
I am sending a LogoutRequest from SP-initiated SLO to the IdP. Ping is used as the Identity Provider, and on Ping I am getting an error which says "Signature Required", while there is a signature in the LogoutRequest. Through some research I found that if the Redirect binding is used, the Signature should be sent as a query parameter. How do I change the binding protocol of the LogoutRequest to HTTP-POST?

http://idpendppointURL.com/idp/SLO.saml2?SAMLRequest="...."&RelayState="...."

How do I add the Signature as a query parameter when the URL is getting really long with the REDIRECT binding?

Edited on 12th May 2014 9:54 PM CST

I figured out how to add the Signature as a query parameter from the OASIS SAML SLO specification, but now I get the error "Invalid Signature" from Ping.

yogsma
  • What product do you use for implementing the SP? – Vladimír Schäfer May 12 '14 at 19:43
  • Not sure if I get what you mean. It's a web application written in Java. – yogsma May 12 '14 at 19:50
  • I'm trying to understand whether your Java application uses some product or library which helps it to create and send the LogoutRequest. Without this information it's impossible to make any advice on how to send the LogoutRequest using a different binding. – Vladimír Schäfer May 12 '14 at 19:55
  • I am creating the LogoutRequest programmatically. – yogsma May 12 '14 at 19:55
  • I resolved this issue. It was an issue with the certificate to be used in the "Signature Verification Settings" of the SP Connection in Ping. The certificate to be used should be the public key of the certificate used to sign the LogoutRequest. – yogsma May 13 '14 at 18:32

1 Answer


You can find all details on how to send messages using different bindings in the SAML 2.0 bindings part of the SAML 2.0 standard.

For details on how to attach signature to a message sent using HTTP-Redirect binding see chapter 3.4.

The supported length of redirect URL is unpredictable and HTTP-Redirect should only be used for relatively small messages. As you need to fit in more data, you'll have to switch to another binding, such as HTTP-POST.

In order to implement the HTTP-POST binding, you will need to change the way your application sends the message by following rules which are again defined in the standard (chapter 3.5).

You might also consider using one of the SAML libraries which simplify the task of implementing SAML 2.0 functionality and include support for all the bindings, such as OpenSAML, Spring SAML, or tools provided by Ping.

The "Invalid Signature" error you're getting means what it says: the signature wasn't correctly constructed. If you want to write the signature creation from scratch, make sure to follow the instructions exactly as defined in the standard; any small mistake will make your implementation invalid.

Vladimír Schäfer
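The answer points at section 3.4.4.1 of the SAML 2.0 Bindings specification without showing what the signed HTTP-Redirect message actually looks like. The following is an added example (not code from the question, the answer, Ping, or any SAML library) that builds a signed SP-initiated LogoutRequest for the HTTP-Redirect binding and then verifies it the way an IdP would: the message is DEFLATE-compressed and base64-encoded, the string that gets signed is exactly `SAMLRequest=<enc>&RelayState=<enc>&SigAlg=<enc>` with the URL-encoded values in that fixed order, and the `Signature` parameter is the base64 RSA-SHA256 signature of that string, URL-encoded. The verifier reconstructs the signed string from the raw (still encoded) query values rather than re-encoding decoded ones, which is the usual source of "Invalid Signature" when the two sides encode differently. It also shows the two failure modes from the question: a URL with no `Signature` parameter ("Signature Required") and a tampered RelayState. The LogoutRequest XML, the `example.com` endpoints and the freshly generated RSA key are constructed placeholders; the `cryptography` package is assumed to be installed.

```python
"""Signed SAML 2.0 HTTP-Redirect binding (Bindings spec 3.4.4.1), round-tripped."""
import base64
import zlib
from urllib.parse import quote, unquote, urlsplit

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample message: IDs, issuer and the IdP URL are placeholders, not real endpoints.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id-1" Version="2.0" '
    'IssueInstant="2014-05-12T21:54:00Z" Destination="https://idp.example.com/idp/SLO.saml2">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user@example.com</saml:NameID></samlp:LogoutRequest>'
)


def deflate_b64(xml):
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as 3.4.4.1 requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value):
    """Inverse of deflate_b64: base64-decode, then inflate the raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_input(saml_request_enc, relay_state_enc, sig_alg_enc):
    """The exact string that is signed: URL-encoded values, in this fixed order."""
    parts = ["SAMLRequest=" + saml_request_enc]
    if relay_state_enc is not None:
        parts.append("RelayState=" + relay_state_enc)
    parts.append("SigAlg=" + sig_alg_enc)
    return "&".join(parts)


def build_redirect_url(idp_slo_url, xml, relay_state, private_key):
    """SP side: encode the message, sign the query string, append Signature."""
    req_enc = quote(deflate_b64(xml), safe="")
    rs_enc = quote(relay_state, safe="") if relay_state is not None else None
    alg_enc = quote(RSA_SHA256, safe="")
    to_sign = signed_input(req_enc, rs_enc, alg_enc)
    sig = private_key.sign(to_sign.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    sig_enc = quote(base64.b64encode(sig).decode("ascii"), safe="")
    return idp_slo_url + "?" + to_sign + "&Signature=" + sig_enc


def raw_query_params(url):
    """Split the query WITHOUT decoding values: the signature covers the encoded form."""
    out = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        out[unquote(name)] = value
    return out


def verify_redirect_url(url, public_key):
    """IdP side: check the detached signature, then return the inflated XML.

    Raises ValueError when Signature/SigAlg are missing or unsupported and
    cryptography.exceptions.InvalidSignature when the signature does not verify.
    """
    raw = raw_query_params(url)
    if unquote(raw.get("SigAlg", "")) != RSA_SHA256:
        raise ValueError("unsupported or missing SigAlg")
    if "Signature" not in raw:
        raise ValueError("Signature required")  # the first error the question reports
    to_verify = signed_input(raw["SAMLRequest"], raw.get("RelayState"), raw["SigAlg"])
    sig = base64.b64decode(unquote(raw["Signature"]))
    public_key.verify(sig, to_verify.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return inflate_b64(unquote(raw["SAMLRequest"]))


def demo():
    """Returns (round_trip_ok, unsigned_rejected, tamper_detected)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()  # the IdP must hold THIS key's certificate, not some other one
    url = build_redirect_url("https://idp.example.com/idp/SLO.saml2", LOGOUT_REQUEST, "/app/home", key)
    round_trip_ok = verify_redirect_url(url, pub) == LOGOUT_REQUEST
    try:
        verify_redirect_url(url.split("&Signature=")[0], pub)
        unsigned_rejected = False
    except ValueError:
        unsigned_rejected = True
    tampered = url.replace("RelayState=%2Fapp%2Fhome", "RelayState=%2Fapp%2Fevil")
    try:
        verify_redirect_url(tampered, pub)
        tamper_detected = False
    except InvalidSignature:
        tamper_detected = True
    return round_trip_ok, unsigned_rejected, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Two details matter for interoperability with an IdP such as Ping: the signature is over the URL-encoded query values (so sign the same bytes you put on the wire, and verify against the raw query, not a re-encoded copy), and the verifying certificate configured on the IdP must correspond to the private key that signed the request. If the query grows past what the browser or IdP will accept, the answer's advice applies: move the LogoutRequest to the HTTP-POST binding, where the signature is an enveloped XML Signature inside the message rather than a query parameter.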