OpenAM as single sign-on in Redmine is working for me, but I can't sign out from Redmine. This is the error I get:

HTTP Status 400 - Error processing LogoutRequest. Single Logout Response Service location not found.

The config file is:

```ruby
Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "http://xxxxx/redmine/auth/saml/callback", # The redmine application hostname
    :issuer                         => "Redmine",                 # The issuer name
    :idp_sso_target_url             => "http://xxxxxx:8080/openam/SSORedirect/metaAlias/idp1", # SSO login endpoint
    :idp_cert_fingerprint           => "DE:xxxx", # SSO ssl certificate fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    :signout_url                    => "http://oxxxx:8080/openam/IDPSloPOST/metaAlias/idp1",
    :idp_slo_target_url             => "http://xxxxxx:8080/openam/IDPSloRedirect/metaAlias/idp1",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
      # How will we map attributes from SSO to redmine attributes
      :login      => 'extra.raw_info.username',
      :firstname  => 'extra.raw_info.first_name',
      :lastname   => 'extra.raw_info.last_name',
      :mail       => 'extra.raw_info.email'
    }
  }
end
```

Please help me fix it.

Holger Just

1 Answer

Your Ruby app protected by omniauth is not defining any Single Logout Service URL, so if there is any SLO flow, the IdP doesn't know where to send the LogoutRequest / LogoutResponse.

ruby-saml defines it as 'assertion_consumer_logout_service_url' or 'single_logout_service_url', and here is how the ruby-saml toolkit processes an SLO.

Sadly, omniauth does not support this feature yet, but there is a PR that you can apply.

smartin
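
Added example, not part of the answer above or of any project's code: a Ruby check, using only REXML, of whether an SP's SAML metadata declares a SingleLogoutService endpoint for a given binding. It assumes the IdP takes the logout address from the SP metadata registered with it; the metadata, the redmine.example host and the /slo path are constructed for illustration.

```ruby
require 'rexml/document'

MD_NS    = 'urn:oasis:names:tc:SAML:2.0:metadata'
REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
POST     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

# Constructed SP metadata; redmine.example and the /slo path are hypothetical.
def sp_metadata(slo_element = '')
  <<~XML
    <md:EntityDescriptor xmlns:md="#{MD_NS}" entityID="Redmine">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        #{slo_element}
        <md:AssertionConsumerService index="0" Binding="#{POST}"
            Location="http://redmine.example/redmine/auth/saml/callback"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

SLO_ELEMENT = %(<md:SingleLogoutService Binding="#{REDIRECT}" ) +
              %(Location="http://redmine.example/redmine/auth/saml/slo"/>)

# List the SingleLogoutService endpoints the SP metadata declares.
def slo_endpoints(metadata_xml)
  doc = REXML::Document.new(metadata_xml)
  path = '//md:SPSSODescriptor/md:SingleLogoutService'
  REXML::XPath.match(doc, path, { 'md' => MD_NS }).map do |el|
    location = el.attributes['Location']
    # ResponseLocation is optional; responses go to Location when it is absent.
    { binding: el.attributes['Binding'], location: location,
      response_location: el.attributes['ResponseLocation'] || location }
  end
end

# Explain why an IdP could not deliver logout messages over the given binding.
def slo_findings(metadata_xml, binding)
  endpoints = slo_endpoints(metadata_xml)
  return ['no SingleLogoutService endpoint declared'] if endpoints.empty?
  return [] if endpoints.any? { |e| e[:binding] == binding }
  ["no SingleLogoutService endpoint for binding #{binding}"]
end

if __FILE__ == $PROGRAM_NAME
  puts slo_findings(sp_metadata, REDIRECT)                      # SP without any SLO endpoint
  puts slo_findings(sp_metadata(SLO_ELEMENT), REDIRECT).inspect # SP with a Redirect SLO endpoint
end
```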