I am using WSO2IS as IdP and 2 applications as SP in this setup. One of the applications uses Java, spring-security-saml-extension, the other one PHP and SimpleSAMLphp. SSO is working well, but I cannot get SLO working.
What I do is:
SimpleSAMLphp error message:
SimpleSAML_Error_BadRequest: BADREQUEST('%REASON%' => 'Received message on logout endpoint without issuer.')
SAML2 LogoutRequest issued by the IdP:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest ID="ljknoccfdhjcgelcpmbicffooeokboficpggcmpi" IssueInstant="2014-04-08T06:45:19.944Z" NotOnOrAfter="2014-04-08T06:50:19.944Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">EXAMPLE.AT/[email protected]</saml2:NameID>
<saml2p:SessionIndex>5f14fc6e-1c31-42e1-b7c2-e1501bf400a8</saml2p:SessionIndex>
</saml2p:LogoutRequest>
The SAML2 SLO profile specification below clearly states in chapter 4.4.4 on line 1294:
The <Issuer> element MUST be present and MUST contain the unique identifier of the requesting entity
As I understand this, WSO2IS acting as the IdP should be the Issuer here, but it fails to include its ID in the message.
Any hint on what I am doing wrong? I cannot imagine that this is a WSO2IS bug!
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
As you found in the specification, the Issuer element is mandatory. The SP uses it to identify the sender. Without it the SP would have to start guessing who sent the message, as it might be connected to many IdPs at the same time. The issue should be reported as a bug to WSO2.
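The check an SP performs on an incoming LogoutRequest, as an added illustration (not SimpleSAMLphp's or WSO2's code): it rejects the Issuer-less message from the question with the same reason SimpleSAMLphp reports, and accepts a constructed copy that carries the mandatory Issuer. The IdP entity ID, the NameID value and the receipt time are assumptions; signature verification, which a real SP does before trusting the Issuer, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder entity ID the SP would hold in its trusted-IdP metadata (assumption).
TRUSTED_IDPS = {"https://idp.example.test/samlsso"}
# Constructed receipt time shortly after the IssueInstant in the question.
RECEIPT_TIME = datetime(2014, 4, 8, 6, 46, tzinfo=timezone.utc)

# Constructed sample 1: the Issuer-less request from the question (NameID value replaced).
REQUEST_WITHOUT_ISSUER = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest ID="ljknoccfdhjcgelcpmbicffooeokboficpggcmpi" IssueInstant="2014-04-08T06:45:19.944Z" NotOnOrAfter="2014-04-08T06:50:19.944Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">user@example.test</saml2:NameID>
<saml2p:SessionIndex>5f14fc6e-1c31-42e1-b7c2-e1501bf400a8</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

# Constructed sample 2: the same request with the <Issuer> the SLO profile requires.
REQUEST_WITH_ISSUER = REQUEST_WITHOUT_ISSUER.replace(
    b"<saml2:NameID", b'<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"https://idp.example.test/samlsso</saml2:Issuer>\n<saml2:NameID")

def check_logout_request(xml_bytes, trusted_idps=TRUSTED_IDPS, now=None):
    """Return (accepted, detail): detail is the rejection reason, or on success a dict
    with the issuer and SessionIndex the SP needs to locate the session to terminate."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != "{%s}LogoutRequest" % NS["saml2p"]:
        return False, "not a LogoutRequest"
    issuer = root.find("saml2:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        # The condition behind SimpleSAMLphp's "without issuer" BADREQUEST.
        return False, "Received message on logout endpoint without issuer."
    entity_id = issuer.text.strip()
    if entity_id not in trusted_idps:
        return False, "issuer is not a configured IdP: " + entity_id
    expiry = root.get("NotOnOrAfter")
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        return False, "LogoutRequest has expired (NotOnOrAfter passed)"
    if root.find("saml2:NameID", NS) is None:
        return False, "LogoutRequest carries no NameID"
    session = root.find("saml2p:SessionIndex", NS)
    return True, {"issuer": entity_id,
                  "session_index": session.text if session is not None else None}
```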