The SAML specification says the following: "The message MUST be signed if the HTTP POST or Redirect binding is used." and the same for LogoutResponse. But when I look at the settings in different identity providers (OneLogin, Auth0, Duo, Azure AD) I see that they don't require a certificate from service providers for single logout (I found only one exception, and it's Okta). Probably I don't understand the concept or am missing something, so I'm asking you, the Stack Overflow community, to help me with this situation.
Your understanding is correct. The SAML specification states that SAML logout messages must be signed. However, not all SAML providers support SAML logout and, of those that do, not all support signing the SAML logout messages. If a logout message isn't signed, this means a 3rd party could cause a logout to occur. This would be a nuisance, but I'm not sure if it's a security risk. If you're looking for maximum interoperability, I recommend making the signing of SAML logout messages configurable so you can vary the behavior depending on the partner provider.

ComponentSpace
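An SP-side check along the lines the answer recommends, as an added example that is not from the question, the answer or any SAML product: the signing requirement is configured per partner IdP, an unsigned LogoutRequest/LogoutResponse is honoured only when that partner's policy tolerates it, and the cryptographic verification itself is delegated to a caller-supplied function (assumed to come from the deployment's XML-DSig library). The `Partner` class, the function names and the issuer URLs used in testing are assumptions; the signed-octet layout for the Redirect binding (`SAMLRequest=..&RelayState=..&SigAlg=..` over the raw percent-encoded values) is the binding's own rule.

```python
import base64, zlib
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import unquote
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

@dataclass
class Partner:
    """Per-IdP policy (assumed structure): may this partner send unsigned logout messages?"""
    require_signed_logout: bool

def logout_issuer(xml_bytes: bytes) -> str:
    """Return the Issuer of a LogoutRequest/LogoutResponse; reject any other message type."""
    root = ET.fromstring(xml_bytes)
    if root.tag not in (SAMLP + "LogoutRequest", SAMLP + "LogoutResponse"):
        raise ValueError("not a SAML logout message")
    issuer = root.find(SAML + "Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("logout message carries no Issuer")
    return issuer.text.strip()

def accept_post_logout(saml_b64: str, partners: Dict[str, Partner],
                       verify_xmldsig: Callable[[bytes], bool]) -> bool:
    """HTTP-POST binding: the signature is an enveloped ds:Signature inside the XML."""
    xml_bytes = base64.b64decode(saml_b64)
    partner = partners.get(logout_issuer(xml_bytes))
    if partner is None:
        return False  # unknown Issuer: never act on the logout
    if ET.fromstring(xml_bytes).find(DSIG + "Signature") is None:
        return not partner.require_signed_logout  # unsigned: only if policy tolerates it
    return verify_xmldsig(xml_bytes)  # delegated to the deployment's XML-DSig library

def accept_redirect_logout(query: str, partners: Dict[str, Partner],
                           verify_sig: Callable[[str, bytes, bytes], bool]) -> bool:
    """HTTP-Redirect binding: the signature covers the raw, still percent-encoded query values."""
    raw = dict(p.partition("=")[::2] for p in query.split("&") if p)
    msg_key = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    xml_bytes = zlib.decompress(base64.b64decode(unquote(raw[msg_key])), -15)
    partner = partners.get(logout_issuer(xml_bytes))
    if partner is None:
        return False
    if "Signature" not in raw or "SigAlg" not in raw:
        return not partner.require_signed_logout
    # Signed octets per the binding: <msg>=..&RelayState=..&SigAlg=.. in exactly this order.
    signed = "&".join(f"{k}={raw[k]}" for k in (msg_key, "RelayState", "SigAlg") if k in raw)
    return verify_sig(unquote(raw["SigAlg"]), signed.encode(), base64.b64decode(unquote(raw["Signature"])))
```

Rebuilding the signed string from the sender's own encoding rather than re-encoding decoded values matters in practice: a verifier that re-encodes can reject valid signatures or, worse, accept a message whose RelayState was altered.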