Why does PicketLink not include NameID format in SAML 2 LogoutRequest when running in JBoss EAP 6/7 ?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 6.4.x
- 7.1.x
Issue
Why does PicketLink not include NameID format in SAML 2 LogoutRequest when running in JBoss EAP 6/7 ?
- I have an application that uses Picketlink to set up a SAML2 SSO login with Microsoft Active Directory Federation Services (ADFS)
- I can successfully log in
- When attempting to log out, this is unsuccessful, because the SAML2 LogoutRequest generated by PicketLink does not include a "Format" attribute in the "NameID" element. This causes ADFS to view the request as invalid and causes the logout request to be rejected.
Resolution
This issue is currently scheduled to be resolved as part of JBoss EAP 6.4.9 and JBoss EAP 7.1.5.
Root Cause
- The LogoutRequest built by SAML2LogoutHandler needs to carry the Format attribute on its NameID. SAML 2.0 Core makes Format optional (when it is omitted, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is in effect), but the Single Logout profile requires the NameID in a LogoutRequest to strongly match the NameID from the authentication assertion, Format included. Third-party implementations such as Shibboleth and Microsoft ADFS enforce that rule, so a LogoutRequest whose NameID omits the Format they issued in the assertion is rejected as not matching any session.
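To see the mismatch concretely when reading a SAML trace, the following added example (written for this article, not PicketLink's own code) compares the NameID in a LogoutRequest against the NameID that the IdP issued in the assertion, reports why an IdP applying the strong-match rule would reject it, and rewrites the NameID so it matches. The XML messages, IDs and URLs are constructed samples; the corrective function assumes the assertion's NameID was retained at login and is available when the LogoutRequest is built.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NAMEID = "{%s}NameID" % SAML

# Constructed sample: the NameID as the IdP issued it in the Subject of the
# authentication assertion (value and attributes are made up).
ASSERTION_NAMEID = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "alice@example.com</saml:NameID>"
)

# Constructed sample: a LogoutRequest in the shape described in the issue,
# with no Format attribute on its NameID. ID, timestamps and URLs are made up.
BROKEN_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_11111111-2222-3333-4444-555555555555"
    Version="2.0"
    IssueInstant="2018-01-01T00:00:00Z"
    Destination="https://adfs.example.com/adfs/ls/">
  <saml:Issuer>https://sp.example.com/app/</saml:Issuer>
  <saml:NameID>alice@example.com</saml:NameID>
  <samlp:SessionIndex>_abc123</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def nameid_problems(logout_request_xml, assertion_nameid_xml):
    """Return the reasons an IdP that requires a strong NameID match
    (Format, qualifiers and value) would reject this LogoutRequest."""
    req = ET.fromstring(logout_request_xml)
    issued = ET.fromstring(assertion_nameid_xml)
    nameid = req.find(NAMEID)
    if nameid is None:
        return ["LogoutRequest has no saml:NameID"]
    problems = []
    if nameid.get("Format") is None:
        # Per SAML Core an absent Format means ...:unspecified; ADFS and
        # Shibboleth still reject it if the assertion carried a Format.
        problems.append("NameID has no Format attribute")
    # Every attribute the IdP put on the issued NameID must be echoed back.
    for attr, value in issued.attrib.items():
        if attr == "Format" and nameid.get("Format") is None:
            continue  # already reported above
        if nameid.get(attr) != value:
            problems.append("NameID %s differs from the assertion (%r != %r)"
                            % (attr, nameid.get(attr), value))
    if (nameid.text or "").strip() != (issued.text or "").strip():
        problems.append("NameID value differs from the assertion")
    return problems


def fix_nameid(logout_request_xml, assertion_nameid_xml):
    """Return the LogoutRequest with its NameID replaced by the issued one,
    so that value, Format and any qualifiers match the assertion exactly."""
    req = ET.fromstring(logout_request_xml)
    issued = ET.fromstring(assertion_nameid_xml)
    nameid = req.find(NAMEID)
    if nameid is None:
        raise ValueError("LogoutRequest has no saml:NameID")
    nameid.attrib.clear()
    nameid.attrib.update(issued.attrib)
    nameid.text = issued.text
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    print(nameid_problems(BROKEN_LOGOUT_REQUEST, ASSERTION_NAMEID))
    print(fix_nameid(BROKEN_LOGOUT_REQUEST, ASSERTION_NAMEID))
```

The rewrite has to happen before the LogoutRequest is signed: changing the NameID of an already signed request invalidates its XML signature, which the IdP will then reject for a different reason.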
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.