Google Apps SSO logout behavior


shambeaus

Nov 22, 2010, 1:29:43 PM
to simpleSAMLphp
I have recently configured SimpleSAMLphp to perform single sign-on for
our Google Apps for Education domain. When testing out user accounts,
I am able to log in correctly, but logging off is inconsistent. If I
log off immediately after logging in, it correctly returns me to my
SimpleSAMLphp logout page. If I stay logged in for any period of time
and try to log off, it will redirect me to a Google page listing "The
page you requested is invalid." The link provided for this is:

http://www.google.com/accounts/Logout2?service=writely&ilo=1&ils=cl,wise&ilc=0&continue=http://sso.spasd.k12.wi.us/simplesaml/saml2/idp/initSLO.php%3FRelayState%3D/simplesaml/logout.php&zx=469831634

If I go back a page to the docs main page, then click sign off it
works correctly again. Is this possibly a session timeout issue? The
following information is from the syslog when I have a failed attempt
at logging off:


Nov 22 10:06:13 sso simplesamlphp[16922]: 5 STAT [16071fc1c7] saml20-idp-SSO-first google.com http://sso.spasd.k12.wi.us/simplesaml/saml2/idp/metadata.php NA
Nov 22 10:06:13 sso simplesamlphp[16922]: 5 STAT [16071fc1c7] saml20-idp-SSO google.com http://sso.spasd.k12.wi.us/simplesaml/saml2/idp/metadata.php NA

Nov 22 10:06:19 sso simplesamlphp[16922]: 4 [16071fc1c7] Unable to initialize logout to 'saml:google.com'.

Olav Morken

Nov 25, 2010, 7:03:08 AM
to simple...@googlegroups.com

This indicates that the session hasn't expired. If the session had
expired, we wouldn't remember that we were connected to the google SP.

> NA
>
> Nov 22 10:06:19 sso simplesamlphp[16922]: 4 [16071fc1c7] Unable to
> initialize logout to 'saml:google.com'.

You should always receive that entry in the logs, since Google doesn't
support SAML 2 global logout. However, you should still end up on the
logout page afterwards.

Could you check your Apache access log and error log? It is possible
that we ran into an error that was severe enough that PHP aborted
execution of the script.

Regards,
Olav Morken
UNINETT / Feide

Nate Klingenstein

Apr 26, 2013, 2:08:29 AM
to <simplesamlphp@googlegroups.com>, <olav.morken@uninett.no>, <masover@berkeley.edu>
I think your diagnosis of this needs to start at the Shibboleth SP end by looking at the logs and the LogoutResponse message that is received.  I would imagine it's either unsigned or the signature has validation issues.  From there you should learn more about where the message is coming from and what it says.

The LogoutResponse may have been issued by Google rather than the simpleSAMLphp gateway, and Google may be untrusted by the second SP.

Something is supported somewhere or you wouldn't get an error message at all.

On Apr 26, 2013, at 1:20 , Keith Hazelton wrote:

I'm using a simpleSAMLphp-based social2SAML gateway plus the Drupal shib_auth module to support shib login to Drupal.

I'd like to allow people to logout and log back in with another account using the embedded discovery service. The eventual goal is to support account linking.

It's working fine except for logout from social IdPs (Google for one example).  I'm guessing this is because logout is not supported by Google. However an error message pops up on the user's browser and is probably disconcerting.  If you hit the back button, you're back to the login screen as desired.

Just wondering if there's a way to catch the error before it shows up in the browser.  Here's the message that shows up after logging out of Google:

----------
opensaml::SecurityPolicyException

The system encountered an error at Fri Apr 26 01:11:09 2013

To report this problem, please contact the site administrator at khaz...@gmail.com.

Please include the following message in any email:

opensaml::SecurityPolicyException at (https://cerif.org/Shibboleth.sso/SLO/Redirect)

Security of LogoutResponse not established.
---------
                  Thanks in advance,   --Keith Hazelton
________________________________________

Keith Hazelton

Apr 26, 2013, 8:09:18 AM
to simple...@googlegroups.com, Steve MASOVER
Thanks, Nate,

In /var/log/httpd/native.log I see this:

2013-04-26 01:11:09 ERROR Shibboleth.Listener [14654] shib_handler: remoted message returned an error: Security of LogoutResponse not established.
2013-04-26 01:11:09 ERROR Shibboleth.Apache [14654] shib_handler: Security of LogoutResponse not established.

There's nothing interesting in /var/log/shibboleth/shibd.log, shibd_warn.log or transaction.log.

Should I be looking somewhere else?   --Keith
________________________

Nate Klingenstein

Apr 26, 2013, 9:02:10 AM
to <simplesamlphp@googlegroups.com>, Steve MASOVER
Do you have the ability to turn logging up to a higher level?  I'm specifically interested in seeing the protocol message coming into the SP, which should be captured on debug.

It wouldn't shock me if the SP's error handling behavior here were not perfect given the (not widespread) usage of SLO, but I bet you'd find something more interesting with the logging turned up.  I find it strange that the message showed up in native.log and not shibd.log, though.

Sorry to simpleSAMLphp for borrowing your lists for this -- we send a lot of deployers this way in return. :D

Olav Morken

Apr 26, 2013, 9:42:37 AM
to simple...@googlegroups.com
On Fri, Apr 26, 2013 at 13:02:10 +0000, Nate Klingenstein wrote:
> Do you have the ability to turn logging up to a higher level? I'm specifically interested in seeing the protocol message coming into the SP, which should be captured on debug.
>
> It wouldn't shock me if the SP's error handling behavior here were not perfect given the (not widespread) usage of SLO, but I bet you'd find something more interesting with the logging turned up. I find it strange that the message showed up in native.log and not shibd.log, though.
>
> Sorry to simpleSAMLphp for borrowing your lists for this -- we send a lot of deployers this way in return. :D

For historic reasons, signing of logout messages by the simpleSAMLphp
IdP is not enabled by default, so my guess would be that this is the
source of the error.

If it is not already present, try adding:

'sign.logout' => TRUE,

to your IdP in metadata/saml20-idp-hosted.php

Best regards,
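As an added example (not code from this thread, nor from simpleSAMLphp or Shibboleth), a small Python triage script for the failure Nate and Olav discuss above: it decodes a SAML LogoutResponse as received on an SP's HTTP-Redirect SLO endpoint, reports issuer and status, and checks whether the sender attached the SigAlg/Signature query parameters at all, which is what the simpleSAMLphp `sign.logout` setting controls. The LogoutResponse XML, hostnames and RelayState are constructed placeholders, and the signature check is a presence check only; the SP still verifies the value against the IdP's metadata.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a LogoutResponse shaped like what a simpleSAMLphp IdP sends
# to an SP's SLO/Redirect endpoint (hostnames are placeholders, not the thread's).
SAMPLE_LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2013-04-26T01:11:09Z" '
    'Destination="https://sp.example.org/Shibboleth.sso/SLO/Redirect">'
    '<saml:Issuer>https://idp.example.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>')

def build_redirect_query(xml_text, relay_state, signature_params=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query params.
    SigAlg/Signature are appended only when the sender actually signs."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = [("SAMLResponse", base64.b64encode(deflated).decode("ascii")),
              ("RelayState", relay_state)]
    if signature_params:
        params += list(signature_params.items())
    return urlencode(params)

def inspect_logout_response(query_string):
    """Decode the SAMLResponse from a redirect-binding query string and report the
    facts needed to triage 'Security of LogoutResponse not established'."""
    params = parse_qs(query_string)
    xml_bytes = zlib.decompress(base64.b64decode(params["SAMLResponse"][0]), -15)
    root = ET.fromstring(xml_bytes)
    issuer = root.find("saml:Issuer", NS)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return {"issuer": issuer.text.strip() if issuer is not None else None,
            "status": code.get("Value") if code is not None else None,
            # Presence only: a missing SigAlg/Signature means the sender never signed;
            # when present, the SP still has to verify it against the issuer's metadata.
            "signed": "SigAlg" in params and "Signature" in params}

def triage(info):
    """Map the decoded facts onto the two causes raised in the thread."""
    if not info["signed"]:
        return "unsigned LogoutResponse from %s: enable 'sign.logout' on that IdP" % info["issuer"]
    return "signed LogoutResponse from %s: check the SP trusts this issuer's key" % info["issuer"]
```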

Keith Hazelton

Apr 26, 2013, 11:02:48 AM
to simple...@googlegroups.com, Steve Masover
Olav,

That was it. Problem solved.

Mange takk, --Keith
___________________