SLO not Working for CRM Application
search cancel

SLO not Working for CRM Application


Article ID: 192667


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Federation (SiteMinder) SITEMINDER


Customer has implemented SLO with multiple SP partners, but is getting an error when users attempt to log out of the CRM application via SP-initiated SLO.  SM is throwing an error when it receives the request from the SP.


Release : ALL

Component : FEDERATION


The SLO request was not signed, thus SM was rejecting the request.  Per the SAML spec, all SLO requests must be signed when presented via POST or Redirect bindings:

It is RECOMMENDED that the HTTP exchanges in this step be made over either SSL 3.0 [SSL3] or TLS 1.0 [RFC2246] to maintain confidentiality and message integrity. The message MUST be signed if the HTTP POST or Redirect binding is used. The HTTP Artifact binding, if used, also provides for an alternate means of authenticating the request issuer when the artifact is dereferenced.



When presented via POST or Redirect binding, SLO requests must be signed.

Additional Information

This is documented on page 35 of the following SAML standards document: