Issue:
Initiating a logout request results in a 500 error on the IDP side:
FWSTrace:
Transaction with ID: 1587dbc0-8f814ebb-45de0133-7d4252db-fe98ae4a-477 failed. Reason: SLO_GET_EXCEPTION
Policy Server Trace:
[SingleLogoutTunnelServiceHandler.java][tunnelHandler][a962c4e5-cd7d6b26-f3613d82-6597db9f-de3d1ad1-7]][javax.xml.bind.UnmarshalException: Unexpected end of element {urn:oasis:names:tc:SAML:2.0:protocol}:LogoutRequest
Environment:
Policy Server: R12.52 and above
Cause:
The NameID parameter is missing from the SLO Request.
Resolution:
Per the SAML specifications, NameID is a required parameter in the SLO Request. The NameID should look like:
<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">Robm</ns2:NameID>
Make sure the SP or the IDP (whoever initiates the SLO Request) includes all required parameters in it.
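To confirm the cause on a captured request, the following added example (not part of the original article or of the product) checks a LogoutRequest for the NameID described above. It goes slightly beyond the article by also decoding a SAMLRequest value sent over the HTTP-Redirect binding (base64 plus raw DEFLATE). The function names, the issuer and the sample messages are constructed for illustration, and only a plain NameID is checked.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_binding(saml_request_b64):
    """Decode an already URL-decoded SAMLRequest value: base64, then raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request_b64), -15).decode("utf-8")


def check_logout_request(xml_text):
    """Return a list of problems; an empty list means a non-empty NameID is present."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return ["root element is %s, not samlp:LogoutRequest" % root.tag]
    name_id = root.find("{%s}NameID" % SAML)  # direct child of LogoutRequest
    if name_id is None:
        return ["NameID is missing from the LogoutRequest"]
    if not (name_id.text or "").strip():
        return ["NameID is present but empty"]
    return []


# Constructed samples (not captured traffic): one without NameID, one with it.
HEAD = ('<samlp:LogoutRequest xmlns:samlp="%s" ID="_constructed1" Version="2.0" '
        'IssueInstant="2020-01-01T00:00:00Z">'
        '<ns2:Issuer xmlns:ns2="%s">sp.example.test</ns2:Issuer>' % (SAMLP, SAML))
NAME_ID = ('<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
           'xmlns:ns2="%s">Robm</ns2:NameID>' % SAML)
BAD = HEAD + "</samlp:LogoutRequest>"
GOOD = HEAD + NAME_ID + "</samlp:LogoutRequest>"


def encode_redirect_binding(xml_text):
    """Inverse of decode_redirect_binding, used only to build the samples below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


if __name__ == "__main__":
    for label, xml_text in (("without NameID", BAD), ("with NameID", GOOD)):
        wire = encode_redirect_binding(xml_text)
        print(label, "->", check_logout_request(decode_redirect_binding(wire)) or "OK")
```

Run the check only against requests from your own federation partners' test or trace output, since the captured XML contains user identifiers.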
Additional Information:
SAML specifications for SLO Requests on page 60:
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf