It seems the commit 9347506 makes the SPNameQualifier optional on logout requests; in fact it always removes the attribute if the nameid is specified, and always inserts it when the nameid is not specified.
The SAML2 spec seems to indicate it should always be omitted in the second case, and may be provided in the first case:
8.3.6 Entity Identifier
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
Indicates that the content of the element is the identifier of an entity that provides SAML-based services
(such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service
provider supporting the browser SSO profile). Such an identifier can be used in the element to
identify the issuer of a SAML request, response, or assertion, or within the element to make
assertions about system entities that can issue SAML requests, responses, and assertions. It can also be
used in other elements and attributes whose purpose is to identify a system entity in various protocol
exchanges.
The syntax of such an identifier is a URI of not more than 1024 characters in length. It is
RECOMMENDED that a system entity use a URL containing its own domain name to identify itself.
The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted.
Is this commit correct? Maybe the condition has been reversed?
…fier and SPNameQualifier will be omitted. If the NameIdFormat is not entity and a NameQualifier is provided, then the SPNameQualifier will also be added. Update info related to LogoutRequest on the README
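An added example, not code from the project or the commit discussed above: a Python sketch of the rule quoted from section 8.3.6 combined with the behaviour the fix's commit message describes, plus a check that flags forbidden qualifier attributes in a LogoutRequest. The helper names, the sample request and its URLs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
QUALIFIERS = ("NameQualifier", "SPNameQualifier", "SPProvidedID")

# Constructed sample: an entity-format NameID that wrongly carries SPNameQualifier.
SAMPLE_BAD = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_x" Version="2.0">'
    f'<saml:NameID Format="{ENTITY_FORMAT}" SPNameQualifier="https://sp.example.com/metadata">'
    "https://idp.example.com/metadata</saml:NameID></samlp:LogoutRequest>"
)


def build_name_id(value, name_format=None, name_qualifier=None, sp_name_qualifier=None):
    """Build a saml:NameID for a LogoutRequest (hypothetical helper).

    Entity format: no qualifier attribute is emitted (SAML core 8.3.6).
    Other formats: SPNameQualifier is added only alongside a NameQualifier,
    as the commit message for the fix describes.
    """
    elem = ET.Element(f"{{{SAML_NS}}}NameID")
    elem.text = value
    if name_format:
        elem.set("Format", name_format)
    # Qualifiers are only legal when the format is not the entity format.
    if name_format != ENTITY_FORMAT and name_qualifier:
        elem.set("NameQualifier", name_qualifier)
        if sp_name_qualifier:
            elem.set("SPNameQualifier", sp_name_qualifier)
    return elem


def entity_format_violations(logout_request_xml):
    """Return the qualifier attributes that 8.3.6 forbids on entity-format NameIDs."""
    # Meant for linting requests your own SP generates; use defusedxml for untrusted XML.
    root = ET.fromstring(logout_request_xml)
    found = []
    for name_id in root.iter(f"{{{SAML_NS}}}NameID"):
        if name_id.get("Format") == ENTITY_FORMAT:
            found.extend(a for a in QUALIFIERS if name_id.get(a) is not None)
    return found
```
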