Request Denied on SOAP SLO request on IDP
When the SP does a SOAP SLO request on the IDP, I have this debug trace:
SP side:
{quote}
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Use method SOAP with IDP lemonldapng-vm2 for SLO profile
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Set 7b3dba313cd02d3e1ce02955774a59a5 in RelayState
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Logout request created
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Keep request ID _9C33E765434194C44E4D3187D5019E9B in assertion session adbad1925ba4ad4133e020aa60a3919e
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Send SOAP message <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutRequest ID="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:37Z" Destination="http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP">saml:Issuerhttp://auth.example.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\nn8YveIW+A6qRSrUTp5zS9joVCDs=\n\n\nsuV+p6x6PfIolKlyEvzhWdkT8me4fqXA8nNGOlBT0aYf4wKk5cI9L2i768/AXEOg\nGL38rQwqnFeQq6/xal2wEg==\n<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">coudot@linagora.com</saml:NameID>samlp:SessionIndexf5+Ke/5WbO1QKLlbTDdL9o41vrt6jZ/Gs6v+WAuJt9VjuIc3U79JqPGFgRlppaK8</samlp:SessionIndex></samlp:LogoutRequest></s:Body></s:Envelope> to http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Get response <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutResponse ID="_FC7174C22CE3E06365A8A41C918B1830" InResponseTo="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:35Z">saml:Issuerhttp://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\nm2xwXkyGR2iMIg0FW6xupbfzmVA=\n\n\nbWrwGnVIYPz69AhUge6LvNwPw0PhfxbWEpJ/xc0CAwdTclX/KkPDewaRVB+DkHtk\njX1qcqz9NCTxZuQ06LATpQ9pDkmrjXCS9/6DkNHXeCiwlfabowUKuzxdrFdIVCTE\na6xDOvi9lqEBT0vviZS5CejjsuzyRoSIq/DM+gYfE+8=\nsamlp:Status<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:LogoutResponse></s:Body></s:Envelope>
[Mon May 31 16:28:37 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Lasso error code 302: Request denied by identity provider
[Mon May 31 16:28:37 2010] [error] Fail to process logout response
{quote}
IDP side:
{quote}
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: URL http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP detected as an SLO URL
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SAML method: HTTP-SOAP
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: HTTP-SOAP: SAML Request <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutRequest ID="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:37Z" Destination="http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP">saml:Issuerhttp://auth.example.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\nn8YveIW+A6qRSrUTp5zS9joVCDs=\n\n\nsuV+p6x6PfIolKlyEvzhWdkT8me4fqXA8nNGOlBT0aYf4wKk5cI9L2i768/AXEOg\nGL38rQwqnFeQq6/xal2wEg==\n<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">coudot@linagora.com</saml:NameID>samlp:SessionIndexf5+Ke/5WbO1QKLlbTDdL9o41vrt6jZ/Gs6v+WAuJt9VjuIc3U79JqPGFgRlppaK8</samlp:SessionIndex></samlp:LogoutRequest></s:Body></s:Envelope>
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SLO: Logout request is valid
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Found entityID http://auth.example.com/saml/metadata in SAML message
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: http://auth.example.com/saml/metadata match coudot SP in configuration
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Signature is valid
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Destination http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP found in SAML message
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: Destination match URL http://auth.vm2.lemonsaml.linagora.com/saml/singleLogoutSOAP
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: SOAP response <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsutil="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Body wsutil:Id=""><samlp:LogoutResponse ID="_FC7174C22CE3E06365A8A41C918B1830" InResponseTo="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" IssueInstant="2010-05-31T14:28:35Z">saml:Issuerhttp://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer>\n\n\n\n\n\n\n\n\n\nm2xwXkyGR2iMIg0FW6xupbfzmVA=\n\n\nbWrwGnVIYPz69AhUge6LvNwPw0PhfxbWEpJ/xc0CAwdTclX/KkPDewaRVB+DkHtk\njX1qcqz9NCTxZuQ06LATpQ9pDkmrjXCS9/6DkNHXeCiwlfabowUKuzxdrFdIVCTE\na6xDOvi9lqEBT0vviZS5CejjsuzyRoSIq/DM+gYfE+8=\nsamlp:Status<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:LogoutResponse></s:Body></s:Envelope>
[Mon May 31 16:28:35 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub returnSOAPMessage
{quote}
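
A triage helper for a SOAP SLO exchange like the one traced above, added here as an example and not part of the original report or of LemonLDAP::NG: it reads the nested status codes, checks that `InResponseTo` matches the request ID, and reports the gap between the two `IssueInstant` values. The function names are hypothetical, and the two messages are constructed, unsigned envelopes that reuse only the IDs, instants and status codes shown in the trace.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
XMLNS = ' '.join(f'xmlns:{p}="{u}"' for p, u in NS.items())
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed sample messages (signature, Issuer and NameID omitted).
REQUEST = (f'<s:Envelope {XMLNS}><s:Body><samlp:LogoutRequest '
           'ID="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" '
           'IssueInstant="2010-05-31T14:28:37Z"/></s:Body></s:Envelope>')
RESPONSE = (f'<s:Envelope {XMLNS}><s:Body><samlp:LogoutResponse '
            'ID="_FC7174C22CE3E06365A8A41C918B1830" '
            'InResponseTo="_9C33E765434194C44E4D3187D5019E9B" Version="2.0" '
            'IssueInstant="2010-05-31T14:28:35Z"><samlp:Status>'
            f'<samlp:StatusCode Value="{STATUS}Responder">'
            f'<samlp:StatusCode Value="{STATUS}RequestDenied"/>'
            '</samlp:StatusCode></samlp:Status></samlp:LogoutResponse>'
            '</s:Body></s:Envelope>')

def saml_message(envelope, name):
    """Return the samlp:<name> element carried in a SOAP body."""
    if "<!DOCTYPE" in envelope:  # SAML messages never need a DTD; refuse one
        raise ValueError("DTD not allowed in SAML message")
    node = ET.fromstring(envelope).find(f"s:Body/samlp:{name}", NS)
    if node is None:
        raise ValueError(f"no samlp:{name} in SOAP body")
    return node

def status_chain(response):
    """Status codes from the top-level one down to the innermost."""
    chain, node = [], response.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        chain.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find("samlp:StatusCode", NS)
    return chain

def triage(request_xml, response_xml):
    req = saml_message(request_xml, "LogoutRequest")
    resp = saml_message(response_xml, "LogoutResponse")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    gap = (datetime.strptime(resp.get("IssueInstant"), fmt)
           - datetime.strptime(req.get("IssueInstant"), fmt))
    return {"correlated": resp.get("InResponseTo") == req.get("ID"),
            "status": status_chain(resp),
            "response_minus_request_s": gap.total_seconds()}

if __name__ == "__main__":
    print(triage(REQUEST, RESPONSE))
```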