This option configures whether logout requests and logout responses received from this IdP should be validated. The default is FALSE.
FALSE
If set to TRUE, it fails in SimpleSAMLphp with:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Validation of received messages enabled, but no signature found on message.
Backtrace:
2 /var/simplesamlphp/modules/saml/lib/Message.php:252 (sspmod_saml_Message::validateMessage)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-logout.php:38 (require)
0 /var/simplesamlphp/www/module.php:134 (N/A)
Note that the redirect we send is signed:
https://sptest.greyoak.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp?SAMLResponse=fZJNa8MwDIb%2FSsg9cT7dxqSBkmxQ6C5r6WGXoSVKG%2BbYJnJg%2B%2FdL05W1MHoy0qtHr2w5J%2BilEVt91KN9RTJaETpfvVQkZmnljoMSGqgjoaBHErYWu%2FXLVkR%2BIMygra61dG%2BQxwQQ4WA7rVxnU63c96paVnHMyydeViVfP1dhViXZIiwDzuNskUxl6jrXXk9AhkGSQNJGdcQD4EsOSdRgmtYtrzPMwg%2FOFwhR2E7oAQearFbu5Dw1Ihpxo8iCslMqCFMvDLyA76NARLFI0jfXqZBsp8DO1MlaQ4IxMnZK%2B8cBvzV8%2BrXuGXW9kXi%2BLut1M0r0zcmwOabLGXlyftRZaLCFUVqPjFvkZ1XMwwzF1aIz1Emt7jy65rcT69FCAxZydsvml93tLNiR7qNSN%2BgcQI74eBs0V4vdWNdI5LLi4vDXlP33P4of&RelayState=_e523ea08bc1085c654f0e7a853cab5c7e709f2a04b&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=YnJtSisyI8dBW0vZ3bOSPKHtHfTYUaVce31jUQ9SW3kznIae%2F7N9KCWNKB5XvC20iNtWwrcfuoUWDNue59RvIqIPhASJK95g%2BpJfDJoe5vxxUqSkygy41iBIX2Z7D5yWFNVcEatF3JqzSOIObpl0VLuUSFIUOMGr7fK3dDToeri0RSYRG%2BsebZWEEOGCFThG%2B1R6DPZN7KFvCJqdAPFJS9e5JgbrIxqg2o68BDtdohX9qr9Pbo%2BDrRlqCxyruNaWdX5k0jTlAW%2FcNzU15IKXSVHi835VWJRm3DBFZMUbkvezzh3iTbBP5cl3a6DtjV5rmr8aAL%2Fz29cOMMbF3hJQEQ%3D%3D
So maybe I've misconfigured SimpleSAMLphp.
Ok, I see. I needed to add this to the IdP metadata in metadata/saml20-idp-remote.php:
'certificate' => 'idp.pem',
And fetch idp.pem from the IdP in /var/lib/ipsilon/saml2 and put it into cert/idp.pem
resolution: => invalid
status: new => closed
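Added diagnostic example (not part of the ticket, and not SimpleSAMLphp or Ipsilon code): it splits a SAML HTTP-Redirect logout URL like the one quoted above, reports whether SigAlg and Signature are present, rebuilds the octet string the signature covers, and decodes the message. The sample URL, host and message are constructed; checking the signature itself would also need the IdP certificate (idp.pem) and an RSA library.

```python
import base64
import zlib
from urllib.parse import quote, unquote, urlsplit

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
# Constructed sample message, not taken from the ticket.
SAMPLE_XML = '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed"/>'

def build_sample_url(signed=True):
    """Constructed redirect URL: raw DEFLATE, then base64, then URL-encoding."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflater.compress(SAMPLE_XML.encode()) + deflater.flush()
    query = "SAMLResponse=" + quote(base64.b64encode(packed), safe="")
    query += "&RelayState=_constructed"
    if signed:  # placeholder signature bytes, not a real RSA signature
        query += "&SigAlg=" + quote(RSA_SHA1, safe="") + "&Signature=Y29uc3RydWN0ZWQ%3D"
    return "https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp?" + query

def inspect_redirect(url):
    """Report what a receiver with redirect validation enabled would look at."""
    raw = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value  # keep values URL-encoded: the signature covers them as sent
    msg_key = next((k for k in ("SAMLRequest", "SAMLResponse") if k in raw), None)
    if msg_key is None:
        raise ValueError("no SAMLRequest or SAMLResponse parameter")
    # Signed octets: message, RelayState (if present), SigAlg, in that order.
    order = [msg_key, "RelayState", "SigAlg"]
    signed_octets = "&".join(f"{k}={raw[k]}" for k in order if k in raw)
    sigalg = unquote(raw.get("SigAlg", ""))
    xml = zlib.decompress(base64.b64decode(unquote(raw[msg_key])), -15).decode()
    return {
        "message": msg_key,
        "signed": bool(raw.get("Signature")) and bool(sigalg),
        "sigalg": sigalg,
        "sha1": sigalg == RSA_SHA1,  # SHA-1 based algorithm, as in the URL above
        "signed_octets": signed_octets,
        "xml": xml,
    }

if __name__ == "__main__":
    for k, v in inspect_redirect(build_sample_url()).items():
        print(f"{k}: {v}")
```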