Disable encryption of SAML logout requests

By default, when operating as an IDP Proxy, with Ubisecure SSO acting as a SAML SP, SAML2 logout requests to a third-party IDP are signed and encrypted, if a public key is provided in the metadata of the IDP. Some providers may not support this secure configuration, which potentially protects the personal information of the user (NameID) in the LogoutRequest message.

If after careful consideration, you still want to disable encryption of SAML logout messages, the guide is below.

Step-by-step guide

To disable encryption of logout requests, it is necessary to modify the metadata of the authentication method for the IDP.

If there is a KeyDescriptor element without a use attribute like so:

this must be changed to 

which effectively disables encryption, because there are then no encryption keys available.

If there is a Keydescriptor with use="encryption", this must be removed.

If no use attribute is specified, the same key is used for both signing and encryption.

In this configuration, the SAML2 response and the logoutrequest are both only signed, not encrypted. 

Related articles

• Page:
  Get roles from both CustomerID and SAML federation using authorization policy
• Page:
  How to log and trace OAuth2 and OpenID Connect HTTP messages
• Page:
  Disable assertion encryption
• Page:
  Passwordless login methods
• Page:
  Change the hostname of a CustomerID installation