Hi MacRae,

Thanks for reporting this. There seems to be an issue in the code base where the request signature validation is ignored for logout requests. I have created [1] to track this issue. We will address the issue in the upcoming release.

[1] - https://github.com/wso2/product-is/issues/4048

Thanks,
Omindu.

On Tue, Nov 27, 2018 at 6:34 AM MacRae Linton <[email protected]> wrote:

> Hi All,
>
> Pardon me if this is not the right place to ask this kind of question.
> I've been struggling to get the WSO2 Identity Server set up correctly to use
> SAML for the last couple weeks and have hit a new wall.
>
> I have a single service provider with SAML inbound authentication
> configured. I have the "Enable Signature Validation in Authentication
> Requests and Logout Requests" checkbox checked. And so, if I send an
> AuthnRequest that is not properly signed, it will error. However, if I send
> a LogoutRequest with no signature (or with a signature made from a
> completely different cert/key), it will log my user out without error. How
> can I enable actual signature validation in WSO2 IS?
>
> Cheers,
>
> -MacRae Linton
> TrussWorks
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
