SAML Logout Response does not get signed when using the IDP intiated login and SP initiated logout

[deshankoswatte]

Describe the issue:

When a SAML flow is executed with IDP initiated login and SP initiated logout, the SAML Logout Response does not get signed even if it is marked to be signed in the service provider configurations.

How to reproduce:

• Configure a SAML application in the WSO2 Identity Server. With configurations such as follows.

• Execute an IDP initiated SAML flow with a URL such as the follows. With the SAML trace enabled.

https://localhost:9443/samlsso?spEntityID=saml2-web-app-pickup-manager.com

• Perform the logout from the application and observe the SAML Response received at the applications end. The response is not signed as follows.

<saml2p:LogoutResponse Destination="http://localhost.com:8080/saml2-web-app-pickup-manager.com/home.jsp"
                       ID="_c407ef962a18eab80e21b6b7ad8ffe1d"
                       InResponseTo="gdckoagnpekmnbnpdmalggnablgggnfgedlgihll"
                       IssueInstant="2023-07-07T08:56:25.558Z"
                       Version="2.0"
                       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                       >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >localhost</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
</saml2p:LogoutResponse>

This is because we have missed to set the doSignResponse parameter at [1]. This should get fixed if we include the section spDO.setDoSignResponse(authnReqDTO.isDoSignResponse()) at [1].

[1] - https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/v5.8.19/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java#L125-L143

Expected behavior:

The logout request should be signed because the configuration is set to do so and the Logout response should look similar to the below.

<saml2p:LogoutResponse Destination="http://localhost.com:8080/saml2-web-app-pickup-manager.com/home.jsp"
                       ID="_ed04632c6301f27651a4ebe655c53b0f"
                       InResponseTo="kbgjdbihfnllnnfbakhpkpbjjkpcpcibggnhplop"
                       IssueInstant="2023-07-07T08:58:15.590Z"
                       Version="2.0"
                       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                       >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >localhost</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_ed04632c6301f27651a4ebe655c53b0f">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>TKgA/BPkQN4Ak2H/j31XSUdRoUk=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Cn7bDywDHMdqrn/poyRyAoNC4RMinpI5ufTKOG7ZmOF5qki0Hgb/QPLBSYuGSio/CnfRmmavz1Po2psLd1v1OJl6XZuCkrAk8mhgltZGMEieVA8pMJvWXKXA7fH/piOMtSeNF6I/eIxG+cTlEZ1JvYxCZb1g2Ml4mDVpbGLm1vbzVW1Wv8rxT7+upxQmFUe8Z9gri++21QEPb66oJ196xvSSljrv/QdxVhmHSBLC7KM60n5Abo2KZzDCQKfj3qJfw+G+Xs7+Y7nZYloG6zAIICfTXjehUQ9gE/OfiW5CJf5zjY4OZVcgGva2S/aFVM5AdNJJ6s60wKttfhQxfCit0g==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDqTCCApGgAwIBAgIEXbABozANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxDTALBgNVBAsMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xOTEwMjMwNzMwNDNaFw0yMjAxMjUwNzMwNDNaMGQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjENMAsGA1UECwwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxeqoZYbQ/Sr8DOFQ+/qbEbCp6Vzb5hzH7oa3hf2FZxRKF0H6b8COMzz8+0mvEdYVvb/31jMEL2CIQhkQRol1IruD6nBOmkjuXJSBficklMaJZORhuCrB4roHxzoG19aWmscA0gnfBKo2oGXSjJmnZxIh+2X6syHCfyMZZ00LzDyrgoXWQXyFvCA2ax54s7sKiHOM3P4A9W4QUwmoEi4HQmPgJjIM4eGVPh0GtIANN+BOQ1KkUI7OzteHCTLu3VjxM0sw8QRayZdhniPF+U9n3fa1mO4KLBsW4mDLjg8R/JuAGTX/SEEGj0B5HWQAP6myxKFz2xwDaCGvT+rdvkktOwIDAQABo2MwYTAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFEDpLB4PDgzsdxD2FV3rVnOr/A0DMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjALBgNVHQ8EBAMCBPAwDQYJKoZIhvcNAQELBQADggEBAE8H/axAgXjt93HGCYGumULW2lKkgqEvXryP2QkRpbyQSsTYcL7ZLSVB7MVVHtIsHh8f1C4Xq6Qu8NUrqu5ZLC1pUByaqR2ZIzcj/OWLGYRjSTHSVmVIq9QqBq1j7r6f3BWqaOIiknmTzEuqIVlOTY0gO+SHdS62vr2FCz4yOrBEulGAvomsU8sqg4PhFnkhxI4M912Ly+2RgN9L7AkhzK+EzXY1/QtlI/VysNfS6zrHasKz6CrKKCGqQnBnSvSTyF9OR5KFHnkAwE995IZrcSQicMxsLhTMUHDLQ/gRyy7V/ZpDMfAWR+5OeQiNAp/bG4fjJoTdoqkul51+2bHHVrU=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
</saml2p:LogoutResponse>

Environment information (Please complete the following information; remove any unnecessary fields) :

• Product Version: IS 5.11.0.240
• OS: Ubuntu 20.04.3 LTS
• Database: H2
• Userstore: LDAP

---

[ImalshaG]

Closing this as the update is released.