Closed hurzhurz closed 1 year ago
If the NameID format is "unspecified", it is omitted in the SLO request because of this: https://github.com/onelogin/python3-saml/blob/809912de0862dd0e44fcbb11774d8da7b64e3418/src/onelogin/saml2/logout_request.py#L90-L92
This causes the error "SLO request is not valid" in LLNG. The reason is that it expects to see exactly the same NameID format that was specified at the login. See also: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2389
If I comment out the mentioned code lines in logout_request.py, it works fine.
When the SAMLResponse sent by the IdP was not specified, then the LogoutRequest should not add any NameId Format at all. This is done due to the SAML standard.
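The mismatch discussed in this thread, as an added example that is not code from python3-saml or LLNG: a minimal unsigned LogoutRequest is built with the `Format` attribute dropped when it is "unspecified", then checked with a literal comparison and with one that treats a missing `Format` as "unspecified". All function names and the sample NameID are hypothetical, and the two comparison functions only model the behaviours described in the comments above.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_logout_request(name_id, name_id_format, omit_unspecified=True):
    """Build a minimal, unsigned LogoutRequest (constructed sample, not library output)."""
    root = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest",
                      {"ID": "_constructed", "Version": "2.0"})
    nid = ET.SubElement(root, f"{{{SAML_NS}}}NameID")
    nid.text = name_id
    # Behaviour described in the issue: Format is dropped when it is "unspecified".
    if name_id_format and not (omit_unspecified and name_id_format == UNSPECIFIED):
        nid.set("Format", name_id_format)
    return ET.tostring(root, encoding="unicode")


def name_id_format_of(logout_request_xml):
    """Return the literal Format attribute of the NameID, or None if absent.

    The input here is constructed locally; parse untrusted SAML with a
    hardened parser (for example defusedxml) instead of plain ElementTree.
    """
    nid = ET.fromstring(logout_request_xml).find(f"{{{SAML_NS}}}NameID")
    return nid.get("Format")


def strict_match(session_format, logout_request_xml):
    """Literal comparison with the format recorded at login."""
    return name_id_format_of(logout_request_xml) == session_format


def normalized_match(session_format, logout_request_xml):
    """Comparison that treats a missing Format as 'unspecified' on both sides."""
    received = name_id_format_of(logout_request_xml) or UNSPECIFIED
    return received == (session_format or UNSPECIFIED)


if __name__ == "__main__":
    req = build_logout_request("alice@example.org", UNSPECIFIED)
    print(req)
    print("strict:", strict_match(UNSPECIFIED, req))
    print("normalized:", normalized_match(UNSPECIFIED, req))
```

The normalized comparison still rejects a request whose explicit `Format` differs from the one recorded for the session.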