Re: How to request a logout in the IDP from the SP - SP initiated logout in IDP


Olav Morken

Jan 21, 2013, 2:15:58 AM
to simple...@googlegroups.com
On Fri, Jan 18, 2013 at 09:23:29 -0800, Minor Solis wrote:
> Hello,
>
> I can't request a logout from the SP to the Idp. It's creating the logout
> correctly in the SP but not in the Idp.
>
> *Notes*:
>
> - Using simpleSAMLphp 1.10.0
> - We are the SP.
> - The idp is located in a "remote server".
> - The idp metadata has the "*SingleLogoutService*" information.
>
> *Problem*:
>
> - I'm using the _autoload.php API to integrate it in a blank php page.
> - Calling: $as->logout(SimpleSAML_Utilities::selfURLNoQuery());
> - That function is creating the logout in the SP (in my local server)
> but it's not calling the "*SingleLogoutService*" of the Idp.
>
> *Am I missing something?*
>
> Thank you for your ideas!

Look at your log files. Do they contain something like "No logout
endpoint for IdP https://idp.example.org/"?

In that case, double-check your SingleLogoutService endpoint in your
idp-remote metadata. Note that if a binding is specified on the
SingleLogoutService endpoint, it must be the HTTP-Redirect binding.

If that entry is not written to your log file, what is written to your
log file during logout?

Best regards,
Olav Morken
UNINETT / Feide

Ruwantha Lankathialaka

Dec 22, 2016, 2:10:07 AM
to SimpleSAMLphp, olav....@uninett.no
Hi,

I am also having issues with logging out. I am trying to invoke the logout with the logout method:

$ssoObj = new \SimpleSAML_Auth_Simple('sp1');
$auth = $ssoObj->login();
$auth->logout(MY_APPLICTION_LOGIN_PATH);

This just redirects me to the login path and does not log out of the application.

When I check my syslog it shows the message "No logout endpoint for IdP 'MY_IDP_URL'".

Please tell me how to logout correctly.

Thanks,

Ruwantha Lankathialaka

Dec 22, 2016, 2:11:07 AM
to SimpleSAMLphp, olav....@uninett.no
I found the solution

        $auth = $ssoObj->login(); // get the SimpleSAML_Auth_Simple('sp');
        if ($auth->isAuthenticated()) {
            return $this->redirect()->toUrl($auth->getLogoutURL());
        }

This will log out

On Monday, January 21, 2013 at 12:45:58 PM UTC+5:30, Olav Morken wrote:

Jaime Perez Crespo

Dec 22, 2016, 6:22:05 AM
to simple...@googlegroups.com
Hi Ruwantha,

On 22 Dec 2016, at 07:11 AM, Ruwantha Lankathialaka <ruwan...@gmail.com> wrote:
> I found the solution
>
> $auth = $ssoObj->login(); // get the SimpleSAML_Auth_Simple('sp');
> if($auth->isAuthenticated()){
> return $this->redirect()->toUrl($auth->getLogoutURL());
> }
>
> This will log out

No, that’s not the solution. The solution to the error message you were getting was given by Olav in the very same message from almost 4 years ago that you were replying to:

>> Look at your log files. Do they contain something like "No logout
>> endpoint for IdP https://idp.example.org/"?
>>
>> In that case, double-check your SingleLogoutService endpoint in your
>> idp-remote metadata. Note that if a binding is specified on the
>> SingleLogoutService endpoint, it must be the HTTP-Redirect binding.


What you have done is not a solution and has nothing to do with SimpleSAMLphp. In that context, we don’t know what is $this, and it’s definitely not part of SimpleSAMLphp. The proper way to trigger logout is to call the logout() method with a URL where you want to be redirected to after logging out, as described in the documentation:

https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_5

However, your code here doesn’t make much sense anyway:

> $ssoObj = new \SimpleSAML_Auth_Simple('sp1');
> $auth = $ssoObj->login();
> $auth->logout(MY_APPLICTION_LOGIN_PATH);

It doesn’t make any sense to call logout() right after calling login(). Why would you want to log out right after logging in? Besides, passing “your application login path”, whatever that means, as the return URL to the logout() method, doesn’t make much sense either.

Please, read the documentation carefully:

https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
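
The metadata check Olav describes can be run over idp-remote entries before deploying them. This is an added example, not part of the thread and not SimpleSAMLphp code; the function name, the sample entity IDs and the assumed array shape of metadata/saml20-idp-remote.php (SingleLogoutService as a bare URL or a list of Binding/Location arrays) are assumptions.

```php
<?php
// Added example: a standalone check, it does not call SimpleSAMLphp classes.
const BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';

/**
 * Return the Location of the first SingleLogoutService endpoint that passes
 * the rule quoted in the thread (no binding specified, or HTTP-Redirect),
 * or null when the entry has none.
 */
function findUsableSloLocation(array $idpEntry): ?string
{
    $slo = $idpEntry['SingleLogoutService'] ?? null;
    if (is_string($slo) && $slo !== '') {
        return $slo;                          // bare URL: no binding specified
    }
    if (!is_array($slo)) {
        return null;                          // endpoint missing from the metadata
    }
    foreach ($slo as $endpoint) {
        if (is_string($endpoint) && $endpoint !== '') {
            return $endpoint;                 // bare URL inside a list
        }
        if (!is_array($endpoint) || empty($endpoint['Location'])) {
            continue;                         // malformed entry, skip it
        }
        $binding = $endpoint['Binding'] ?? null;
        if ($binding === null || $binding === BINDING_HTTP_REDIRECT) {
            return $endpoint['Location'];
        }
    }
    return null;                              // only other bindings were listed
}

// Constructed sample entries (assumed shape of metadata/saml20-idp-remote.php).
$metadata = [
    'https://idp-a.example.org/' => ['SingleLogoutService' => 'https://idp-a.example.org/slo'],
    'https://idp-b.example.org/' => ['SingleLogoutService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'Location' => 'https://idp-b.example.org/slo',
    ]]],
    'https://idp-c.example.org/' => ['SingleSignOnService' => 'https://idp-c.example.org/sso'],
];

foreach ($metadata as $entityId => $entry) {
    $location = findUsableSloLocation($entry);
    echo $location !== null
        ? "OK   {$entityId} -> {$location}\n"
        : "FAIL {$entityId}: no usable SingleLogoutService; expect \"No logout endpoint for IdP\" in the log\n";
}
```

An entry reported as FAIL is one where logout() would end only the SP session and leave the IdP session in place, which is the symptom both posters describe.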
