laravel-saml2
Problem with sls
Hi, I am using SLO against Shibboleth IDP. I initiate SLO by making a request to $idp_host . '/idp/profile/Logout'. When the IDP propagates SLO to all of the SPs, the /sls route is notified and the LogoutEvent is launched (and listened to) correctly; however, neither does the user get cleared nor does the IDP receive a success for the logout.
From the logs, I noticed that the SP with laravel-saml2 has the Location header in the response set to https://myidp/idp/profile/Logout/...... while the other one has https://myidp/idp/profile/SAML2/Redirect/SLO/...
From your code I saw that this is coded from the configuration as $idpData['singleLogoutService'] which is the same used for initiating SLO, and this is not true, at least for Shibboleth IDP. In addition, even if I change it manually from return $this->redirectTo($sloUrl, $parameters, $stay); to return $this->redirectTo('https://myidp/idp/profile/SAML2/Redirect/SLO', $parameters, $stay); it does not work.
Am I missing something? Any cues?
Thank you very much.
In your Idp settings, use https://sp/saml2/sls instead of https://sp/saml2/logout to receive the response from your Idp.
I would like to give you the context that works for me. Salesforce as the Idp, My laravel app as the SP.
In Salesforce, SAML Service Provider Settings -> Single Logout URL, I specified https://[my-app]/saml2/sls.
Hi, thank you for your response. In my metadata I already instruct the IDP (Shibboleth) to use sls route, but it does not work.
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp/saml2/sls" />
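The original post describes the SP sending its LogoutResponse to the same URL it uses to start logout, while the other SP answered at the IdP's SAML2 Redirect SLO endpoint. In SAML metadata a SingleLogoutService element carries a Location (where LogoutRequests go) and an optional ResponseLocation (where LogoutResponses go, falling back to Location when absent), so a single configured "slo URL" cannot serve both cases in general. The following is an added Python example, not laravel-saml2 or Shibboleth code, that reads those endpoints from IdP metadata and picks the right one per message type; the metadata, entityID and hostnames are constructed placeholders, and the "/idp/profile/Logout" path is used only to mirror the configuration described above.

```python
"""Pick the IdP SingleLogoutService URL for an outgoing LogoutRequest versus
an outgoing LogoutResponse, based on the IdP's own metadata.

Added illustration, not laravel-saml2 code. The metadata below is constructed:
idp.example.test is a placeholder host, not a real IdP.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata. The Redirect endpoint declares only Location (so
# responses fall back to it); the POST endpoint declares a separate ResponseLocation.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/idp/profile/SAML2/POST/SLO"
        ResponseLocation="https://idp.example.test/idp/profile/SAML2/POST/SLO/response"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_slo_endpoints(metadata_xml: str) -> dict:
    """Return {binding: {"location": ..., "response_location": ...}} for every
    SingleLogoutService in the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for slo in root.findall(".//md:IDPSSODescriptor/md:SingleLogoutService", NS):
        binding = slo.get("Binding")
        location = slo.get("Location")
        if not binding or not location:
            continue  # malformed entry: skip rather than guess
        endpoints[binding] = {
            "location": location,
            # ResponseLocation is optional in the metadata schema; when it is
            # missing, LogoutResponses go to Location.
            "response_location": slo.get("ResponseLocation") or location,
        }
    return endpoints


def slo_url_for(endpoints: dict, message_type: str, binding: str = HTTP_REDIRECT) -> str:
    """URL to send a 'LogoutRequest' (SP-initiated SLO) or a 'LogoutResponse'
    (answering an IdP-initiated SLO) over the given binding."""
    if binding not in endpoints:
        raise ValueError(f"IdP metadata declares no SingleLogoutService for {binding}")
    ep = endpoints[binding]
    if message_type == "LogoutRequest":
        return ep["location"]
    if message_type == "LogoutResponse":
        return ep["response_location"]
    raise ValueError(f"unknown SLO message type {message_type!r}")


def check_single_slo_url(configured_url: str, endpoints: dict,
                         binding: str = HTTP_REDIRECT) -> list:
    """Configuration check: report how a single configured SLO URL (as used for
    both directions) differs from what the IdP metadata actually advertises."""
    problems = []
    if binding not in endpoints:
        return [f"no {binding} SingleLogoutService in IdP metadata"]
    ep = endpoints[binding]
    if configured_url != ep["location"]:
        problems.append(f"LogoutRequest should go to {ep['location']}, not {configured_url}")
    if configured_url != ep["response_location"]:
        problems.append(f"LogoutResponse should go to {ep['response_location']}, not {configured_url}")
    return problems


if __name__ == "__main__":
    eps = parse_slo_endpoints(SAMPLE_IDP_METADATA)
    # Mirrors the thread's configuration: one URL used for both directions.
    for line in check_single_slo_url("https://idp.example.test/idp/profile/Logout", eps):
        print("WARNING:", line)
    print("LogoutResponse ->", slo_url_for(eps, "LogoutResponse"))
```

Running the check against the IdP's published metadata (rather than a hand-typed URL) is the quickest way to see whether the configured singleLogoutService value is a SAML endpoint at all, and whether request and response targets differ for the binding in use.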
@robertogallea I also encountered issue with SLO - My conclusion was that my IdP does not allow SLO request, therefore I dropped SLO (I still feel this might not be true though). I read some articles detailing the caveats with implementing SLO. But just in case you find solution to this, kindly reply here. Thank you.