Forum Discussion
THi_89722
Nimbostratus
NimbostratusSAML SLO NameQualifier and SPNameQualifier attributes missing
We have external SAML 2 IdP which requires NameQualifier and SPNameQualifier attributes in NameID element set in the SAML LogoutRequest (SLO), like:
NameQualifier="https://xxx.yyy.com/idp"
...
Support for NameQualifier and SPNameQualifier is added in BIG-IP APM v13.1. This version will be released very shortly.
Michael_Koyfman
Cirrocumulus
CirrocumulusCan you please share which IDPs require the use of these attributes? They are optional attributes that are currently not supported by SLO configuration of APM. Please open a case with F5 support and request an RFE to support them, and provide as much information as possible, including the IDPs that use them(and any information as to why they are used). Thanks!
THiThe IdP is a large public authority (state population registry). The IdP is based on Shibboleth.
The request identifies the principal to be logged out using a NameID element, as well as providing a SessionIndex element to uniquely identify the session being closed.
https://issues.liferay.com/browse/LPS-45684
"LogoutRequest NameID should include NameQualifier and/or SPNameQualifier provided by the IdP in it's Response NameID. Some IdPs such as Shibboleth might not otherwise be able find the correct session to logout."
Also for Azure https://azure.microsoft.com/en-us/documentation/articles/active-directory-single-sign-out-protocol-reference/
"The value of the NameID element must exactly match the NameID of the user that is being signed out."
MarvinIs the Name-Identifier Policy Format available in version 13.1.0.8 I dont see this option but I need this setting to be on version 2.0. I do see the Service Provider Name Qualifier option.