
shibboleth-dev - Re: [Shib-Users] IdP Single Logout Support Feedback

Subject: Shibboleth Developers

  • From: André Cruz <>
  • To: <>
  • Cc:
  • Subject: Re: [Shib-Users] IdP Single Logout Support Feedback
  • Date: Tue, 17 Nov 2009 15:58:32 +0000

On Nov 9, 2009, at 13:59 , Chad La Joie wrote:

> - SP versions
> - HTTP or HTTPS SLO endpoints
> - Front or back channel communication
> - Browser versions

I've been running some tests with SP 2.3, IDP 2.1.4SLO4 and Firefox 3.5.5.

IDP initiated SLO
SAML:2.0:bindings:HTTP-Redirect - Worked
SAML:2.0:bindings:HTTP-POST - Worked
SAML:2.0:bindings:HTTP-Artifact - consistent SP crash with logging in debug:

(gdb) bt
#0 0x00002b9ad56a9030 in strlen () from /lib/libc.so.6
#1 0x00002b9ad5675cb1 in vfprintf () from /lib/libc.so.6
#2 0x00002b9ad569b20a in vsnprintf () from /lib/libc.so.6
#3 0x00002b9ad0faa116 in log4shib::StringUtil::vform () from /usr/local/shib-sp2/lib/liblog4shib.so.1
#4 0x00002b9ad0f9edd6 in log4shib::Category::_logUnconditionally () from /usr/local/shib-sp2/lib/liblog4shib.so.1
#5 0x00002b9ad0f9e24e in log4shib::Category::debug () from /usr/local/shib-sp2/lib/liblog4shib.so.1
#6 0x00002b9ad1743e02 in opensaml::saml2p::SAML2SOAPDecoder::decode () from /usr/local/shib-sp2/lib/libsaml.so.6
#7 0x00002b9ad0c7776e in shibsp::SAML2Logout::doRequest (this=0x7ef100, application=@0x75cc50, request=@0x8437c0, response=@0x9510c0) at handler/impl/SAML2Logout.cpp:349
#8 0x00002b9ad0c79671 in shibsp::SAML2Logout::receive (this=0x7ef100, in=<value optimized out>, out=@0x41000d50) at handler/impl/SAML2Logout.cpp:257
#9 0x00002b9ad0ccfb7f in shibsp::ListenerService::receive (this=0x715628, in=@0x41000f90, out=@0x41000d50) at remoting/impl/ListenerService.cpp:113
#10 0x00002b9ad0cd3e2c in shibsp::ServerThread::job (this=0x95e060) at remoting/impl/SocketListener.cpp:539
#11 0x00002b9ad0cd49bd in shibsp::ServerThread::run (this=0x95e060) at remoting/impl/SocketListener.cpp:479
#12 0x00002b9ad0cd4ab1 in server_thread_fn (arg=0x95e060) at remoting/impl/SocketListener.cpp:413
#13 0x00002b9ad2c94fc7 in start_thread () from /lib/libpthread.so.0
#14 0x00002b9ad56fd5ad in clone () from /lib/libc.so.6
#15 0x0000000000000000 in ?? ()

After I switched to INFO it worked.

SAML:2.0:bindings:SOAP - Worked. Is there a way to force back-channel SLO? I
removed all other endpoints from the metadata.

Also, I have a custom login handler to handle the login part and it creates
its own sessions. How do I get notified of these logouts so that I can
terminate my session as well?


SP Initiated SLO

After I switched the SP session initiator to SAML2 I started getting these
errors on the IDP when I tried to log in (POST or Artifact produced it):

15:17:21.056 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:833]
- Building assertion NameID for principal/relying
party:/https://sp1.sso2.sso.bk.sapo.pt/shibboleth
15:17:21.056 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:858]
- Relying party 'https://sp1.sso2.sso.bk.sapo.pt/shibboleth' supports the
name formats: [urn:mace:shibboleth:1.0:nameIdentifier]
15:17:21.057 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:554]
- Determining if SAML assertion to relying party
'https://sp1.sso2.sso.bk.sapo.pt/shibboleth' should be signed
15:17:21.057 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:628]
- IdP relying party configuration 'default' indicates to sign assertions:
false
15:17:21.057 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:635]
- Entity metadata for relying party
'https://sp1.sso2.sso.bk.sapo.pt/shibboleth 'indicates to sign assertions:
false
15:17:21.057 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:270]
- Attempting to encrypt assertion to relying party
'https://sp1.sso2.sso.bk.sapo.pt/shibboleth'
15:17:21.070 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:833]
- Building assertion NameID for principal/relying
party:/https://sp1.sso2.sso.bk.sapo.pt/shibboleth
15:17:21.071 - DEBUG
[edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:858]
- Relying party 'https://sp1.sso2.sso.bk.sapo.pt/shibboleth' supports the
name formats: [urn:mace:shibboleth:1.0:nameIdentifier]
15:17:21.072 - ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88]
- Error occured while processing request
java.lang.NullPointerException: null
at
edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl.setSAML2NameIdentifier(ServiceInformationImpl.java:101)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:269)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:148)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83)
[shibboleth-common-1.1.3-slo1.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.forwardRequest(AuthenticationEngine.java:185)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToProfileHandler(AuthenticationEngine.java:171)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.completeAuthentication(AuthenticationEngine.java:520)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:213)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.forwardRequest(AuthenticationEngine.java:185)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToAuthenticationEngine(AuthenticationEngine.java:149)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler.login(PreviousSessionLoginHandler.java:115)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.startUserAuthentication(AuthenticationEngine.java:257)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:211)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:189)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:145)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:82)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83)
[shibboleth-common-1.1.3-slo1.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77)
[shibboleth-identityprovider-2.1.4-slo4.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:na]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
[catalina.jar:na]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:na]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
[catalina.jar:na]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[catalina.jar:na]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:na]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
[catalina.jar:na]
at
org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:427)
[tomcat-coyote.jar:na]
at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
[tomcat-coyote.jar:na]
at
org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1539)
[tomcat-coyote.jar:na]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_12]


I haven't been able to test SP initiated SLO yet because of this since the SP
won't do SLO if the session is started with a SAML1 binding. Is it a
misconfiguration on my part?

Great work, anyhow. If someone can point me in the right direction regarding
this last exception I'll continue the tests.

Best regards,
André Cruz

