Symantec Access Management

  • 1.  Siteminder IDP integration with Shibboleth SP

    Posted Apr 01, 2015 09:00 AM

    Hi All,

     

    We have integrated Siteminder as IDP with Shibboleth as SP, and it's working as expected. However, we are facing issues when logging out: the logout process stops by displaying an error on the screen, "An error occurred during the logout process. Please close your browser".

     

    When I saw the SAML tracer, the request is reaching Siteminder's 'saml2slo' and it's getting stopped.

     

    The error message in the log was "[SLOService.java][handleLogoutFailure][Signature is invalid on an SLO message. Session ID: ****************************** Issuer: SP:ShibSP]"

     

    We did not understand why the signature is invalid on SLO.

     

    Please share your thoughts here.

     

    Thank you,

    Sandeep.



  • 2.  Re: Siteminder IDP integration with Shibboleth SP

    Posted Apr 03, 2015 01:11 PM

    Don't have any specific words of wisdom... other than making sure the right cert/key combos are used. Just wanted to point to this thread where I'm having issues with authnrequest signing with SiteMinder as well.

     

    Authnrequest signing fails for some...anyone seen this?

     

    Still haven't figured it out yet. But same SP going to other non-SiteMinder IdP works perfect.

     

    Not sure if there's some broader signature validation issues or what. But in our testing it only happens on HTTP-Redirect. An HTTP-POST request validates the signature fine. Might be worth seeing if this behaves the same?



  • 3.  Re: Siteminder IDP integration with Shibboleth SP

    Posted Apr 06, 2015 08:20 AM

    We have made sure that the cert/key are the correct ones, and there is no issue at all while logging in. It logs in perfectly.

     

    Before integrating the App with Siteminder the same SP worked well with Shibboleth IDP.

     

    We are using HTTP-POST SSO binding for login (which validates the signature fine) and HTTP-Redirect binding for logout (here we get the error as stated above). If this is really an issue with HTTP-Redirect, then do we have any workaround?



  • 4.  Re: Siteminder IDP integration with Shibboleth SP

    Posted Apr 07, 2015 11:35 AM

    Have you tried HTTP-POST for the SLO to see if it's the same scenario (i.e., POST works but Redirect fails)?

     

    I haven't spent much time on this issue yet, but as of now there is no resolution for our authnrequest signing problem. It doesn't seem to be consistent because some work and some don't. Unfortunately it's also that these same ones work with other IdP setups but not SiteMinder (which from my experience is overall largely buggy).



  • 5.  Re: Siteminder IDP integration with Shibboleth SP

    Posted Apr 13, 2015 02:03 AM

    I'm thinking how do you POST for SLO...! However, there is no option for HTTP-POST binding in Siteminder to verify if that works.



  • 6.  Re: Siteminder IDP integration with Shibboleth SP

    Posted Apr 15, 2015 05:34 PM

    Sorry, just saw this update. At least in the SiteMinder IdP I have set up, I see the following options for SLO:

     

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myidp.com/affwebservices/public/saml2slo"/>

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myidp.com/affwebservices/public/saml2slo"/>

     

    When you export the metadata, there's an option for which Bindings to include for it. Make sure that HTTP-POST is there along with HTTP-Redirect. Then just have the SLO request try the POST.



  • 7.  Re: Siteminder IDP integration with Shibboleth SP
    Best Answer

    Posted May 01, 2015 03:52 AM

    Hey,

     

    After all the hard work, I have fixed this issue with HTTP-Redirect as the binding.

     

    The issue was with the certificate. When I uploaded the correct certificate at the Shibboleth side and applied the same cert for Signature Processing in Siteminder, it successfully logged out without any error.

     

    Regards,

    Sandeep.
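
Added example, not part of the thread and not SiteMinder or Shibboleth code: a sketch of how an HTTP-Redirect signature is built and checked per the SAML 2.0 bindings specification, showing that verification fails when the verifier holds a different key than the signer, and also when the query string is re-encoded before checking. The toy RSA keys (built from Mersenne primes, insecure), the sample LogoutRequest, the sp.example URL and all function names are constructed for illustration.

```python
import base64, hashlib, zlib
from urllib.parse import quote, unquote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def toy_key(a, b, e=65537):
    """Constructed demo key from two Mersenne primes; insecure, illustration only."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa(msg, n):
    # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), sized to the modulus
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, msg):
    em = _emsa(msg, key["n"])
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(len(em), "big")

def rsa_verify(key, msg, sig):
    em, s = _emsa(msg, key["n"]), int.from_bytes(sig, "big")
    return s < key["n"] and pow(s, key["e"], key["n"]).to_bytes(len(em), "big") == em

def build_signed_query(key, xml, relay_state=None):
    """SP side: sign 'SAMLRequest=..[&RelayState=..]&SigAlg=..' exactly as sent."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    req = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    parts = ["SAMLRequest=" + quote(req, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(RSA_SHA256, safe=""))
    signed = "&".join(parts)
    sig = base64.b64encode(rsa_sign(key, signed.encode())).decode()
    return signed + "&Signature=" + quote(sig, safe="")

def verify_query(key, query):
    """IdP side: verify over the raw query octets; never decode and re-encode them."""
    raw = dict(p.split("=", 1) for p in query.split("&"))
    order = ("SAMLRequest", "RelayState", "SigAlg")
    signed = "&".join(f"{k}={raw[k]}" for k in order if k in raw)
    return rsa_verify(key, signed.encode(), base64.b64decode(unquote(raw["Signature"])))

# Constructed sample: a minimal LogoutRequest and two unrelated toy keys
SP_KEY, OTHER_KEY = toy_key(521, 607), toy_key(607, 1279)
LOGOUT = '<samlp:LogoutRequest ID="_constructed1" Version="2.0"/>'
QUERY = build_signed_query(SP_KEY, LOGOUT, relay_state="https://sp.example/after-logout")

if __name__ == "__main__":
    print("matching key: ", verify_query(SP_KEY, QUERY))
    print("different key:", verify_query(OTHER_KEY, QUERY))
    print("re-encoded:   ", verify_query(SP_KEY, QUERY.replace("%3A", "%3a")))
```

In the POST binding the signature is instead carried inside the XML message, so the two bindings exercise different verification code paths even when the same key pair is used.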



  • 8.  Re: Siteminder IDP integration with Shibboleth SP

    Posted Feb 10, 2018 04:18 PM

    I seem to be struggling with the same issue. I use CA SSO Admin UI to generate the SP certificate, then I export it and put it in my OneLogin handcrafted SP, and this is failing with the same error. Would you point me to what was wrong with your certificate?