that I can export it from the appliance unsigned and
remove the SLO fields? (I'm storing the IdP metadata locally on disk, so
the security concern isn't there.) I'm making assumptions here that
Shibboleth is seeing those SLO fields and attempting to use them, and that by
removing them from the config file they would be ignored.

If I am way off here or something does not make sense please let me know.

Thank you for your time.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Ignore SLO fields in IdP metadata

Peter Schober
* goods <[hidden email]> [2019-11-21 03:09]:
> The IdP metadata file generated by the aforementioned appliance contains SLO
> fields which I want Shibboleth to ignore. When I head to
> https://<domain>/Shibboleth.sso/Logout with the default <Logout>SAML2
> Local</Logout> in Shibboleth2.xml, I am redirected to the SLO URL in the IdP
> metadata. We do not have this functionality on the appliance configured
> properly causing a connection reset and the browser just hangs, never
> getting to the logout successful page (unless I go to that URL a couple more
> times in succession).

Why not deal with
"We do not have this functionality on the appliance configured properly"
directly and enable this on the appliance?

> The simple solution would be to remove these fields from the
> metadata however the file is signed by the appliance and removing
> these fields causes Shibboleth to report errors on startup related
> to the signature failing.

That statement doesn't make much sense to me: Either you're loading
the IDP metadata directly over the network from the IDP, in which case
you can't easily remove the line about SLO support.
Or you're loading the metadata from a local copy on disk at the SP, in
which case you can simply remove both the SLO support /and/ the
Signature element.
The software necessarily trusts local files because the configuration
that potentially had signature validation filters configured for that
local file is also loaded from... a local file.

-peter

Re: Ignore SLO fields in IdP metadata

Cantor, Scott E.
Disabling SAML logout is trivial, just remove the SAML2 string from the <Logout> element in the SP.
 
-- Scott


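Both answers come down to a couple of lines in the SP's shibboleth2.xml. The excerpt below is an added illustration, not configuration posted by anyone in the thread or shipped by the Shibboleth project; the entityIDs, file names and attribute values are assumptions chosen for the example. It shows Scott's change (dropping SAML2 from <Logout> so only the local SP session is cleared, without ever contacting the IdP's SingleLogoutService) and, commented out, the Signature filter that is the only thing that would make the SP verify a ds:Signature on a local metadata copy, which is Peter's point.

```xml
<!-- shibboleth2.xml (excerpt): added example, all values are assumptions -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

        <!-- IdP entityID is an assumed placeholder for the appliance. -->
        <SSO entityID="https://idp.example.org/saml/idp">
            SAML2
        </SSO>

        <!-- Default is "SAML2 Local": a request to /Shibboleth.sso/Logout
             first sends a SAML LogoutRequest to the SingleLogoutService
             endpoint read from the IdP's metadata, then clears the local
             session. That first step is the redirect described in the
             original post. -->
        <!-- <Logout>SAML2 Local</Logout> -->

        <!-- Local only: the SP session is destroyed and the SLO endpoints
             in the IdP metadata are not consulted, so they can stay in the
             signed file untouched. -->
        <Logout>Local</Logout>

        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- IdP metadata loaded from a local copy on disk (assumed file name). -->
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml">
        <!-- Only a Signature filter makes the SP verify the ds:Signature
             inside this file. If the local copy is edited (for example,
             SingleLogoutService elements removed), either leave this filter
             out or delete the ds:Signature element from the file as well;
             the file is trusted because it sits beside this configuration. -->
        <!-- <MetadataFilter type="Signature" certificate="idp-signer.pem"/> -->
    </MetadataProvider>

    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
```

After changing shibboleth2.xml, restart the shibd service (the Shibboleth Daemon on an IIS host) so the new <Logout> setting is loaded; a subsequent request to /Shibboleth.sso/Logout should then land directly on the local logout page without any redirect to the appliance.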