LogoutHandler and application logout of an Angular based Webapp


Fidora, Gordon

Aug 9, 2023, 4:46:12 AM
to simple...@googlegroups.com

Good morning,

I have a question regarding the LogoutHandler of SimpleSAMLphp:

Up to now I killed the session of my client-server PHP applications in the LogoutHandler, and the user was also logged out of the application.

We now have a new web app based on Angular, and we cannot use the PHP session id for the application logout:
After a successful SimpleSAMLphp login I set a cookie and the user can use the web app.

If I now do a global logout from our central web portal, the IdP sends a SAML logout request. The SimpleSAMLphp LogoutHandler is executed, but I am not able to unset the cookie of the web app.

SimpleSAMLphp logout works; web app logout doesn't. What can I do in this case?


Best regards

Gordon





Peter Brand

Aug 9, 2023, 6:48:46 AM
to simple...@googlegroups.com
* Fidora, Gordon <Gordon...@krone.de> [2023-08-09 10:46]:
> We have now a new WebApp based on Angular - and we cannot use the
> php-sessionId for application Logout:
> After a successful SimpleSAMLphp login I set a cookie and the user can use the WebApp.
> If I do now a global Logout from our central Web-Portal the IDP
> sends a SAML-Logout request. The SimpleSAMLphp LogoutHandler is
> executed, but I am not able to unset the cookie of the Webapp.
>
> SimpleSamlPHP logout works - WebApp logout doesn't. What can I do in
> this case?

Did you trace the HTTP Request and Response Headers during SSO and
SLO, specifically on what URLs and with what parameters (esp. Cookie
path) that cookie of yours is being set, and at what specific URL
you're trying to unset it?

Is that SLO request from the IDP a front-channel request (i.e., does
it involve a redirect of the browser, either full-frame or within an
iframe -- which only works with third-party cookies enabled in the
browser) or a back-channel request (being sent directly from the IDP
to the SP; assuming SSP even implements those)?

Without the browser being present on logout you wouldn't know what
session cookie to delete (since the browser can't present the
cookie). If that were the case here (though I doubt it) you'd have to
index the session during SSO with something from the SAML
Response/Assertion that you'd also receive again in a SAML SLO
request (could be a session id of some sort or maybe a SAML
NameID). That way you could still revoke the server-side session
(represented by the cookie on the client/browser side) without having to
know what the cookie value is.

-peter

Tim van Dijen

Aug 10, 2023, 3:42:21 AM
to SimpleSAMLphp
Hi Gordon,

Two things:
- You can customize the LogoutHandler by passing a 'ReturnCallback' parameter to the logout()-method.
  After the LogoutHandler finishes, it will call the custom callback method to deal with your application-specific stuff.
- You can close the SSP session and give control back to your application session by calling \SimpleSAML\Session::getSessionFromRequest()->cleanup();
  Then you should be able to properly kill the session in the application / remove the cookie.

- Tim
On Wednesday, August 9, 2023 at 12:48:46 UTC+2, Peter Brand wrote:

Fidora, Gordon

Aug 10, 2023, 10:43:50 AM
to simple...@googlegroups.com

Hi Tim, hi Peter,

thanks for your answers.

The application runs in an iframe. I assume it's a front-channel request. I can track the SAML logout response via a browser plugin.


>You can customize the LogoutHandler by passing a 'ReturnCallback' parameter to the logout()-method.

>After the LogoutHandler finishes, it will call the custom callback method to deal with your application-specific stuff.

Sorry, I don't know how to do that. Could you please give me a little example?

In general, and detached from the LogoutHandler:

Isn't it possible to redirect after a successful logout roundtrip to a specific URL, which handles the application logout process?
Maybe this redirect URL has to be set in the IdP logout metadata?


Best regards, Gordon
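Tim's two hints and Gordon's question about a redirect after the logout roundtrip, as an added example that is not from the thread or the SimpleSAMLphp project: an SP-side PHP script that passes a ReturnCallback for SP-initiated logout, registers a logout handler for the IdP-initiated (front-channel) case, and expires the app cookie with the same path and domain it was set with, which is the check Peter asks about. The authsource 'default-sp', the cookie name 'app_session', the helper AppSession::revoke(), the origin app.example.com and the autoloader path are assumptions.

```php
<?php
// Added example, not code from the thread or the SimpleSAMLphp project. Placeholders:
// authsource 'default-sp', cookie 'app_session', hypothetical AppSession::revoke(),
// app origin https://app.example.com and the SSP autoloader path.
require_once '/var/simplesamlphp/src/_autoload.php';
use SimpleSAML\Auth\Simple;
use SimpleSAML\Session;

final class AppLogout
{
    /** Expire the app cookie with the SAME path/domain/flags it was set with. */
    public static function clearAppCookie(): void
    {
        setcookie('app_session', '', [
            'expires'  => time() - 3600,
            'path'     => '/',               // must match the original Set-Cookie
            'domain'   => 'app.example.com', // ditto (assumption)
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'None',            // the app runs inside an iframe
        ]);
    }
    /** ReturnCallback: SSP calls this with its state array once SLO has completed. */
    public static function afterSlo(array $state): void
    {
        Session::getSessionFromRequest()->cleanup(); // hand control back to the app session
        AppSession::revoke();                        // hypothetical helper
        self::clearAppCookie();
        header('Location: https://app.example.com/logged-out', true, 302);
        exit;
    }
    /** Logout handler for IdP-initiated (front-channel) SLO, the case in the first mail. */
    public static function onIdpLogout(): void
    {
        AppSession::revoke();
        self::clearAppCookie();
    }
}

$as = new Simple('default-sp');
if (isset($_GET['logout'])) {
    // SP-initiated logout (the app's "Log out" link): run SLO, then our callback.
    // Callback and handler must be static methods: SSP serializes them in its state.
    $as->logout(['ReturnCallback' => [AppLogout::class, 'afterSlo']]);
} elseif ($as->isAuthenticated()) {
    // Right after login (where the app cookie is issued): make IdP-initiated
    // logout clear the app cookie too.
    Session::getSessionFromRequest()
        ->registerLogoutHandler('default-sp', AppLogout::class, 'onIdpLogout');
}
```

Passing 'ReturnTo' instead of 'ReturnCallback' gives the plain redirect-to-URL behaviour Gordon asks about, but the page at that URL then still has to expire the cookie with the matching path and domain.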
