What exactly does 'Logout request is not signed' mean in SAML SSO?

security

(Bruno Henriques) #1

Hello,

I have an SSO environment (using simplesamlphp as the IdP) with three services: MyServiceA, MyServiceB and Kibana. I have a session on all three services and when I attempt to logout (SLO) from either MyServiceA or MyServiceB I encounter the error 'Logout request is not signed'. Is it possible to disable signature verification for an IdP-initiated logout just for the sake of testing and development?

Still reading more on SAML SSO and how these services implement SAML, however I would like to have your insight on this issue.


(Ioannis Kakavas) #2

Hi Bruno,

In general, one should not consume unsigned SAML Logout Requests as there is no integrity or authenticity protection without the signature. How can the SAML SP know that the request originates from the IdP and that it is indeed about logging out the specified user?

There is no way to disable signature verification for incoming SAML Logout Requests in Elasticsearch, but you can enable signing of SAML logout messages in simplesamlphp.

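The simplesamlphp side of that advice, as an added example that is not part of the reply above or of either project's own documentation: the IdP hosted metadata with logout signing switched on, plus a remote-SP entry for the Elasticsearch/Kibana SP. The entity ID, hostnames, key and certificate file names and the `example-userpass` auth source are assumptions; the `sign.logout` and `validate.logout` options are the standard simplesamlphp metadata settings for signing outgoing and validating incoming SLO messages.

```php
<?php
// metadata/saml20-idp-hosted.php (added example; file names and auth source are assumptions)
$metadata['__DYNAMIC:1__'] = [
    'host'       => '__DEFAULT__',
    'privatekey' => 'idp.key.pem',   // key used to sign messages this IdP sends
    'certificate'=> 'idp.crt.pem',   // published in IdP metadata so SPs can verify
    'auth'       => 'example-userpass',

    // Weak (default) setting: logout messages leave the IdP unsigned, and an SP that
    // insists on a signature, such as Elasticsearch, rejects them with
    // "Logout request is not signed".
    //'sign.logout' => false,

    // Corrected setting: sign every LogoutRequest/LogoutResponse this IdP sends.
    'sign.logout' => true,
];

// metadata/saml20-sp-remote.php (added example; entity ID and URLs are assumptions)
$metadata['https://kibana.example.com/'] = [
    'AssertionConsumerService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://kibana.example.com/api/security/saml/callback',
        ],
    ],
    'SingleLogoutService' => [
        [
            // SLO endpoint of the SP; the IdP sends the signed LogoutRequest here.
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://kibana.example.com/logout',
        ],
    ],
    // Per-SP override: keep signing on for this SP even if a global default differs.
    'sign.logout' => true,
    // Also require the SP's own logout messages to be signed, so the IdP does not
    // accept a forged LogoutRequest naming some other user's session.
    'validate.logout' => true,
];
```

With `sign.logout` enabled, every LogoutRequest the IdP issues carries a signature that the SP checks against the certificate in the IdP metadata, so the SP can tell a genuine IdP-initiated logout from a request anyone could have crafted with an arbitrary NameID. Setting `validate.logout` closes the same gap in the other direction.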

(Bruno Henriques) #3

Indeed! The logout flow is clearer to me now :slight_smile: I am using a version for the single purpose of development and testing.

I am editing the original question to make the issue stand out in relation to your response.

Thank you!


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.