By: David van Hoose named 29 Sep 2020 at 1:11 p.m. CDT

21 Responses
On two of our three Gluu servers, the SAML2Logout profile is missing from relying party configuration. One of them was upgraded from 3.1.5 and the other from 3.1.6. The one that has the SAML2Logout profile was upgraded from 3.1.6. All three were upgraded to 3.1.7. Why is the SAML2Logout profile missing and how can we fix this?

By Aliaksandr Samuseu staff 29 Sep 2020 at 5:05 p.m. CDT

Hi, David. That's strange, thanks for letting us know. @Mustafa.Baser, any ideas why this could happen? Assuming all of the servers have oxTrust version 3.1.7 after upgrade, web UI should be identical for them, shouldn't it?

By Aliaksandr Samuseu staff 29 Sep 2020 at 5:07 p.m. CDT

Just to be sure we don't miss something: what upgrade methods did you use for each of the servers, David? Ideally, could you provide a direct link to each doc you followed, for each of the servers?

By Kevin Fletcher named 29 Sep 2020 at 9:43 p.m. CDT

The upgrades were performed using the documentation on the Gluu website. https://gluu.org/docs/gluu-server/3.1.7/upgrade/#upgrade-from-31x-to-317 Thanks, Kevin

By Mohib Zico Account Admin 29 Sep 2020 at 10:17 p.m. CDT

Hi, If I remember correctly, it has to be added 'manually'. Proper SLO feature is working in 4.x, honestly speaking. But I'll share the workaround with you. Assigning to me.

By Devrim Yatar staff 30 Sep 2020 at 4:21 a.m. CDT

I am not sure why it happened.

By David van Hoose named 30 Sep 2020 at 7:39 a.m. CDT

@Mohib.Zico, we didn't do anything to make it available on the server it is working on. It was supposed to be included starting with 3.1.6, but one of the servers started at 3.1.6. I checked the Shibboleth files and they are all the same between the broken and working instances. I hope your workaround works, because I really do not want to reinstall 3.x servers while we wait for the 4.x installers to be fixed.

By Mohib Zico Account Admin 03 Oct 2020 at 1:09 a.m. CDT

Hi David, Yes, seems like without any SAML2Logout profile (relying party), SLO is working perfectly in both 3.1.6 and 3.1.7. I'll try to upgrade this 3.1.6 to 3.1.7 and see how things go. Thanks!

By Mohib Zico Account Admin 03 Oct 2020 at 8:16 a.m. CDT

David, I am sorry.... I couldn't reproduce the issue. After upgrading a 3.1.6 to 3.1.7, I am getting SAML2Logout profile in RP config. Screenshot attached.

By David van Hoose named 05 Oct 2020 at 7:25 a.m. CDT

@Mohib.Zico, were you able to find your workaround?

By Mohib Zico Account Admin 05 Oct 2020 at 7:36 a.m. CDT

Sorry.. I think my last statement wasn't clear enough.... I tried to upgrade a 3.1.6 to 3.1.7 and couldn't reproduce the problem you faced. SAML2Logout profile created automatically after upgrade in 3.1.7.

By David van Hoose named 05 Oct 2020 at 7:37 a.m. CDT

@Mohib.Zico, how do I manually add it to oxTrust?

By Mohib Zico Account Admin 05 Oct 2020 at 7:55 a.m. CDT

Please take a look at [this](https://gist.github.com/mzico/f18e60a78e8081590875c81c961c4ef9). I think I wrote it some months ago ( or one year ago I guess ). Sorry but not sure how effective it might be.

By David van Hoose named 05 Oct 2020 at 8:17 a.m. CDT

@Mohib.Zico, I will look. Speaking of SSO logout, what does the SP Logout URL option do? I did some experimentation, but could not figure it out. The documentation does not even list it.

By Mohib Zico Account Admin 05 Oct 2020 at 8:38 a.m. CDT

>> what does the SP Logout URL option do? I did some experimentation, but could not figure it out.

Me neither... :-) Most probably it's some kind of half done project. I haven't had a chance to use that in prod.

By Mohib Zico Account Admin 12 Oct 2020 at 11:32 p.m. CDT

Hi David, Is there anything else we can assist you here in this ticket? Thanks!

By David van Hoose named 13 Oct 2020 at 9:29 a.m. CDT

@Mohib.Zico, I went through the instructions, but we don't have *oxAuthLogoutURI* and *oxAuthPostLogoutRedirectURI* in the oxTrust JSON configuration.

By Mohib Zico Account Admin 13 Oct 2020 at 10:06 a.m. CDT

>> but we don't have oxAuthLogoutURI and oxAuthPostLogoutRedirectURI in the oxTrust JSON configuration.

Correct. [This section](https://gist.github.com/mzico/f18e60a78e8081590875c81c961c4ef9#ldap-configuration) actually means you have to log into Gluu Server's LDAP and add these entries _manually_ in those two clients. Apologies for lack of description.

By David van Hoose named 13 Oct 2020 at 10:13 a.m. CDT

@Mohib.Zico, I will try that when I return from vacation on Monday, October 19th.

By Mohib Zico Account Admin 13 Oct 2020 at 11:10 a.m. CDT

Sounds good. Will keep ticket idle for two weeks then. Have a great vacation!

By David van Hoose named 20 Oct 2020 at 9:19 a.m. CDT

@Mohib.Zico, the issue was that the SAML2LogoutProfileConfiguration.xml.vm file was missing. Everything else was already there. No service restarts were needed after adding the file. I am closing this issue as resolved. Thank you for your assistance! I never would have thought to look in the oxtrust jetty directory for that file. I was only comparing the Shibboleth directories.

By Mohib Zico Account Admin 22 Oct 2020 at 12:10 a.m. CDT

Thanks, David!