This repository was archived by the owner on Nov 29, 2022. It is now read-only.

SES-175: Single Logout Response is never signed #145

Open
Description

@spring-projects-issues

John Chan (Migrated from SES-175) said:

Regardless of the setting when , the LogoutResponse is never signed.

This is because line 242 in `org.springframework.security.saml.websso.SingleLogoutProfileImpl.java`,
`boolean signMessage = context.getPeerExtendedMetadata().isRequireLogoutResponseSigned()`, is always false.

By SAML standards, I believe this should always be true, but if I interpret the intent correctly, this should be changed to:
`boolean signMessage = context.getLocalExtendedMetadata().isRequireLogoutResponseSigned()`

It seems that some IdPs don't enforce the signing (OpenAM for instance). However, Ping Federate does.
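The following is an added illustration, not code from spring-security-saml: it models the signing decision as the reporter describes it (reading the peer's `requireLogoutResponseSigned` flag) next to the proposed fix (reading the local entity's flag), and adds the receiver-side check a strict IdP applies when it rejects an unsigned LogoutResponse. The dataclass, function names and the sample XML messages are constructed for this example.

```python
from dataclasses import dataclass
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class ExtendedMetadata:
    # Stand-in for the one ExtendedMetadata flag the issue discusses (hypothetical model).
    require_logout_response_signed: bool = False


def sign_decision_reported(local: ExtendedMetadata, peer: ExtendedMetadata) -> bool:
    """Behaviour as reported: the decision reads the PEER's flag, so a local entity
    configured to sign still emits unsigned LogoutResponses when the peer's flag is false."""
    return peer.require_logout_response_signed


def sign_decision_proposed(local: ExtendedMetadata, peer: ExtendedMetadata) -> bool:
    """Reporter's proposed fix: the local entity's own configuration decides."""
    return local.require_logout_response_signed


def is_logout_response_signed(xml_text: str) -> bool:
    """Receiver-side check: does the LogoutResponse carry an enveloped ds:Signature?
    Presence only; cryptographic verification of the signature is a separate step."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutResponse":
        raise ValueError("not a samlp:LogoutResponse")
    return root.find(f"{{{DS_NS}}}Signature") is not None


def accept_logout_response(xml_text: str, require_signed: bool) -> bool:
    """Enforcement a strict peer applies: an unsigned response is rejected when required."""
    return is_logout_response_signed(xml_text) or not require_signed


# Constructed sample messages (not captured traffic); the signature body is a placeholder.
UNSIGNED = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
            f'IssueInstant="2022-01-01T00:00:00Z"/>')
SIGNED = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" ID="_r2" '
          f'Version="2.0" IssueInstant="2022-01-01T00:00:00Z">'
          f'<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
          f'</samlp:LogoutResponse>')

if __name__ == "__main__":
    local = ExtendedMetadata(require_logout_response_signed=True)
    peer = ExtendedMetadata(require_logout_response_signed=False)
    print("reported decision signs:", sign_decision_reported(local, peer))
    print("proposed decision signs:", sign_decision_proposed(local, peer))
    print("strict peer accepts unsigned:", accept_logout_response(UNSIGNED, True))
```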

Metadata

Labels:
- in: core (An issue in spring-security-saml-core)
- status: ideal-for-contribution (An issue that we are actively looking for help with)
- type: bug (A general bug)
- type: jira (An issue that was migrated from JIRA)