SAML logout request signature does not function as expected

[omindu]

Logout request signature validation is skipped at [1] due to logoutReqIssuer not being populated properly.

The logoutReqIssuer information is retrieved base on what's stored during the authentication at [2]. The created SAMLSSOServiceProviderDO lacks information which requires to validate SAML logout response (eg: logout validation config, SP certificate, etc). Need to check the feasibility of using the SAMLSSOServiceProviderDO object created at [3] instead of creating a new object.

[1] - https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/ee338982c1add8f75f1132a6b3bacb30cee7989b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java#L130
[2] - https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/master/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java#L142
[3] - https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/master/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java#L54

[isharak]

Thank you for your contribution!
We are closing this issue since it has not been prioritized for a long time. Chances are that it has already been solved in more recent versions. If not, we will be re-evaluating this when it becomes a priority.