LogoutRequest does not match SAML XML schema
Hi! We've found an issue related to the single logout feature. When the single logout request is signed, some identity providers reject it with an error (at least, ADFS does this). After some investigation, we've found that the XML request does not match the SAML XML schema (we checked the request with https://www.samltool.com/validate_xml.php). According to the SAML schema (see LogoutRequestType, which is based on RequestAbstractType), the order of elements should be:
Issuer
Signature
NameID
SessionIndex
But in the Element() function it's different:
https://github.com/crewjam/saml/blob/29c6295245bda6b40d9efb1dddaf7670ed782cb0/schema.go#L73-L84
So I basically suggest swapping the Signature and NameID elements to make the logout request match the SAML schema:

```go
// Proposed child order for LogoutRequest.Element(): Issuer, then Signature,
// then NameID, as RequestAbstractType requires.
if r.Issuer != nil {
	el.AddChild(r.Issuer.Element())
}
if r.Signature != nil {
	el.AddChild(r.Signature)
}
if r.NameID != nil {
	el.AddChild(r.NameID.Element())
}
```
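As an added illustration (not code from the issue or from the crewjam/saml project), the following Go program checks the top-level child order of a serialized LogoutRequest against the sequence the SAML 2.0 protocol schema prescribes: the RequestAbstractType header (Issuer, ds:Signature, Extensions), then the BaseID/NameID/EncryptedID choice, then SessionIndex. Both sample requests are constructed here; the IDs, issuer URL and signature value are placeholders, and the check only inspects element order, not signature validity.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// schemaOrder lists the child elements of LogoutRequest in the order the
// SAML 2.0 protocol schema prescribes: first the RequestAbstractType header
// (Issuer, ds:Signature, Extensions), then the LogoutRequest choice
// (BaseID | NameID | EncryptedID) and finally any SessionIndex elements.
var schemaOrder = []string{"Issuer", "Signature", "Extensions", "BaseID", "NameID", "EncryptedID", "SessionIndex"}

// Constructed sample (not taken from the project): the ordering the issue
// describes, with ds:Signature emitted after NameID.
const rejectedLogoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <samlp:SessionIndex>_constructed-session</samlp:SessionIndex>
</samlp:LogoutRequest>`

// Constructed sample: the same request with Signature moved before NameID.
const conformingLogoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
  <samlp:SessionIndex>_constructed-session</samlp:SessionIndex>
</samlp:LogoutRequest>`

// topLevelChildren returns the local names of the document element's direct
// children in document order. Namespace prefixes are deliberately ignored;
// nested elements (e.g. inside ds:Signature) are skipped via depth tracking.
func topLevelChildren(doc string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var names []string
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			depth++
			if depth == 2 {
				names = append(names, t.Name.Local)
			}
		case xml.EndElement:
			depth--
		}
	}
}

// CheckLogoutRequestOrder reports whether the request's children follow
// schemaOrder. On failure the second return value names the first element
// that appears too early, mirroring what a schema validator would flag.
func CheckLogoutRequestOrder(doc string) (bool, string, error) {
	names, err := topLevelChildren(doc)
	if err != nil {
		return false, "", err
	}
	rank := make(map[string]int, len(schemaOrder))
	for i, n := range schemaOrder {
		rank[n] = i
	}
	prevRank, prevName := -1, ""
	for _, n := range names {
		r, ok := rank[n]
		if !ok {
			return false, fmt.Sprintf("unexpected element %s", n), nil
		}
		if r < prevRank {
			return false, fmt.Sprintf("%s must come before %s", n, prevName), nil
		}
		prevRank, prevName = r, n
	}
	return true, "", nil
}

func main() {
	for _, doc := range []string{rejectedLogoutRequest, conformingLogoutRequest} {
		ok, why, err := CheckLogoutRequestOrder(doc)
		fmt.Println(ok, why, err)
	}
}
```

Running this flags the first sample with "Signature must come before NameID" and accepts the second, which is the same observation the schema validator at samltool.com makes; a check like this is a cheap regression test to keep in a service provider's test suite so that element order does not silently drift away from the schema again.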
A PR would be most welcome. :)