SimpleSamlPHP problem with SimpleLogoutService


wojciech...@fancyfon.com

Aug 10, 2017, 8:20:20 AM
to SimpleSAMLphp
Hi,

We have a working SimpleSAMLphp instance with several SPs connected. Everything is working without problems. Now we are trying to connect with a software vendor, but we are facing one problem.

Login works without problems, but when a user tries to log out in the browser he sees this message:

You accessed the SingleLogoutService interface, but did not provide a SAML LogoutRequest or LogoutResponse. Please note that this endpoint is not intended to be accessed directly.


SimpleSAML_Error_Error: SLOSERVICEPARAMS
Backtrace:
0 /var/www/XXX/www/saml2/idp/SingleLogoutService.php:28 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /var/www/XXX/vendor/simplesamlphp/saml2/src/SAML2/Binding.php:97 (SAML2_Binding::getCurrentBinding)
1 /var/www/XXX/modules/saml/lib/IdP/SAML2.php:487 (sspmod_saml_IdP_SAML2::receiveLogoutMessage)
0 /var/www/XXX/www/saml2/idp/SingleLogoutService.php:23 (N/A)

Unfortunately our vendor said that "they do not support the Single Logout service".
They only redirect the logout button to a specified URL.

Can we do something to give the possibility to log out the user and end the session after directly accessing the SingleLogoutService URL?

We are using LDAP as the user base and here is the configuration:

<?php

$config = array(

    // This is an authentication source which handles admin authentication.
    'admin' => array(
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.
        'core:AdminPassword',
    ),

    ///*
    // Example of a LDAP authentication source.
    'ldap' => array(
        'ldap:LDAP',
        'hostname' => 'XXX.XXX.XXX.XXX',
        'enable_tls' => FALSE,
        'debug' => FALSE,
        'timeout' => 0,
        'port' => 389,
        'referrals' => TRUE,
        'attributes' => NULL,
        'dnpattern' => 'cn=%username%,ou=XXX,dc=XXX,dc=com',
        'search.enable' => FALSE,
        'search.base' => 'ou=XXX,dc=XXX,dc=com',
        'search.attributes' => array('cn', 'mail'),
        'search.username' => NULL,
        'search.password' => NULL,
        'priv.read' => FALSE,
        'priv.username' => NULL,
        'priv.password' => NULL,
    ),
);


Here is our vendor's SP metadata configuration:

$metadata['XXXXX'] = array(
    'AssertionConsumerService' => 'https://XXXXX/login/saml',
    'SingleLogoutService' => 'https://XXXXX/logout',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'mail',
    'simplesaml.attributes' => FALSE,
);

Peter Schober

Aug 11, 2017, 6:20:15 AM
to SimpleSAMLphp
* wojciech...@fancyfon.com <wojciech...@fancyfon.com> [2017-08-10 14:20]:
> Unfortunately our Vendor said that "They do not support Single Logout
> service"
> They only redirect logout button to specified URL.

You can't use that endpoint then.

> Can we do something to give possibility to logout user and end
> session after directly access to SingleLogoutService URL?

Not "after", but "instead": If accessing that endpoint without a SAML
logout request yields an error then configure that URL in the vendor
interface.

E.g. if SimpleSAMLphp supports an "IDP-initiated" logout endpoint (I
don't know whether it does) you could send them there instead (i.e.,
using a proprietary request instead of a standard-defined request.)
If SimpleSAMLphp does not support this I guess you're stuck with
either sending people to a website of your own explaining to the
subject what the options are. Or try not configuring that URL in the
vendor interface and see what that achieves.

-peter
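As an added illustration (not code from this thread or from SimpleSAMLphp itself), the Python below models the binding detection behind the "Unable to find the current binding" error: a bare GET to the SingleLogoutService URL, which is all the vendor's logout button produces, carries no SAMLRequest or SAMLResponse parameter and matches no binding, whereas an SP that supports SLO would deliver a LogoutRequest with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded). The hostnames, the LogoutRequest and the simplified detection rules are constructed for the example.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: a minimal SAML 2.0 LogoutRequest an SLO-capable SP would send.
LOGOUT_REQUEST_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2017-08-10T12:20:00Z" '
    'Destination="https://idp.example.org/saml2/idp/SingleLogoutService.php">'
    '<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">'
    'user@example.org</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def redirect_binding_url(slo_endpoint: str, request_xml: str) -> str:
    """Encode a LogoutRequest per the HTTP-Redirect binding: raw DEFLATE, base64, then urlencode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(request_xml.encode()) + compressor.flush()
    return slo_endpoint + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def detect_binding(method: str, url: str, form: Optional[dict] = None) -> Optional[str]:
    """Simplified model (assumption, not the library's code) of how the IdP picks the binding."""
    query = parse_qs(urlsplit(url).query)
    form = form or {}
    if method == "GET" and ("SAMLRequest" in query or "SAMLResponse" in query):
        return "HTTP-Redirect"
    if method == "POST" and ("SAMLRequest" in form or "SAMLResponse" in form):
        return "HTTP-POST"
    return None  # no SAML message at all: the vendor's plain redirect lands here


def decode_redirect_request(url: str) -> str:
    """Reverse of redirect_binding_url: the XML the IdP recovers from the query string."""
    raw = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(raw), -15).decode()
```

A plain `GET /saml2/idp/SingleLogoutService.php` yields `None`, which is the SLOSERVICEPARAMS situation in the first post; only the encoded URL from `redirect_binding_url` is recognised as a logout message.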