Description of problem: The logout request created by the SAML2LogOutHandler needs to have the format set on the NameID. Even though the spec says it is an optional attribute, 3rd party projects such as Shibboleth mandate it.
Fixed in branch 2.5.4.SP7-redhat-1_BZ-1330602. This needs to be cherry-picked into the next product release branch.
The NameID format can be adjusted by using the "NAMEID_FORMAT" configuration option on the SAML2LogOutHandler in the picketlink.xml file:

<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler">
  <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:email"/>
</Handler>
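A check for the behaviour this report describes, as an added example that is not part of the original report or PicketLink's code: it parses a LogoutRequest, optionally decoded from the HTTP-Redirect binding, and reports whether NameID carries a Format attribute. The sample messages, the helper names and the example.test values are constructed; the Format value is the one from the configuration above.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PAGE_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"  # value from the page

def decode_redirect_binding(saml_request_b64):
    """Undo the HTTP-Redirect encoding: base64, then raw DEFLATE (no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request_b64), -15)

def encode_redirect_binding(xml_bytes):
    """Inverse of decode_redirect_binding, used only to build the sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush())

def check_logout_nameid(xml_bytes, expected_format=None):
    """Return (ok, detail) for the NameID of a samlp:LogoutRequest."""
    # The samples here are constructed and trusted; parse untrusted
    # messages with a hardened XML parser instead.
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return False, "not a LogoutRequest"
    name_id = root.find("saml:NameID", NS)
    if name_id is None:
        return False, "no NameID element"
    fmt = name_id.get("Format")
    if not fmt:
        return False, "NameID has no Format attribute"
    if expected_format and fmt != expected_format:
        return False, "unexpected Format: " + fmt
    return True, fmt

def build_sample(format_attr=None):
    """Constructed LogoutRequest, with or without a Format on NameID."""
    attr = ' Format="%s"' % format_attr if format_attr else ""
    return ('<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
            'ID="_constructed1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">'
            '<saml:Issuer>https://sp.example.test/</saml:Issuer>'
            '<saml:NameID%s>user@example.test</saml:NameID>'
            '</samlp:LogoutRequest>' % (NS["samlp"], NS["saml"], attr)).encode()

if __name__ == "__main__":
    print(check_logout_nameid(build_sample()))             # request without Format
    print(check_logout_nameid(build_sample(PAGE_FORMAT)))  # request with Format
    wire = encode_redirect_binding(build_sample(PAGE_FORMAT))
    print(check_logout_nameid(decode_redirect_binding(wire), PAGE_FORMAT))
```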
Verified with EAP 6.4.9.CP.CR2
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.