SLO not Working for CRM Application

Article ID: 192667

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction

Customer has implemented SLO with multiple SP partners, but is getting an error when users attempt to log out of the CRM application via SP-initiated SLO. SiteMinder (SM) throws an error when it receives the LogoutRequest from the SP.

Cause

The SLO request was not signed, so SM rejected it. Per the SAML 2.0 Single Logout profile, an SLO request must be signed when it is presented via the HTTP POST or HTTP Redirect binding:

It is RECOMMENDED that the HTTP exchanges in this step be made over either SSL 3.0 [SSL3] or TLS 1.0 [RFC2246] to maintain confidentiality and message integrity. The message MUST be signed if the HTTP POST or Redirect binding is used. The HTTP Artifact binding, if used, also provides for an alternate means of authenticating the request issuer when the artifact is dereferenced.

Environment

Release : ALL

Component : FEDERATION

Resolution

When presented via POST or Redirect binding, SLO requests must be signed.

Additional Information

This is documented on page 35 of the following SAML standards document:
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf