Proxy IdP logout: unable to find the SAML 2 binding used for this request


Keith Wessel

Nov 15, 2017, 4:15:23 PM
to simple...@googlegroups.com
Hi, all,

Single Logout seems to have broken for my proxy IdP. It was working as
recently as a couple weeks ago, redirecting users to the published
originating IdP logout endpoints in metadata. Now it throws an error and
produces the below log entries.

I tried backing out to 1.14.14 to see if I introduced an issue in my upgrade
to 1.14.17 with no change. It's possible a PHP or Apache update might have
changed something, but I'm not sure where to start troubleshooting this.

Any thoughts? The Googling I did for this error was all old results that
didn't give me a good clue.

Thanks,
Keith

2017-11-15T15:01:49.393729-06:00 simplesamlphp[9854]: 6 [50c15ca3bc] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
2017-11-15T15:01:49.393843-06:00 simplesamlphp[9854]: 4 [50c15ca3bc] Unable to find the SAML 2 binding used for this request.array (#012)
2017-11-15T15:01:49.393907-06:00 simplesamlphp[9854]: 4 [50c15ca3bc] Request method: 'GET'array (#012)
2017-11-15T15:01:49.393958-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] SimpleSAML_Error_Error: SLOSERVICEPARAMS
2017-11-15T15:01:49.394026-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] Backtrace:
2017-11-15T15:01:49.394084-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] 0 /services/idp-proxy/opt/simplesamlphp-1.14.14/www/saml2/idp/SingleLogoutService.php:28 (N/A)
2017-11-15T15:01:49.394158-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] Caused by: Exception: Unable to find the current binding.
2017-11-15T15:01:49.394215-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] Backtrace:
2017-11-15T15:01:49.394278-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] 2 /services/idp-proxy/opt/simplesamlphp-1.14.14/vendor/simplesamlphp/saml2/src/SAML2/Binding.php:97 (SAML2_Binding::getCurrentBinding)
2017-11-15T15:01:49.394335-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] 1 /services/idp-proxy/opt/simplesamlphp-1.14.14/modules/saml/lib/IdP/SAML2.php:487 (sspmod_saml_IdP_SAML2::receiveLogoutMessage)
2017-11-15T15:01:49.394391-06:00 simplesamlphp[9854]: 3 [50c15ca3bc] 0 /services/idp-proxy/opt/simplesamlphp-1.14.14/www/saml2/idp/SingleLogoutService.php:23 (N/A)


Jaime Perez Crespo

Nov 16, 2017, 2:23:58 AM
to simple...@googlegroups.com
Hi Keith.

I’ve seen that issue before, though can’t recall what it was due to. I vaguely remember some problem with the web server.

In any case, if you search the mailing list for the log lines you are getting, you should be able to at least find some other conversations about it, hopefully with a solution.

Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Tim van Dijen

Nov 16, 2017, 3:12:49 AM
to SimpleSAMLphp
2017-11-15T15:01:49.393843-06:00 simplesamlphp[9854]: 4 [50c15ca3bc] Unable to find the SAML 2 binding used for this request
2017-11-15T15:01:49.393907-06:00 simplesamlphp[9854]: 4 [50c15ca3bc] Request method: 'GET'

Looking at the corresponding code:

It basically means you're doing an HTTP GET on /simplesaml/saml2/idp/SSOService.php, but you're not sending the required GET-parameters.
This could, like Jaime noted, be a misconfiguration in your webserver on the proxy-side, or a misconfiguration on the SP-side.
You can pinpoint this by running a SAML-trace.

Keith Wessel

Nov 16, 2017, 9:51:56 AM
to simple...@googlegroups.com

Thanks, gentlemen. It’s quite possible that the vendor SPs calling the logout URL aren’t passing any parameters. I’ll check logs on that. If so, and IIRC, doesn’t the logout endpoint consult session cookies to know what session to terminate? Or is it really only a true SAML logout that responds to a passed-in request?

I’m only questioning this because, as I stated previously, this was working a few weeks ago for these very SPs.

Just to help me further understand, is this error coming from the SimpleSAMLphp IdP portion of my proxy IdP or the SP portion? I assumed that the Proxy IdP took the request, identified the session, and handed it to the SSP SP that it used to initiate the session, and that SP in turn sent the logout request on to the originating IdP. Is that right? And is this error happening in the SSP IdP or the SSP SP? I realize that the SP is just an authentication mechanism for the IdP, but I’m trying to understand the issue.

Keith


Keith Wessel

Nov 16, 2017, 10:31:31 AM
to simple...@googlegroups.com

I’m still searching the archives, but I’ve determined that Apache’s not doing any rewriting of or redirecting of the logout URL. And, looking at the log, it looks like these vendors aren’t sending any get params in the request of type get. They’re just calling the logout URL, like IDP-initiated logout.

And according to the docs, calling /simplesaml/saml2/idp/SingleLogoutService.php with no parameters should work.

So, I’m still confused by this error.

I’ll keep digging.

Keith

Keith Wessel

Nov 16, 2017, 10:42:56 AM
to simple...@googlegroups.com

Ah-ha!

Has the ReturnTo parameter always been required for the SingleLogoutService.php endpoint if a get or post SAML logout request isn’t included? If I include a ReturnTo parameter, logout works!

Is there a reason that SSP can’t do an IdP-initiated logout without a ReturnTo param, just passing the user to the default SSP logout page in its absence?

Keith


Jaime Perez Crespo

Nov 27, 2017, 8:54:33 AM
to simple...@googlegroups.com
Hi Keith!

On 16 Nov 2017, at 16:42 PM, Keith Wessel <ke...@wessel.com> wrote:
> Ah-ha!
>
> Has the ReturnTo parameter always been required for the SingleLogoutService.php endpoint if a get or post SAML logout request isn’t included? If I include a ReturnTo parameter, logout works!

I would need to check it out, but I think there haven’t been any changes in the endpoints in a long time.

> Is there a reason that SSP can’t do an IdP-initiated logout without a ReturnTo param, just passing the user to the default SSP logout page in its absence?

Not that I can imagine now, but again, I’d need to look into the code and think about it more thoroughly. In general, you always need a page where you should go back after logging out, and I think we don’t have such a page in SimpleSAMLphp.

Maybe you should open an issue in the issue tracker and continue the discussion there?
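
The access-log check Keith describes (which SPs call the logout URL with neither a SAML message nor ReturnTo), as an added example that is not part of the original thread or of SimpleSAMLphp. It assumes Apache's "combined" log format; the class labels, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

SLO_PATH = "/simplesaml/saml2/idp/SingleLogoutService.php"  # path named in the thread
SAML_PARAMS = ("SAMLRequest", "SAMLResponse", "SAMLart")    # SAML binding query parameters

# Assumption: Apache "combined" format; adjust the pattern for a custom LogFormat.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def classify(method, target):
    """Label one request to the SLO endpoint (labels are hypothetical); None if other path."""
    url = urlsplit(target)
    if url.path != SLO_PATH:
        return None
    if method != "GET":
        return "post-body-not-logged"    # HTTP-POST binding: message is in the body
    params = parse_qs(url.query, keep_blank_values=True)
    if any(p in params for p in SAML_PARAMS):
        return "saml-message-in-query"
    if "ReturnTo" in params:
        return "returnto-logout"         # the form Keith found to work
    return "no-binding-no-returnto"      # the form that logged SLOSERVICEPARAMS

def bare_logout_callers(lines):
    """Count bare GETs to the SLO endpoint per Referer host (client IP if no Referer)."""
    callers = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and classify(m["method"], m["target"]) == "no-binding-no-returnto":
            ref = m["referer"]
            key = urlsplit(ref).netloc if ref not in ("", "-") else m["ip"]
            callers[key] += 1
    return callers

# Constructed sample lines (documentation IP ranges and example hostnames).
P = SLO_PATH
SAMPLE = [
    f'192.0.2.10 - - [15/Nov/2017:15:01:49 -0600] "GET {P} HTTP/1.1" 500 812 "https://vendor-a.example/app" "UA"',
    f'192.0.2.11 - - [15/Nov/2017:15:03:02 -0600] "GET {P} HTTP/1.1" 500 812 "https://vendor-a.example/app" "UA"',
    f'192.0.2.20 - - [15/Nov/2017:15:04:10 -0600] "GET {P}?ReturnTo=https%3A%2F%2Fvendor-b.example%2Fbye HTTP/1.1" 302 0 "https://vendor-b.example/" "UA"',
    f'192.0.2.30 - - [15/Nov/2017:15:05:00 -0600] "GET {P}?SAMLRequest=CONSTRUCTED HTTP/1.1" 302 0 "-" "UA"',
    f'198.51.100.7 - - [15/Nov/2017:15:06:30 -0600] "GET {P} HTTP/1.1" 500 812 "-" "UA"',
    f'192.0.2.40 - - [15/Nov/2017:15:07:45 -0600] "POST {P} HTTP/1.1" 200 1024 "-" "UA"',
]
```

Running `bare_logout_callers` over the proxy's real access log gives a per-SP count of the parameterless calls, which can be lined up against the `SLOSERVICEPARAMS` timestamps in the SimpleSAMLphp log.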