Logout with own Logout Handler not working correctly


R. Z.

Jun 16, 2022, 9:40:33 AM
to Pac4j users mailing list
Hi,

I use central logout. As long as I use the standard LogoutHandler class everything works fine: the SAML Response from my IdP is validated (my breakpoint in the SAML2LogoutValidator got hit) and as soon as I start to log in again, I need to enter my credentials again, so this is fine.

So I wanted to implement my own Logout Handler as I need to redirect the user to my index page after the IdP sends the callback to my POST callback?client_name=SAML2Client&logoutendpoint=true:

public static Handler<RoutingContext> centralLogoutHandler(final Vertx vertx, final Config config,
                                                           final SessionStore sessionStore) {
    final LogoutHandlerOptions options = new LogoutHandlerOptions()
            .setCentralLogout(true)
            .setLocalLogout(false)
            .setDestroySession(true);
    return new MyCustomLogoutHandler(vertx, sessionStore, options, config);
}

MyCustomLogoutHandler simply extends the LogoutHandler, calls the super methods and adds the redirect afterwards. But as soon as I am using this, the SAML Response does not get hit, and as soon as I try to log in again, my session is still valid.

I also tried to set the default URL in the LogoutHandlerOptions because I saw in the DefaultLogoutLogic that this URL will be used for the redirect, but this also does not work.

What am I doing wrong? How can I redirect the user to my index page after the IdP sends the LogoutResponse?

And by the way I am using the vert.x pac4j implementation, newest version I guess.

Thanks for the help,
Regards
Robert

Jérôme LELEU

Jun 20, 2022, 2:48:46 AM
to R. Z., Pac4j users mailing list
Hi,

If you want to control the URL called after the SAML response has been sent by the IdP, you need to use the postLogoutURL property from the SAML2Configuration component.
Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/pac4j-users/859b0c5f-e4fe-4f45-bfa4-d26dd4d4bcecn%40googlegroups.com.

R. Z.

Jun 22, 2022, 8:23:19 AM
to Pac4j users mailing list

Hi Jérôme,

It worked. Thank you.

Best regards
Robert

R. Z.

Jun 28, 2022, 10:10:14 AM
to Pac4j users mailing list
Hi Jérôme,

Sorry to bother you again. Azure AD does not support the HTTP-POST binding for central logout.
So I added the config:

cfg.setSpLogoutRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
cfg.setSpLogoutResponseBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);

In the logs I see the requests being made and the response as a URL parameter. My breakpoints in the LogoutHandler also got hit.
2022-06-28 15:32:20,836 [vert.x-worker-thread-3] DEBUG org.pac4j.core.engine.DefaultLogoutLogic - === LOGOUT ===
2022-06-28 15:32:20,836 [vert.x-worker-thread-3] DEBUG org.pac4j.core.engine.DefaultLogoutLogic - redirectUrl: /logout
2022-06-28 15:32:20,836 [vert.x-worker-thread-3] DEBUG org.pac4j.core.engine.DefaultLogoutLogic - Performing central logout
2022-06-28 15:32:20,836 [vert.x-worker-thread-3] DEBUG org.pac4j.core.engine.DefaultLogoutLogic - Profile: #SAML2Profile# | id: mytes...@mydomain.de | attributes: {notOnOrAfter=2022-06-28T13:37:11.567Z, notBefore=2022-06-28T13:27:11.567Z} | roles: [] | permissions: [] | isRemembered: false | clientName: SAML2Client | linkedId: null |

However, the profile does not seem to be removed. So when pac4j redirects to cfg.setPostLogoutUrl (which is the root URL of my app, therefore it redirects to the IdP again) the session is somehow still active and the last logged-in user gets logged in again.

If I am running the same code (except the 2 configs for the REDIRECT binding for logouts) against our Okta, everything works fine: the user logs out, the session is destroyed, redirect to the root URL, redirect to the IdP, and the user needs to log in with his credentials again.

Regards
Robert

R. Z.

Jun 28, 2022, 10:16:11 AM
to Pac4j users mailing list
Looking at https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol, the logout request should look something like this:

<samlp:LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="idaa6ebe6839094fe4abc4ebd5281ec780" Version="2.0" IssueInstant="2013-03-28T07:10:49.6004822Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.workaad.com</Issuer>
  <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> Uz2Pqz1X7pxe4XLWxV9KJQ+n59d573SepSAkuYKSde8=</NameID>
</samlp:LogoutRequest>

And the Logout Request generated by pac4j looks like this:

<saml2p:LogoutRequest Destination="https://dev-25910442.okta.com[removed]aml" ID="_0a34af1d[removed]2a39c7" IssueInstant="2022-06-28T12:43:28.256Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://mytest.application.com:9600/callback?client_name=SAML2Client</saml2:Issuer>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myt...@mydomain.de</saml2:NameID>
    <saml2p:SessionIndex>_b77139[removed]757a71148</saml2p:SessionIndex>
</saml2p:LogoutRequest>

I wonder why, according to the official Azure docs, the NameID is encoded, whereas in my LogoutRequest the NameID is plain text.

Regards
Robert

Jérôme LELEU

Jun 29, 2022, 3:11:43 AM
to R. Z., Pac4j users mailing list
Hi,

In fact, you have two things related to logout:
- the ability to request a SLO (SP -> IdP), handled by the DefaultLogoutLogic (the logs you posted)
- the ability to receive a SLO request (IdP -> SP) on the callback endpoint with logoutendpoint=true, handled by the SAML2LogoutValidator and the SAML2LogoutMessageReceiver.

So it's not surprising to send a SLO logout request to the IdP and receive a logout request from the IdP after that.
You may destroy the local session before sending a SLO logout request to the IdP to be sure you have removed the local session.

Thanks.
Best regards,
Jérôme
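The wiring Jérôme describes, as an added example that is not code from this thread or from pac4j itself: the local session is dropped before the SLO request leaves for the IdP (localLogout=true instead of the false used in the original handler), and the IdP is told where to return the browser through the SAML2Configuration post-logout URL, using the HTTP-Redirect binding that the Azure AD case needs. The keystore paths, entity IDs and URLs are placeholders, and the setter name setPostLogoutURL is assumed from the property name Jérôme gives.

```java
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.ext.web.RoutingContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.vertx.handler.impl.LogoutHandler;
import org.pac4j.vertx.handler.impl.LogoutHandlerOptions;

// Added example, not pac4j's or the thread's own code. All paths and URLs are placeholders.
public final class SamlLogoutWiring {

    public static Config buildConfig() {
        final SAML2Configuration cfg = new SAML2Configuration(
                "resource:samlKeystore.jks", "keystore-pass", "key-pass",   // placeholders
                "resource:idp-metadata.xml");
        cfg.setServiceProviderEntityId("https://sp.example.test/callback?client_name=SAML2Client");
        // Where the IdP sends the browser after the LogoutResponse. Point it at a
        // public page, not the protected root, or the app immediately starts a new
        // authentication round-trip as seen in the thread.
        cfg.setPostLogoutURL("https://sp.example.test/loggedout");   // setter name assumed
        // IdPs that reject HTTP-POST for SLO (the Azure AD case above) need the
        // HTTP-Redirect binding for both the outgoing request and the response.
        cfg.setSpLogoutRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        cfg.setSpLogoutResponseBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);

        final SAML2Client client = new SAML2Client(cfg);
        final Clients clients = new Clients("https://sp.example.test/callback", client);
        return new Config(clients);
    }

    public static Handler<RoutingContext> centralLogoutHandler(final Vertx vertx,
            final Config config, final SessionStore sessionStore) {
        final LogoutHandlerOptions options = new LogoutHandlerOptions()
                // localLogout=true removes the stored profile before the SLO request
                // is sent; with localLogout=false the old profile survives the
                // round-trip and the next protected request logs that user back in.
                .setLocalLogout(true)
                .setDestroySession(true)
                .setCentralLogout(true);
        return new LogoutHandler(vertx, sessionStore, options, config);
    }
}
```

Any custom redirect after logout belongs in the post-logout URL page rather than in a LogoutHandler subclass, since the IdP-initiated callback is processed by the SAML2LogoutValidator on the callback endpoint, not by the handler that started the logout.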


Jérôme LELEU

Jun 29, 2022, 3:14:23 AM
to R. Z., Pac4j users mailing list
Hi,

In pac4j, we don't have the option to encode the NameID in the logout request.
Thanks.
Best regards,
Jérôme

