Single logout problem, using simplesamlphp 1.17.2 IDP

Gabriel Guntin

Apr 29, 2019, 7:53:35 AM
to SimpleSAMLphp

Simplesamlphp version 1.17.2 IDP:

  • After closing session on a SP we are redirected properly to /module.php/core/idp/logout-iframe.php?id=_2ba0ca3c88fcb233b605b7573T16f5bea44b77d4b7

And then we see:

You are now successfully logged out from SP-1.
You are also logged in on these services:

  • SP-2
  • SP-3

Do you want to logout from all the services above?
Yes, all services No, only SP-1.

  • Answering "Yes" and waiting 5 seconds see this:

Unable to log out of one or more services. To ensure that all your sessions are closed, you are encouraged to close your webbrowser.

But we verify on SP-2 and SP-3 that sessions are closed properly.

Doing a "refresh" in the web browser the warning disappears, and all appears to be good.

The problem does not exist if I use simplesamlphp version 1.16.3 as IDP, with the same configurations and SP.

See attached log file fragment in debug mode, with no errors for me.


simplesamlphp.log

Jaime Pérez Crespo

Apr 29, 2019, 8:03:19 AM
to 'Jaime Pérez Crespo' via SimpleSAMLphp
Hi Gabriel,

As I said in the issue tracker, that looks like those services aren’t responding properly.

You can check that yourself by installing a browser plugin like SAMLtracer and following the requests and responses, and verifying that you are getting a SAML message back from the services after initiating logout on them (it must be a LogoutResponse). If that’s not the case, there you have the reason for the behaviour you are experiencing.

Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
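
The check described in the reply above (every LogoutRequest the IdP sends must come back as a LogoutResponse), as an added example that is not part of the original thread and not SimpleSAMLphp code. It assumes the HTTP-Redirect binding (base64 over raw DEFLATE in a `SAMLRequest`/`SAMLResponse` query parameter) and takes the URLs copied from a browser trace; the `example.org` hosts, the IDs and the trimmed messages are constructed sample data, and POST-binding messages are not handled.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_redirect(url):
    """Decode the base64 + raw-DEFLATE SAML message in a redirect URL; None if absent."""
    qs = parse_qs(urlparse(url).query)
    raw = (qs.get("SAMLRequest") or qs.get("SAMLResponse") or [None])[0]
    if raw is None:
        return None
    xml = zlib.decompressobj(wbits=-15).decompress(base64.b64decode(raw), 1 << 20)  # cap 1 MiB
    return ET.fromstring(xml)

def unanswered_logouts(urls):
    """Map Destination -> request ID for LogoutRequests lacking a Success LogoutResponse."""
    pending = {}
    for msg in map(decode_redirect, urls):
        if msg is None:
            continue
        if msg.tag == f"{{{SAMLP}}}LogoutRequest":
            pending[msg.get("ID")] = msg.get("Destination")
        elif msg.tag == f"{{{SAMLP}}}LogoutResponse":
            code = msg.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
            if code is not None and code.get("Value") == SUCCESS:
                pending.pop(msg.get("InResponseTo"), None)
    return {dest: rid for rid, dest in pending.items()}

# --- constructed sample capture (hosts, IDs and trimmed messages are made up) ---
def sample_url(endpoint, param, xml):
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return endpoint + "?" + urlencode({param: blob})

def sample_request(rid, dest):
    return sample_url(dest, "SAMLRequest",
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="{rid}" Destination="{dest}"/>')

def sample_response(rid, status=SUCCESS):
    return sample_url("https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php",
        "SAMLResponse",
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" InResponseTo="{rid}"><samlp:Status>'
        f'<samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')

CAPTURE = [sample_request("_r2", "https://sp2.example.org/slo"), sample_response("_r2"),
           sample_request("_r3", "https://sp3.example.org/slo"),
           "https://idp.example.org/module.php/core/idp/logout-iframe-done.php"]
```

`unanswered_logouts(CAPTURE)` lists the SP endpoint whose LogoutRequest never received a successful LogoutResponse; an empty result means every service answered.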

Gabriel Guntin

Apr 29, 2019, 12:06:02 PM
to SimpleSAMLphp
Thanks Jaime.
I installed the plugin and used it to test with both versions of simplesamlphp IDP. Could you take a look at the outputs?
I see POST https://id.myorg.edu/module.php/core/idp/logout-iframe-done.php and the next lines are missing when I try using version 1.17.2

Regards.
SAML-tracer-export-2019-04-29T15_29_35.075Z----version--1.16.3.json
SAML-tracer-export-2019-04-29T15_31_33.530Z----version--1.17.2.json

Steve Bagwell

May 10, 2019, 8:41:25 AM
to SimpleSAMLphp

I thought I would mention that we are having a logout failure issue also.  We are using the YII2 framework.  Logout works fine with SSP 1.16.3 but fails silently with SSP 1.17.2 (returns to the main page with the user still authenticated). 

D.Sie...@ru.ac.za

Jun 7, 2019, 8:56:49 AM
to SimpleSAMLphp
I can't be sure that this is the same problem that OP has reported, but I'm also trying to debug a problem with SLO that results in the same error ("Unable to log out of one or more services. To ensure that all your sessions are closed, you are encouraged to close your webbrowser.")

From the Shibboleth SP's logs, the logout is successful:

2019-06-07 12:27:43 INFO Shibboleth.SessionCache [8] [default]: request to logout sessions from (https://login.ru.ac.za/idp/shibboleth) for (XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
2019-06-07 12:27:43 INFO Shibboleth.SessionCache [8] [default]: removed session (_XXXXXXXXXXXXXXXXXXXXXX)

The SAML Message Decoder extension in Firefox shows a <samlp:LogoutResponse>, and the browser does a GET to /simplesaml/saml2/idp/SingleLogoutService.php.

However, the response for that GET is the content of IFrameLogoutHandler.twig, without any templating applied.  My hunch is that onResponse() in simplesamlphp/lib/SimpleSAML/IdP/IFrameLogoutHandler.php isn't applying the template correctly, but I don't know the template system well enough to confirm that.

Screenshot_20190607_144758.png


If that makes sense, could someone check the templating there?

Thanks!