Closed
Opened Nov 02, 2017 by Clément OUDOT (@clement_oudot, Owner)

SessionIndex should not be mandatory in SAML SingleLogoutRequest

In our SAML IDP code, we require the SessionIndex in the SLO request to perform the full logout:

            # Get session index
            my $session_index;
            eval { $session_index = $logout->request()->SessionIndex; };

            # SLO requests without session index are not accepted
            if ( $@ or !defined $session_index ) {
                $self->lmLog(
                    "No session index in SLO request from $spConfKey SP",
                    'error' );
                return $self->sendSLOErrorResponse( $logout, $method );
            }

Reading SAML specifications, this attribute is optional (saml-core-20-os.pdf, chapter 3.7.1):

<SessionIndex> [Optional]
The identifier that indexes this session at the message recipient.

So we should be able to accept these SLO requests, and see how a logout is possible without the SessionIndex. This can be an option to activate per SAML SP.

Edited Nov 16, 2017 by Clément OUDOT
Milestone: 1.9.14 (Past due)
Reference: lemonldap-ng/lemonldap-ng#1326
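
One way the per-SP option proposed in this issue could select sessions when SessionIndex is absent, as an added example that is not LemonLDAP::NG code. The record fields and the `allow_missing_session_index` option name are hypothetical, and falling back to the NameID scoped to the requesting SP is an assumption about how the logout would be resolved.

```perl
use strict;
use warnings;

# Constructed sample data: one record per assertion the IDP issued to an SP.
# Field names are hypothetical, not LemonLDAP::NG's session schema.
my @issued = (
    { sso_id => 'sso-1', sp => 'sp-a', name_id => 'alice', session_index => 'idx-1' },
    { sso_id => 'sso-2', sp => 'sp-a', name_id => 'alice', session_index => 'idx-2' },
    { sso_id => 'sso-3', sp => 'sp-a', name_id => 'bob',   session_index => 'idx-3' },
    { sso_id => 'sso-4', sp => 'sp-b', name_id => 'alice', session_index => 'idx-4' },
);

# Return an array ref of SSO session ids an SLO request targets, or undef to reject.
#   $req : { sp => ..., name_id => ..., session_index => ... or absent }
#   $opt : per-SP options; 'allow_missing_session_index' is a hypothetical name
sub slo_targets {
    my ( $req, $opt, $issued ) = @_;

    # NameID is the only selector left when SessionIndex is absent: require it
    return unless defined $req->{name_id} and length $req->{name_id};

    # Only consider assertions issued to the requesting SP for this subject
    my @mine = grep {
        $_->{sp} eq $req->{sp} and $_->{name_id} eq $req->{name_id}
    } @$issued;

    if ( defined $req->{session_index} ) {
        # Index present: it must belong to the same SP and the same subject
        @mine = grep { $_->{session_index} eq $req->{session_index} } @mine;
    }
    elsif ( !$opt->{allow_missing_session_index} ) {
        # Strict behaviour, as in the code quoted in the issue
        return;
    }
    return [ map { $_->{sso_id} } @mine ];
}

my $no_idx = { sp => 'sp-a', name_id => 'alice' };
for my $case (
    [ 'strict, no index',  $no_idx, {} ],
    [ 'relaxed, no index', $no_idx, { allow_missing_session_index => 1 } ],
    [ 'relaxed, idx-2', { %$no_idx, session_index => 'idx-2' }, { allow_missing_session_index => 1 } ],
) {
    my ( $label, $req, $opt ) = @$case;
    my $ids = slo_targets( $req, $opt, \@issued );
    print "$label: ", ( $ids ? 'terminate ' . join( ',', @$ids ) : 'reject' ), "\n";
}
```

Scoping the fallback to the requesting SP and the NameID keeps a request without SessionIndex from reaching another subject's sessions or sessions opened through a different SP.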