Single Logout from Google Apps


Andreas Åkre Solberg

Mar 5, 2008, 10:20:29 AM
to simple...@googlegroups.com, Sergio Izquierdo
I've implemented IdP-initiated SLO

SimpleSAMLphp now has a solution for logout from Google Apps. I've implemented IdP-initiated Single LogOut, which makes it possible to configure logout together with Google Apps.

I've updated the simpleSAMLphp as an IdP for Google Apps for Education document: http://rnd.feide.no/content/simplesamlphp-idp-google-apps-education

Here is the homepage of simpleSAMLphp: http://rnd.feide.no/simplesamlphp

Feel free to ask questions if anything is unclear.


Sergio Izquierdo

Mar 5, 2008, 8:49:44 PM
to Andreas Åkre Solberg, simple...@googlegroups.com
The file is not on that directory, must I only copy the same file from the sp directory?
Greetings,
Sergio

Andreas Åkre Solberg

Mar 6, 2008, 1:10:54 AM
to Sergio Izquierdo, simple...@googlegroups.com

On Mar 6, 2008, at 2:49 , Sergio Izquierdo wrote:

> The file is not on that directory, must I only copy the same file
> from the sp directory?
> Greetings,


The file was committed to subversion yesterday, because I had to
implement new functionality. It is not the same file :)

Let me know if you want a zip file of the latest version from
subversion, or if you can update from subversion...

Andreas Åkre Solberg

Mar 8, 2008, 4:22:25 PM
to Sergio Izquierdo, simple...@googlegroups.com

On Mar 6, 2008, at 2:49 , Sergio Izquierdo wrote:

> The file is not on that directory, must I only copy the same file
> from the sp directory?
> Greetings,


Did it work when you updated from svn?

I'm looking forward to hearing about the status of your installation.

How many students are there at your school/university?

Adam Forsyth

Mar 8, 2008, 5:00:19 PM
to simple...@googlegroups.com, andreas...@uninett.no
What is the best way to upgrade an existing installation of simplesaml
to have the single logout capability? I originally installed a few
weeks ago using the command: svn checkout
http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp

I'm not too familiar with subversion but I'm assuming that there is an
svn command that would update my installation to current.

So far, I've only played with simplesaml myself, and haven't rolled it
out to all of our Google Apps for Education users. My concern has
been that being able to log out seems important, and that wasn't
possible. Now that simplesaml has single log out, I think I may be
ready to move forward with all of our google apps users doing saml
login.


Andreas Åkre Solberg

Mar 8, 2008, 5:12:59 PM
to simple...@googlegroups.com
On Mar 8, 2008, at 23:00 , Adam Forsyth wrote:

> What is the best way to upgrade an existing installation of simplesaml
> to have the single logout capability?  I originally installed a few
> weeks ago using the command:  svn checkout
> http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp

Then go to your installation directory:
cd /var/simplesamlphp (in example)

And then type:
svn update

And your installation will be updated. As it is only a few weeks since you did your installation, this is probably the only step you need to do. But sometimes we make changes to the format of the config.php file or the metadata files, and then you will need to update your configuration or metadata.

As you may have seen when you installed simpleSAMLphp, the config and metadata files are added to a template directory. When you update with svn update, the template config and metadata will be updated (with the latest syntax), but your local metadata and configuration will be unmodified. If you upgrade and something stops working, the error message should tell you what to do; if not, tell us on the mailing list and we will help you instantly.

Here is the documentation for configuring logout with Google Apps:

Let me know how it works. Good luck.

Kind regards
Andreas.




> I'm not too familiar with subversion but I'm assuming that there is an
> svn command that would update my installation to current.
>
> So far, I've only played with simplesaml myself, and haven't rolled it
> out to all of our Google Apps for Education users.  My concern has
> been that being able to log out seems important, and that wasn't
> possible.  Now that simplesaml has single log out,  I think I may be
> ready to move forward with all of our google apps users doing saml
> login.

Adam Forsyth

Mar 8, 2008, 6:13:37 PM
to simple...@googlegroups.com
well that seems to have broken it.  As far as i can tell all of my configuration is intact just like you said it would be, but now google redirects to the saml login page, and it says "simpleSAMLphp error"  In the "Debug Information" section it just says "No exception available"

It does list an error track ID, but I can't find that it matches anything in the apache logs.  I'm not getting anything in apache's error log, and I just see in the access log that I've loaded this page, so I think apache is generally looking like it's happy.

What should be my next debugging step?  I'm not sure what to look at next.

Andreas Åkre Solberg

Mar 8, 2008, 6:53:04 PM
to simple...@googlegroups.com

On Mar 9, 2008, at 0:13 , Adam Forsyth wrote:

> well that seems to have broken it. As far as i can tell all of my
> configuration is intact just like you said it would be, but now
> google redirects to the saml login page, and it says "simpleSAMLphp
> error" In the "Debug Information" section it just says "No
> exception available"
>
> It does list an error track ID, but I can't find that it matches
> anything in the apache logs. I'm not getting anything in apache's
> error log, and I just see in the access log that I've loaded this
> page, so I think apache is generally looking like its happy.
>
> What should be my next debugging step? I'm not sure what to look at
> next.


What is the hostname of your installation? Then I can take a look at
the error?
And also, what is the google apps domain you are testing with.

Do you get an error on the home page of your installation?
What if you go to the metadata overview page?
What if you go to the saml 2 example (if you run a saml 2 sp)?

One thing you can do, is to take backup of your config.php and
metadata files, and then replace the one in the installation with the
one from the -templates directory (which should be up to date).

Adam Forsyth

Mar 8, 2008, 7:03:18 PM
to simple...@googlegroups.com
Also, I noticed by comparing the documentation to saml20-idp-hosted.php that I didn't have the line that reads:

 'authority' => 'login'

So I added that line, but it doesn't seem to make any difference.

> What is the hostname of your installation? Then I can take a look at
> the error?

login.luther.edu is the hostname of the simple saml server. The path to SSOService.php is https://login.luther.edu/saml/saml2/idp/SSOService.php

> And also, what is the google apps domain you are testing with.
> Do you get an error on the home page of your installation?

no, I can load https://login.luther.edu/saml/ without errors.

> What if you go to the metadata overview page?

I'm not sure what page that is, I can't find it.

> What if you go to the saml 2 example (if you run a saml 2 sp)?

Andreas Åkre Solberg

Mar 8, 2008, 7:15:12 PM
to simple...@googlegroups.com

On Mar 9, 2008, at 1:03 , Adam Forsyth wrote:

>
>
>
> Also, I noticed by comparing the documentation to
> saml20-idp-hosted.php that I didn't have the line that reads:
>
> 'authority' => 'login'
>
> So I added that line, but it doesn't seem to make any difference.

You seem to have customized the templates folder. If you are running
your own templates file, these files may require updates when you
upgrade simplesamlphp.

I would recommend you to try with the templates that follow the
installation first, to see if that is related to your problems.

If you, for example, have created your own theme in templates/luther,
then switch to templates/default in the config.php file to use the
default templates.

Adam Forsyth

Mar 8, 2008, 7:18:04 PM
to simple...@googlegroups.com
I just did that, config.php is now pointed back to the original templates.  Doesn't seem to change anything.

Andreas Åkre Solberg

Mar 8, 2008, 7:18:57 PM
to simple...@googlegroups.com

On Mar 9, 2008, at 1:15 , Andreas Åkre Solberg wrote:

> You seem to have customized the templates folder. If you are running your own templates file, these files may require updates when you upgrade simplesamlphp.

Now I see that you get a better error message:

No access

This endpoint is not enabled. Check the enable options in your configuration of simpleSAMLphp.


What is wrong is that SAML 2.0 IdP functionality is not enabled. Go to the config.php file and set saml2 IdP functionality to true.

'enable.shib13-idp' => true,


See the config.php in the template directory if you are unsure.

Andreas Åkre Solberg

Mar 8, 2008, 7:20:07 PM
to simple...@googlegroups.com

On Mar 9, 2008, at 1:18 , Andreas Åkre Solberg wrote:

> What is wrong is that SAML 2.0 IdP functionality is not enabled. Go
> to the config.php file and set saml2 IdP functionality to true.
>
> 'enable.shib13-idp' => true,
>


Sorry, of course I meant:
'enable.saml20-idp' => true,

:)

Adam Forsyth

Mar 8, 2008, 7:53:41 PM
to simple...@googlegroups.com
Originally I had:

        'enable.saml20-sp'              => true,
        'enable.saml20-idp'             => false,
        'enable.shib13-sp'              => false,
        'enable.shib13-idp'             => false,
        'enable.openid-provider'=> false,

I changed this to:
        'enable.saml20-sp'              => true,
        'enable.saml20-idp'             => true,
        'enable.shib13-sp'              => false,
        'enable.shib13-idp'             => false,
        'enable.openid-provider'=> false,

Now it seems to work.  It still works after I went back to my old customized templates too.
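
A preflight check for the failure diagnosed in this thread (hosted IdP metadata present while 'enable.saml20-idp' is still false after an update), as an added example that is not part of any post here and is not SimpleSAMLphp code. The helper name, the sample arrays and the rule that a populated *-hosted.php file means the role is wanted are assumptions.

```php
<?php
// Added example, not SimpleSAMLphp code: report protocol roles that have
// hosted metadata but are switched off in config.php, the mismatch behind
// the "This endpoint is not enabled" error discussed above.

// Constructed sample of the 'enable.*' options as quoted in the thread
// (the state before the fix). In a real check this array would come from
// the installation's config.php (assumption: it defines $config).
$config = array(
    'enable.saml20-sp'       => true,
    'enable.saml20-idp'      => false,
    'enable.shib13-sp'       => false,
    'enable.shib13-idp'      => false,
    'enable.openid-provider' => false,
);

// Constructed sample: hosted metadata file => number of entities defined.
// Only saml20-idp-hosted.php is named in the thread; the other file names
// are assumed to follow the same pattern.
$hostedEntities = array(
    'saml20-sp-hosted.php'  => 1,
    'saml20-idp-hosted.php' => 1,
    'shib13-idp-hosted.php' => 0,
);

// Hypothetical helper: returns one message per role that is configured in
// metadata but whose 'enable.<role>' option is missing or not true.
function findDisabledRoles(array $config, array $hostedEntities)
{
    $problems = array();
    foreach ($hostedEntities as $file => $count) {
        if ($count < 1) {
            continue; // nothing hosted for this role, so no endpoint expected
        }
        $option = 'enable.' . basename($file, '-hosted.php');
        if (!isset($config[$option]) || $config[$option] !== true) {
            $problems[] = "$file defines $count entity(ies) but '$option' is not true";
        }
    }
    return $problems;
}

foreach (findDisabledRoles($config, $hostedEntities) as $line) {
    echo $line, PHP_EOL;
}
```

Running the same comparison after every svn update catches an option that the updated template introduced but the local config.php does not yet set.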

Adam Forsyth

Mar 8, 2008, 7:54:33 PM
to simple...@googlegroups.com
Oh, figured it out before I read this, but that's what I figured out.

Sergio Izquierdo

Mar 9, 2008, 9:31:07 PM
to Andreas Åkre Solberg, simple...@googlegroups.com
Thank you a lot, it worked just nice.  I will make the migration next week (school planning).
The school has almost 900 students.
Thank you a lot for your help, attention and enthusiasm.

Greetings from Guatemala

Sergio Izquierdo

Andreas Åkre Solberg

Mar 10, 2008, 8:37:30 AM
to simple...@googlegroups.com

On Mar 10, 2008, at 2:31 , Sergio Izquierdo wrote:

> Thank you a lot, it worked just nice. I will make the migration
> next week (school planning).
> The school has almost 900 students.
> Thank you a lot for your help, attention and enthusiasm.
>
> Greetings from Guatemala
>
> Sergio Izquierdo


Great news, Sergio. Do you plan to use your simpleSAMLphp IdP for other
services than Google Apps for Edu? simpleSAMLphp gives you single
sign-on only if you have more than one service, you know :)

We have deployed a service here in Norway called OpenWiki, where
students can login and create their own wiki, and set up access
control, such that they can create project wikis that are, for example,
read-only for all other students, and write-access for all the
students participating in the project. The software realizing such a
service is called wikiplex and will run side-by-side with a dokuwiki
installation.

kev...@gmail.com

Sep 28, 2017, 1:27:46 PM
to SimpleSAMLphp
Has anyone figured out how to use simplesamlphp and logout from that specific relying party/service provider using Google SAML/SSO?
We have the integration working where we can login with the Google being the IdP and we are the Relying Party/Service Provider with simplesamlphp - works great.
We know how to logout from google completely, but we want to logout the Google/Service Provider connection not the entire google account, so that
any other SAML relationships the user has logged in with are not impacted. ADFS has this ability. Can we do it with Google? thanks in advance!

Peter Schober

Sep 28, 2017, 5:52:13 PM
to SimpleSAMLphp
You're aware you have replied to a 9 year old thread?

> On Wednesday, March 5, 2008 at 7:20:29 AM UTC-8, Andreas Åkre Solberg wrote:

Anyway:

* <kev...@gmail.com> [2017-09-28 19:27]:
> Has anyone figured out how to use simplesamlphp and logout from that
> specific relying party/service provider using Google SAML/SSO?

AFAIK Google as a SAML SP does not support SAML SLO. I.e., they don't
generate SAML SLO requests to your IDP (when you want to initiate
logout at their service), and they don't provide an endpoint where an
IDP can send a logout request (when you start logout elsewhere, i.e.,
not at their service).

> We have the integration working where we can login with the Google
> being the IdP and we are the Relying Party/Service Provider with
> simplesamlphp - works great.

I was not aware you could even use Google as a SAML IDP for third
party SAML SPs. (Obviously above I replied with the assumption you
used SimpleSAMLphp as a SAML IDP and Google as a SAML SP.)

> We know how to logout from google completely, but we want to logout the
> Google/Service Provider connection not the entire google account

That seems like a differentiation only Google might be able to make,
not something a standard protocol (such as SAML) would be able to
handle.

> so that any other SAML relationships the user has logged in with are
> not impacted. ADFS has this ability. Can we do it with Google?

That sounds very much like a question for a Google IDP-specific
support forum? At least I don't see a relation to the SimpleSAMLphp
project or software.

-peter