By: Ramesh Babu user 19 Jul 2017 at 1:27 a.m. CDT

3 Responses
How to handle SAML single logout

By Mohib Zico Account Admin 19 Jul 2017 at 1:44 a.m. CDT

Please check the docs first. Then try them yourself, and then open a ticket with:

- which doc you tried.
- search for other support tickets on same issue?
- what problem you are facing.
- share log of errors.

By Ramesh Babu user 21 Jul 2017 at 12:10 a.m. CDT

Hi, I followed the below URL for establishing the Trust Relationship with the SP using SAML configuration. The SP redirects to the Gluu page, authentication is successful, and Gluu redirects back to the SP home page. Now the problem I am facing is that when logging out from the SP, the Gluu IDP doesn't send a response and logout is not happening in both IDP and SP. How to configure the SAML response for SLO?

**SP metadata file**

```xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="pentaho" entityID="pentaho">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><!-- base64 certificate data omitted --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><!-- base64 certificate data omitted --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.0.237:8443/pentaho/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://192.168.0.237:8443/pentaho/saml/SingleLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.0.237:8443/pentaho/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://192.168.0.237:8443/pentaho/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

**IDP metadata file**

```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://tpgluuserver.org/idp/shibboleth">
  <IDPSSODescriptor errorURL="https://tpgluuserver.org/identity/feedback.htm" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">tpgluuserver.org</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><!-- base64 certificate data omitted --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://tpgluuserver.org:9443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://tpgluuserver.org:9443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://tpgluuserver.org/idp/logout.jsp"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://tpgluuserver.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" Location="https://tpgluuserver.org/idp/profile/SAML2/Unsolicited/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tpgluuserver.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://tpgluuserver.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://tpgluuserver.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">tpgluuserver.org</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><!-- base64 certificate data omitted --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://tpgluuserver.org:9443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://tpgluuserver.org:9443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
```

By Aliaksandr Samuseu staff 21 Jul 2017 at 1:51 p.m. CDT

Hi, Ramesh. Please check the [logout doc](https://gluu.org/docs/ce/3.0.2/operation/logout/#saml-logout). Gluu won't send you back to the SP. Instead, the SP needs to log the user out itself first, then send him to the `https://<hostname>/idp/logout.jsp` URL to kill his session at Gluu too.
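
The logout sequence described in the reply above, as an added example that is not code from Gluu, Pentaho or any poster in this thread: the SP clears its own session, then redirects the browser to the `SingleLogoutService` location read from the IdP metadata, refusing any location that is not HTTPS on the IdP's own host. The function names, the dict standing in for the SP session, and the host-match rule (which assumes the IdP `entityID` is a URL on the IdP host, as it is in the metadata posted here) are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the IdP metadata from the thread, trimmed to the
# elements that matter for logout. Assumed to come from trusted local config.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tpgluuserver.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tpgluuserver.org/idp/logout.jsp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tpgluuserver.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_logout_url(metadata_xml, binding=REDIRECT):
    """Return the IdP logout URL advertised for `binding`, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    idp_host = urlsplit(root.get("entityID", "")).hostname
    for svc in root.findall("md:IDPSSODescriptor/md:SingleLogoutService", MD_NS):
        if svc.get("Binding") != binding:
            continue
        url = urlsplit(svc.get("Location", ""))
        # Only ever send the browser to the IdP's own host, over HTTPS.
        if url.scheme != "https" or url.hostname != idp_host:
            raise ValueError("untrusted logout location: %r" % svc.get("Location"))
        return url.geturl()
    raise ValueError("IdP metadata has no SingleLogoutService for " + binding)


def sp_logout(session, metadata_xml):
    """SP-side logout handler: returns (status, headers) for the HTTP response."""
    target = idp_logout_url(metadata_xml)  # validate before touching the session
    session.clear()                        # 1. end the SP session locally
    return 302, {"Location": target}       # 2. send the browser to the IdP logout page
```

Resolving the target before clearing the session means a bad metadata file surfaces as an error instead of leaving the user logged out of the SP but still holding a live IdP session.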