By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
This fixes checking for signed LogoutResponse during SLO scenarios when the app posts the response via POST. In such situation the code was still trying to load the signature from query and was failing to do so.
Testing
Set up SAML SLO with 2 applications:
Set up applications in Auth0 with SLO configured and a custom signing certificate as per docs page.
Set up two applications to sign their requests with a self-signed certificate.
Set up the applications to send their requests via POST, but leave the settings on Auth0 side by default (which would use Redirect to send the responses to the apps - note that mixed bindings are fully allowed by the spec).
Log into both applications.
Initiate a Single Log Out.
Expected results after this PR:
The SLO should complete and it should be visible in browser dev tools that the app sends signed responses across all SAML requests.
Actual results before this PR:
The second session participant app LogoutResults fails the verification on the IDP side (this lib).
[x] This change adds test coverage for new/changed/fixed functionality
Checklist
[x] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
[x] All active GitHub checks for tests, formatting, and security are passing
[x] The correct base branch is being used, if not the default branch
By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
This fixes checking for signed LogoutResponse during SLO scenarios when the app posts the response via POST. In such situation the code was still trying to load the signature from query and was failing to do so.
Testing
Set up SAML SLO with 2 applications:
Expected results after this PR:
The SLO should complete and it should be visible in browser dev tools that the app sends signed responses across all SAML requests.
Actual results before this PR:
The second session participant app LogoutResults fails the verification on the IDP side (this lib).
Checklist