Page tree
Skip to end of metadata
Go to start of metadata

By default, when operating as an IDP Proxy, with Ubisecure SSO acting as a SAML SP, SAML2 logout requests to a third-party IDP are signed and encrypted, if a public key is provided in the metadata of the IDP. Some providers may not support this secure configuration, which potentially protects the personal information of the user (NameID) in the LogoutRequest message.

If after careful consideration, you still want to disable encryption of SAML logout messages, the guide is below.

Step-by-step guide

To disable encryption of logout requests, it is necessary to modify the metadata of the authentication method for the IDP.

If there is a KeyDescriptor element without a use attribute like so:

<md:KeyDescriptor>

this must be changed to 

<md:KeyDescriptor use="signing">

which effectively disables encryption, because there are then no encryption keys available.

If there is a Keydescriptor with use="encryption", this must be removed.

If no use attribute is specified, the same key is used for both signing and encryption.

In this configuration, the SAML2 response and the logoutrequest are both only signed, not encrypted.