simpleSAMLphp logout issues


Scott Fortin

Sep 16, 2011, 4:02:03 PM
to simpleSAMLphp
Hello simpleSAMLphp!

I set up SSO for Google Apps but can't seem to get logout to work.

I read a bunch of forum posts but I'm not 100% sure I understand.
When I try to log out of our organization's Google Apps email it brings
me to a simpleSAMLphp error page that has the following:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 /var/simplesamlphp/www/_include.php:37
(SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /var/simplesamlphp/lib/SAML2/Binding.php:79
(SAML2_Binding::getCurrentBinding)
1 /var/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389
(sspmod_saml_IdP_SAML2::receiveLogoutMessage)
0 /var/simplesamlphp/www/saml2/idp/SingleLogoutService.php:23 (N/A)

I read that SAML2 does not support Single Logout but if that is true,
how does a user logout? Do they just let it time out? Is there
documentation explaining how to setup a Single Logout Service?

Thank you very much for your help in advance!

SMCC

Peter Schober

Sep 17, 2011, 7:40:11 AM
to simpleSAMLphp
* Scott Fortin <skot....@gmail.com> [2011-09-16 22:03]:

> I read that SAML2 does not support Single Logout but if that is true,
> how does a user logout?

No, the SAML2 specs do include ("support", if you wish) single logout
so wherever you read that, you can easily see it's wrong by looking
at the SAML2 specs[1] yourself.
SimpleSAMLphp implements some of the bindings usable for that, but
AFAIK Google Apps do not support SAML2 logout, they simply redirect to
some URL you can configure (which is not the same as SAML2 single
logout).
-peter

[1] "4.4 Single Logout Profile" in
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
and "3.7 Single Logout Protocol" in
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
both linked from http://saml.xml.org/saml-specifications

Jacob Christiansen

Sep 19, 2011, 3:16:18 AM
to simple...@googlegroups.com
Hi.

The problem is that Google Apps do not support SAML2 Single Logout.
If you hit logout in Google Apps, Google will kill its own session and just do a "plain" redirect to the logout endpoint that you have specified in the Google Apps control panel. So if you want logout to work with your SSP installation, you need to implement some additional logic yourself.

Regards / Med venlig hilsen

Jacob Christiansen
System Developer
WAYF

Phone/Tlf: +45 31313631
Mail: ja...@wayf.dk
Skype: jacchristiansen

H. C. Andersens Boulevard 2
DK-1553 København V



Scott Fortin

Sep 23, 2011, 10:00:08 PM
to simpleSAMLphp
Thanks for getting back to me.

Once Google kills its session it points back to the SSP server. What
URL would you put to kill the SSP session? And what, if any,
parameters would you pass to the SSP server? How does the SSP server
know which user to log out?



Peter Schober

Sep 23, 2011, 10:39:26 PM
to simpleSAMLphp
* Scott Fortin <skot....@gmail.com> [2011-09-24 04:00]:

> Once Google kills it's session it points back to the SSP server. What
> URL would you put to kill the SSP session? And what, if any,
> parameters would you pass to the SSP server? How does the SSP server
> know which user to log out?

As Google does not support SAML logout, if you wanted to disable the
session at your SSP IdP you'd need to do that yourself (don't know if
SSP offers any helper functions for that, it probably does).
But you could redirect to any resource on your IdP vhost you want and
simply put some simple code there that overwrites any cookies that
match the cookie name your SSP IdP sets (and present whatever text you
see fit for the user).
Note that since this is not Single Logout, if you accessed any other
SAML SP besides the one you just logged out from (Google Apps in this
case) you'll still be logged in there, and logging out from Google Apps
and destroying your session cookie at the IdP will not change that.
So telling users they're logged out when in fact you cannot know
whether they really are is not doing them a favor, security-wise.
-peter

Olav Morken

Sep 26, 2011, 6:40:05 AM
to simpleSAMLphp
On Sat, Sep 24, 2011 at 04:39:26 +0200, Peter Schober wrote:
> * Scott Fortin <skot....@gmail.com> [2011-09-24 04:00]:
> > Once Google kills it's session it points back to the SSP server. What
> > URL would you put to kill the SSP session? And what, if any,
> > parameters would you pass to the SSP server? How does the SSP server
> > know which user to log out?
>
> As Google does not support SAML logout if you wanted to disable the
> session at your SSP IdP you'd need to do that yourself (don't know if
> SSP offers any helper functions for that, it probably does).

The simplest workaround is to point Google Apps to the IdP-initiated
single logout service endpoint. That will trigger a logout both at the
IdP and at all SPs the user is currently logged in to.

Unfortunately, if you are using the iframe logout handler, the Google
Apps SP will show up in the list of SPs that the IdP is attempting to
log the user out from. The logout will fail because there isn't a
SingleLogoutService endpoint registered for that SP.

To use the IdP initiated logout, point Google Apps to:

https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php?ReturnTo=https://some.page

Regards,
Olav Morken
UNINETT / Feide
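Added example, not code from the thread or from SimpleSAMLphp: a small Python model of what an IdP's SingleLogoutService endpoint sees in the three cases discussed above. A bare redirect from Google Apps carries no SAMLRequest/SAMLResponse parameter, so binding detection fails with the same message as Scott's backtrace; a real SP-initiated logout arrives as a deflated, base64-encoded samlp:LogoutRequest on the HTTP-Redirect binding; and Olav's workaround hands the endpoint a ReturnTo parameter, which turns the call into an IdP-initiated logout that terminates the IdP session and then tries every SP in it (failing for Google, which has no SLO endpoint, as Olav notes). The entity IDs, URLs, session contents, the ReturnTo host allow-list and the dispatch order are assumptions made for this model; signature verification of the LogoutRequest is omitted and would be required in a real endpoint.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed for the example: SPs the IdP session knows about and their SLO endpoints.
# Google Apps has none, which is the whole problem in this thread.
SP_SLO_ENDPOINTS = {
    "google.com/a/example.org": None,
    "https://sp.example.org/saml/metadata": "https://sp.example.org/saml/slo",
}
ALLOWED_RETURN_HOSTS = {"idp.example.org", "www.example.org"}  # assumption for this model


class BindingError(Exception):
    """Raised when a request carries no SAML message at all (Google's plain redirect)."""


def detect_binding(method: str, params: dict) -> str:
    """Pick the binding from the HTTP method and parameter names, as a SAML endpoint must."""
    has_message = "SAMLRequest" in params or "SAMLResponse" in params
    if method == "GET" and has_message:
        return "HTTP-Redirect"
    if method == "POST" and has_message:
        return "HTTP-POST"
    raise BindingError("Unable to find the current binding.")


def deflate_b64(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def build_logout_request(issuer: str, name_id: str, session_index: str) -> str:
    """A minimal samlp:LogoutRequest, i.e. the message Google Apps never sends."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_req1" Version="2.0" IssueInstant="2011-09-16T20:02:03Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def single_logout_service(method: str, params: dict, session: dict) -> dict:
    """Model of the IdP SLO endpoint: ReturnTo means IdP-initiated logout, anything
    else must be a SAML logout message. session = {"name_id": str, "sps": [entity ids]}."""
    if "ReturnTo" in params:
        # IdP-initiated logout. Nothing in the request identifies the user; the IdP can
        # only act on its own session cookie and then try each SP's SLO endpoint.
        host = urllib.parse.urlsplit(params["ReturnTo"]).hostname
        if host not in ALLOWED_RETURN_HOSTS:
            raise ValueError("ReturnTo host not allowed")  # hardening chosen for this model
        results = {}
        for sp in session["sps"]:
            slo = SP_SLO_ENDPOINTS.get(sp)
            results[sp] = "LogoutRequest sent" if slo else "no SingleLogoutService endpoint: logout fails"
        session["sps"], session["name_id"] = [], None
        return {"mode": "idp-initiated", "sp_results": results, "redirect": params["ReturnTo"]}

    binding = detect_binding(method, params)  # BindingError for a bare redirect
    raw = params["SAMLRequest"]
    xml_text = inflate_b64(raw) if binding == "HTTP-Redirect" else base64.b64decode(raw).decode()
    root = ET.fromstring(xml_text)  # NOTE: a real endpoint verifies the signature here
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if root.findtext(f"{{{SAML}}}NameID") != session.get("name_id"):
        raise ValueError("NameID does not match the IdP session")
    # The requesting SP is done; every other SP still holds its own session and would
    # need its own LogoutRequest before the user is really logged out everywhere.
    remaining = [sp for sp in session["sps"] if sp != issuer]
    session["sps"] = remaining
    return {"mode": "sp-initiated", "binding": binding, "issuer": issuer, "still_logged_in": remaining}


def demo() -> dict:
    """Run the three cases from the thread against one constructed IdP session."""
    def fresh_session():
        return {"name_id": "scott@example.org",
                "sps": ["google.com/a/example.org", "https://sp.example.org/saml/metadata"]}
    out = {}
    try:  # 1. Google Apps logout: plain redirect, no SAML message -> the thread's error
        single_logout_service("GET", {}, fresh_session())
    except BindingError as e:
        out["google_bare_redirect"] = str(e)
    # 2. A proper SP-initiated LogoutRequest on the HTTP-Redirect binding
    req = deflate_b64(build_logout_request("https://sp.example.org/saml/metadata",
                                           "scott@example.org", "_s1"))
    out["saml_logout_request"] = single_logout_service("GET", {"SAMLRequest": req}, fresh_session())
    # 3. Olav's workaround: Google's logout URL points at the SLO endpoint with ReturnTo
    out["returnto"] = single_logout_service("GET", {"ReturnTo": "https://www.example.org/bye"},
                                            fresh_session())
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The ReturnTo branch makes Peter's caveat concrete: the IdP session is gone, but for any SP without an SLO endpoint the entry in `sp_results` records a failed logout, so the user is not logged out there and the page shown after the redirect should not claim otherwise.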
