python-saml: samlp:LogoutResponse signature verification fails with ADFS

Hello,

I have an issue with my ADFS infrastructure: When I try to use the Single Sign-Out functionality of the python-saml library, I get an error saying that 'Signature validation failed. Logout Response rejected'.

I don't think it's a certificate issue because the login (samlp:AuthnRequest) works well and stops working (as expected) if I set a wrong certificate.

The StatusCode I get from the server is <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> so my guess is that the issue is really on the SP side.

The binding is set to Redirect on both SP and IDP sides.

Here is a sample of a logout request/response:

<samlp:LogoutRequest ID="ONELOGIN_xyzxyz" Version="2.0" IssueInstant="2016-05-18T18:58:23Z" Destination="https://ad.corp.company.com/adfs/ls">
<saml:Issuer>https://app.sp.io/saml2/metadata/</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@company.com</saml:NameID>
<samlp:SessionIndex>_xyz-xyz-xyz</samlp:SessionIndex>
</samlp:LogoutRequest>
<samlp:LogoutResponse ID="_xyz-xyz-xyz" Version="2.0" IssueInstant="2016-05-18T18:58:23.687Z" Destination="https://app.sp.io/saml2/sls/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_xyzxyz">
<Issuer>http://ad.corp.company.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
</samlp:LogoutResponse>

With other query parameters:

*SAMLResponse:* fZLNasMwEIR...
*RelayState:* https://app.sp.io:8000/logout/
*Signature:* oAI7sHX6jdCio...
*SigAlg:* http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

I also tried with http://www.w3.org/2000/09/xmldsig#sha1 without success. Any idea why the SLS signature verification would fail?

Thank you!
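Added here as an illustration (not the reporter's code, nor python-saml's): the HTTP-Redirect binding signs the URL-encoded SAMLResponse, RelayState and SigAlg values joined in that exact order, so the SP must verify over the octets exactly as they arrived in the query string. The block rebuilds that signed input from a SAMLResponse constructed out of the LogoutResponse above (the real values are truncated on the page) and shows how decoding and re-encoding the parameters with a different percent-encoding policy changes the bytes, which is one way a valid IdP signature ends up rejected on the SP side; the RSA key check itself is not modelled since the standard library has no RSA.

```python
import base64
import zlib
from urllib.parse import quote, unquote

# Constructed sample: the LogoutResponse from the report, with its namespace declared so it is well-formed.
LOGOUT_RESPONSE_XML = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_xyz-xyz-xyz" Version="2.0" IssueInstant="2016-05-18T18:58:23.687Z" '
    'Destination="https://app.sp.io/saml2/sls/" InResponseTo="ONELOGIN_xyzxyz">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>'
)
RELAY_STATE = "https://app.sp.io:8000/logout/"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_redirect_message(xml: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_redirect_message(b64: str) -> str:
    """Inverse of encode_redirect_message, as an SP would do before parsing the XML."""
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def idp_signed_octets(saml_response: str, relay_state: str, sig_alg: str) -> bytes:
    """What the IdP signs: SAMLResponse, RelayState (if any), SigAlg; each URL-encoded, in that order."""
    parts = ["SAMLResponse=" + quote(saml_response, safe="")]
    if relay_state:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts).encode()

def _raw_params(raw_query: str) -> dict:
    """Split the query string without percent-decoding anything."""
    return dict(pair.partition("=")[::2] for pair in raw_query.split("&"))

def sp_signed_octets_correct(raw_query: str) -> bytes:
    """Correct SP side: reuse the encoded values exactly as received, in the mandated order."""
    p = _raw_params(raw_query)
    parts = ["SAMLResponse=" + p["SAMLResponse"]]
    if "RelayState" in p:
        parts.append("RelayState=" + p["RelayState"])
    parts.append("SigAlg=" + p["SigAlg"])
    return "&".join(parts).encode()

def sp_signed_octets_reencoded(raw_query: str) -> bytes:
    """Fragile SP side: decode, then re-encode with quote()'s default safe='/', which changes URL-valued params."""
    p = {k: unquote(v) for k, v in _raw_params(raw_query).items()}
    return "&".join(k + "=" + quote(p[k]) for k in ("SAMLResponse", "RelayState", "SigAlg")).encode()
```

Feeding the two SP-side byte strings to the same RSA-SHA256 verification would accept the first and reject the second, even though the IdP's signature is valid.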

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 19 (18 by maintainers)

Most upvoted comments

@m6a-UdS Great work! I have encountered the same issue. I pulled your pull request and tested it in my environment and it works 😃 👍