Per Simo: in SAML logout means you keep track of all logged in SPs, then go and contact each of them and log the user out of them. afaik mod_auth_mellon supports it.

One can define a logout URI in the SP metadata but currently this only logs the user out of mod_auth_mellon. The call to lasso_logout_init_request() returns LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE.

Which of course is completely expected since the IdP doesn't register a SLO service endpoint. I added one to the metadata and now mod_auth_mellon attempts a logout.

It looks like this:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="<a href="https://gyre.example.com/idp/saml2/SLO/Redirect"/">https://gyre.example.com/idp/saml2/SLO/Redirect"/>

_comment0: Which of course is completely expected since the IdP doesn't register a SLO service endpoint. I added one to the metadata and now mod_auth_mellon attempts a logout.

It looks like this:
{{{
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="<a href="https://gyre.example.com/idp/saml2/SLO/Redirect"/">https://gyre.example.com/idp/saml2/SLO/Redirect"/>
}}} => 1420829277757134

Fields changed

owner: simo => rcritten
status: new => accepted

Fields changed

milestone: => 1.0 m1

The documentation I used to implement this included the SAML 2.0 profiles document, http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf , and the Lasso Session, Login and Logout API pages at http://lasso.entrouvert.org/documentation/api-reference/index.html

I'm only implement SP-initiated logout using HTTP Redirect, relying on the user-agent to handle contacting each SP.

patch_available: => 1

Pushed to master.
Commit IDs:
c327645
d1779f7
d87d8df
ac1bae1
7b0f5a1

resolution: => fixed
status: accepted => closed

Fields changed

rhbz: => 0