Return to referring site after SAML IDP Logout


Steve Christensen

Sep 2, 2021, 5:46:42 PM
to RCDevs Security Solutions - Technical
My website (www.home.lan) uses SimpleSAMLphp, and when a user logs in they authenticate against WebADM OpenID & SAML Provider.

<?php
  require_once('_autoload.php');
  $as = new SimpleSAML_Auth_Simple('default-sp');
  $as->requireAuth();
  $attributes = $as->getAttributes();
?>
This takes the user to the WebADM OpenID/SAML server, where they authenticate.

After they authenticate they are automatically redirected after 2 seconds back to the referring page (www.home.lan).

When a user logs off using:
<form action="https://www.home.lan/saml/module.php/core/authenticate.php?as=default-sp&logout" method="post"><button type="submit">Logout</button></form>

it takes them to:

The screen says "Logged out from SAML SSO service" and there is a "Close" button.
When you click on the Close button I just get a blank white screen. If I manually go back to www.home.lan I can see that I am successfully logged out.

How do I automatically redirect back to the original site?

Thanks,

Steve




Benoît Jager (RCDevs)

Sep 3, 2021, 4:04:12 AM
to RCDevs Security Solutions - Technical
Hello,

Can you enable the setting "Disable Confirmation" in the configuration of Application->OpenID?

Best regards

Steve Christensen

Sep 3, 2021, 10:20:35 AM
to RCDevs Security Solutions - Technical
I checked the "Disable Confirmation" box and changed it from No (Default) to Yes, but the behavior is the same.

After more digging, I determined that I can tear down the session on the SimpleSAMLphp side using the following code:

<?php

// Include Library
include_once('lib.php');

// Pull in Autoload for SimpleSAML
require_once('_autoload.php');

// Access SP session
$idpAuth = new \SimpleSAML\Auth\Simple('default-sp');

// Logout to SAML test

?>

I am going to try that instead of ending the session on the IDP side. I don't know if there is a "correct" way from a security standpoint.

Thanks,

Steve
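For reference, here is an added example (not Steve's code and not part of the RCDevs or SimpleSAMLphp projects) of a logoff.php that starts the logout from the SP side and asks SimpleSAMLphp to send the browser back to the site afterwards, using the ReturnTo parameter of \SimpleSAML\Auth\Simple::logout(). It assumes the SP is still called 'default-sp', that the site lives at https://www.home.lan/, and that _autoload.php is at the default install path; the same-origin check on ReturnTo is there so the logout endpoint cannot be turned into an open redirect.

```php
<?php
// Added example: SP-initiated SAML logout that returns to our own site.
// Assumption: default SimpleSAMLphp install path; adjust if it differs.
require_once('/var/simplesamlphp/lib/_autoload.php');

$as = new \SimpleSAML\Auth\Simple('default-sp');

// Where to send the browser once logout has completed. A caller may pass
// ?ReturnTo=..., but only a URL on our own host over https is accepted,
// so nobody can use this page as an open redirect after logging out.
$returnTo = 'https://www.home.lan/';
if (isset($_GET['ReturnTo'])) {
    $candidate = (string) $_GET['ReturnTo'];
    $scheme = parse_url($candidate, PHP_URL_SCHEME);
    $host   = parse_url($candidate, PHP_URL_HOST);
    if ($scheme === 'https' && $host === 'www.home.lan') {
        $returnTo = $candidate;
    }
}

if ($as->isAuthenticated()) {
    // logout() ends the local SP session first, then sends a SAML
    // LogoutRequest to the IdP. When the IdP's LogoutResponse arrives at
    // the SP's SingleLogoutService endpoint, SimpleSAMLphp redirects the
    // browser to ReturnTo. If the IdP never sends that response (for
    // example because it stops on its own "Close" page), the redirect
    // cannot happen, even though the SP session is already gone.
    $as->logout([
        'ReturnTo' => $returnTo,
    ]);
    // logout() does not return; it redirects and exits.
}

// No SP session to tear down: just go back to the site.
header('Location: ' . $returnTo, true, 302);
exit;
```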


Steve Christensen

Sep 3, 2021, 10:28:14 AM
to RCDevs Security Solutions - Technical
I put the above code in logoff.php and get the same behavior. I successfully log off but am still stuck on the OpenID logoff page. Any other thoughts?

Thanks,

Steve