Univention Bugzilla – Bug 49305
Sign logout responses in the IDP configuration
Last modified: 2020-03-30 12:50:58 CEST
Missing in the configuration for the service providers is: 'sign.logout' => true. Without signed logout responses the OX App Suite crashes during logout with an internal server error. We also do not explicitly set the following attributes: 'saml20.sign.response' => true, 'saml20.sign.assertion' => true. I guess they are true by default?! Otherwise we should set them, too. This can simply be set; we don't need to make it configurable in the UMC/UDM.
Created attachment 9975: patch
> 'saml20.sign.response' => true, 'saml20.sign.assertion' => true,
Yes, they are true by default. We can also set "sign.logout" in the IDP configuration; the SP configurations inherit the value!
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
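To make the inheritance described above concrete, here is an added Python checker (not part of the Univention package or of this bug's patches) that parses a constructed saml20-sp-remote.php in the classic array() style and reports which SPs would receive unsigned logout messages. It assumes SimpleSAMLphp's resolution order: the SP remote entry wins, then the IdP hosted entry, and an unset key means unsigned.

```python
import re

# Constructed sample of a saml20-sp-remote.php (not a real Univention file):
# one SP sets sign.logout, one disables it, one leaves it unset.
SP_REMOTE_PHP = r"""<?php
$metadata['https://ox.example.test/appsuite'] = array(
    'AssertionConsumerService' => 'https://ox.example.test/appsuite/acs',
    'sign.logout' => true,
);
$metadata['https://legacy.example.test/sp'] = array(
    'AssertionConsumerService' => 'https://legacy.example.test/acs',
    'sign.logout' => false,
);
$metadata['https://other.example.test/sp'] = array(
    'AssertionConsumerService' => 'https://other.example.test/acs',
);
"""

# Matches one $metadata['entityID'] = array( ... ); entry written in the
# classic array() style; newer "[ ... ]" style files are not handled here.
ENTRY_RE = re.compile(r"\$metadata\['([^']+)'\]\s*=\s*array\((.*?)\);", re.S)
SIGN_RE = re.compile(r"'sign\.logout'\s*=>\s*(true|false)")


def parse_sign_logout(php_source):
    """Map each SP entityID to True, False, or None when the key is absent."""
    result = {}
    for entity_id, body in ENTRY_RE.findall(php_source):
        match = SIGN_RE.search(body)
        result[entity_id] = None if match is None else match.group(1) == "true"
    return result


def effective_sign_logout(sp_setting, idp_default=None):
    """Resolve the value that applies (assumed order): SP remote entry first,
    then the IdP hosted entry, and an unset key means unsigned (False)."""
    if sp_setting is not None:
        return sp_setting
    if idp_default is not None:
        return idp_default
    return False


def unsigned_logout_sps(php_source, idp_default=None):
    """Return the entityIDs that would receive unsigned logout messages."""
    settings = parse_sign_logout(php_source)
    return sorted(eid for eid, value in settings.items()
                  if not effective_sign_logout(value, idp_default))
```

Running `unsigned_logout_sps(SP_REMOTE_PHP, idp_default=True)` shows that setting sign.logout in the IdP configuration covers the SP with no explicit value but not the one that explicitly disables it.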
*** Bug 50603 has been marked as a duplicate of this bug. ***
Bug #50603 is a duplicate, but public and with values for User Pain.
Required for the OX app. Otherwise logout fails.
See also the patch attached to #50603: https://forge.univention.org/bugzilla/attachment.cgi?id=10254
8c259f63cc Bug #49305: fix signed logout
Package: univention-saml
Version: 6.0.2-21A~4.4.0.202002070958
Branch: ucs_4.4-0
Scope: errata4.4-3
patch from bug #50603 applied to enable signed logouts
Some general remarks: Please set yourself as bug assignee when fixing a bug, and set the correct target milestone. If you think the bug is ready for QA, set the bug status to resolved.
OK: Patch was applied.
Reopen: The fix does not fulfill the user story acceptance criteria https://taiga.knut.univention.de/project/oschwieg-ucs-core/us/743
* There is no option to toggle signed logouts for a service provider
* No resync of the listener module to rewrite existing configurations
887b0ad0ec Bug #49305: yaml
fdb54868eb Bug #49305: translations
b6256ffdcc Bug #49305: Merge branch 'jbremer/bug49305' into 4.4-3
977961432c Bug #49305: Enable signed Logout, new udm attribute signLogouts
Successful build
Package: univention-saml
Version: 6.0.2-23A~4.4.0.202002101801
Branch: ucs_4.4-0
Scope: errata4.4-3
User: jbremer
I added the UDM attribute signLogouts for service providers, which is mapped to the new LDAP attribute signLogouts. Its value determines whether to sign logout messages sent to this SP. Its default value is "True".
OK: new UDM attribute for "Enable signed logouts"
OK: "sign.logout" is written into the service provider config file if the UDM attribute is enabled
OK: yaml -> verified
<http://errata.software-univention.de/ucs/4.4/443.html>