SingleLogoutService - IdP First


khek...@gmail.com

Aug 29, 2017, 10:52:29 AM
to SimpleSAMLphp
Hi,
I am trying to implement a logout procedure in my web application. I use a Shibboleth SP in my application and SimpleSAMLphp is my Identity Provider.

I implemented a custom login procedure in my application with a custom HTTP client (Guzzle) that calls a login form on the IdP... The login routine works well. In the IdP's log I see the info and the user is logged in to my application.

The logout routine is implemented with a call to the IdP SLO URL (see the docs here: https://simplesamlphp.org/docs/stable/simplesamlphp-idp-more#section_5). There are no errors or exceptions... but, unfortunately, the user stays connected.


This is my log on the IdP:

Aug 29 16:31:16 simplesamlphp INFO [725a48bd27] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Aug 29 16:31:16 simplesamlphp INFO [725a48bd27] SAML2.0 - IdP.SSOService: IdP initiated authentication: 'https://MYAPPLICATION/SP/shibboleth'
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Session: 'YYYYYYYY' not valid because we are not authenticated.
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Saved state: '_f2e0e542e08509ec0d4c1c50e6cc080fc5c0201530:https://MYIDP/simplesaml/saml2/idp/SSOService.php?spentityid=https%3A%2F%MYAPPLICATION%2Fshibboleth&cookieTime=1504017076'
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Loading state: '_f2e0e542e08509ec0d4c1c50e6cc080fc5c0201530:https://MYIDPsimplesaml/saml2/idp/SSOService.php?spentityid=https%3A%2F%2FMYAPPLICATION%2Fshibboleth&cookieTime=1504017076'
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Template: Reading [/var/www/html/simplesamlphp/dictionaries/login]
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Loading state: '_f2e0e542e08509ec0d4c1c50e6cc080fc5c0201530:https://MYIDP/simplesaml/saml2/idp/SSOService.php?spentityid=https%3A%2F%2FMYAPPLICATION%2Fshibboleth&cookieTime=1504017076'
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Loading state: '_f2e0e542e08509ec0d4c1c50e6cc080fc5c0201530:https://MYIDP/simplesaml/saml2/idp/SSOService.php?spentityid=https%3A%2F%2FMYAPPLICATION%2Fshibboleth&cookieTime=1504017076'

Aug 29 16:31:16 simplesamlphp NOTICE STAT [725a48bd27] User 'XXXXXXXXXXX' has been successfully authenticated.

Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Deleting state: '_f2e0e542e08509ec0d4c1c50e6cc080fc5c0201530'
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Session: doLogin("YYYYYYYY")
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Session: Valid session found with 'ZZZZ'.
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Session: Valid session found with 'ZZZZ'.

------------------------


Aug 29 16:32:29 simplesamlphp INFO [e06a2b4077] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Aug 29 16:32:29 simplesamlphp DEBUG [e06a2b4077] Saved state: '_5e749bc3a99e17642372d04401633178eba1d71b04'
Aug 29 16:32:29 simplesamlphp DEBUG [e06a2b4077] Session: 'YYYYYYYY' not valid because we are not authenticated.
Aug 29 16:32:29 simplesamlphp DEBUG [e06a2b4077] Loading state: '_5e749bc3a99e17642372d04401633178eba1d71b04'


The SP log receives the message when the user is logged in... when I try to disconnect the user, the SP doesn't receive any message from the IdP.


Any ideas as to what else I should check to diagnose this problem?

Thank you for the help and sorry for my English!!

Francesco Sansone
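The IdP log quoted above shows the symptom clearly once the lines are grouped by SimpleSAMLphp's per-request tracking id (the hex tag in square brackets): the SSOService request logs `doLogin("YYYYYYYY")`, but the later SingleLogoutService request logs that `'YYYYYYYY'` is "not valid because we are not authenticated", i.e. the logout arrived in a session in which that authority was never logged in. The quoted names are the authority (auth source) names SimpleSAMLphp checks, anonymized by the poster. The following script is an added example, not code from the thread or from SimpleSAMLphp; it parses the posted log lines (embedded as constructed sample input), correlates login and logout requests, and reports logouts that do not carry the session of the login. The log format it expects is the one shown in the post; it assumes nothing about other SimpleSAMLphp versions.

```python
import re
from collections import defaultdict

# Constructed sample input: the session-related lines from the IdP log quoted
# in the post above (authority and user names already anonymized by the poster).
SAMPLE_LOG = """\
Aug 29 16:31:16 simplesamlphp INFO [725a48bd27] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Session: 'YYYYYYYY' not valid because we are not authenticated.
Aug 29 16:31:16 simplesamlphp NOTICE STAT [725a48bd27] User 'XXXXXXXXXXX' has been successfully authenticated.
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Session: doLogin("YYYYYYYY")
Aug 29 16:31:16 simplesamlphp DEBUG [725a48bd27] Session: Valid session found with 'ZZZZ'.
Aug 29 16:32:29 simplesamlphp INFO [e06a2b4077] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Aug 29 16:32:29 simplesamlphp DEBUG [e06a2b4077] Session: 'YYYYYYYY' not valid because we are not authenticated.
"""

# One log line: timestamp, "simplesamlphp", level (NOTICE lines carry "STAT"),
# the bracketed tracking id, and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) simplesamlphp "
    r"(?P<level>[A-Z]+(?: STAT)?) \[(?P<track>[0-9a-f]+)\] (?P<msg>.*)$"
)
ENDPOINT_RE = re.compile(r"Accessing SAML 2\.0 IdP endpoint (\w+)")
NOT_VALID_RE = re.compile(r"Session: '([^']+)' not valid because we are not authenticated")
DOLOGIN_RE = re.compile(r'Session: doLogin\("([^"]+)"\)')


def parse_log(text):
    """Group parsed lines by the per-request tracking id in [..]."""
    by_track = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_track[m["track"]].append(m.groupdict())
    return dict(by_track)


def summarize(entries):
    """For one request: the endpoint it hit, the authorities it logged in, and
    the authorities it found unauthenticated in the session it was given."""
    out = {"endpoint": None, "logged_in": set(), "unauthenticated": set()}
    for e in entries:
        msg = e["msg"]
        if (m := ENDPOINT_RE.search(msg)):
            out["endpoint"] = m.group(1)
        elif (m := DOLOGIN_RE.search(msg)):
            out["logged_in"].add(m.group(1))
        elif (m := NOT_VALID_RE.search(msg)):
            out["unauthenticated"].add(m.group(1))
    return out


def diagnose(text):
    """Report SingleLogoutService requests whose presented session does not hold
    an authority that an earlier SSOService request in the same log logged in.
    That is the signature of a logout sent without the login's session cookie."""
    reqs = {t: summarize(es) for t, es in parse_log(text).items()}
    logins = defaultdict(list)  # authority name -> tracking ids that logged it in
    for track, s in reqs.items():
        if s["endpoint"] == "SSOService":
            for auth in s["logged_in"]:
                logins[auth].append(track)
    findings = []
    for track, s in reqs.items():
        if s["endpoint"] != "SingleLogoutService":
            continue
        for auth in sorted(s["unauthenticated"]):
            if auth in logins:
                findings.append({"track": track, "authority": auth,
                                 "logged_in_by": logins[auth]})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"[{f['track']}] logout presented a session where '{f['authority']}' "
              f"is not authenticated; it was logged in by request(s) {f['logged_in_by']}")
```

On the posted log this reports exactly one finding, for tracking id e06a2b4077. The login was performed by a server-side HTTP client, so the session cookie the IdP set at login lives in that client's cookie jar, not in the user's browser; whichever of the two then calls the SLO endpoint without that cookie is, from the IdP's point of view, an unauthenticated visitor, which is why no LogoutRequest ever reaches the SP.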



Peter Schober

Aug 29, 2017, 11:10:37 AM
to SimpleSAMLphp
* khek...@gmail.com <khek...@gmail.com> [2017-08-29 16:52]:
> I implemented a custom login procedure in my application with a
> custom HTTP Client (Guzzle), that it calls a login form on the
> idp...

That doesn't sound right. Only the subject's HTTP User Agent should
be interacting with the IDP -- whether that's using the SAML Web SSO
Profile (which you seem to be misusing here) or the SAML ECP profile
(which /is/ meant for programmatic interaction with the IDP and SP).
So what's going on here?
-peter

khek...@gmail.com

Aug 29, 2017, 11:54:22 AM
to SimpleSAMLphp, peter....@univie.ac.at

First of all, thanks for your answer.

Sorry... but why isn't it correct to log in programmatically? Sorry... I'll try to understand how it works...

My goal is to implement a procedure that doesn't call the login form on the IdP directly but executes the login interaction with the IdP programmatically, through the use of an HTTP client, and with a logout that works fine... Maybe my way is not correct? Is it possible to log the user in programmatically? What is the best choice to do it?


Best regards
Francesco

Peter Schober

Aug 29, 2017, 12:25:09 PM
to SimpleSAMLphp
* khek...@gmail.com <khek...@gmail.com> [2017-08-29 17:54]:
> Sorry...but why isn't correct make login programmatically?
> Sorry..i'll try to understand how it works...

It's not appropriate when using the SAML 2.0 Web Browser SSO Profile,
though the SAML 2.0 ECP Profile was written for this. Whether your
use-case is a good match for the ECP Profile I couldn't say.

Personally I wouldn't want to be exposed to /any/ code that grabs my
password verbatim and impersonates me to other services.
Also it's important to understand for subjects /where/ they may enter
their credentials safely. I'd certainly not allow your web site
grabbing and replaying my password to my IDP.

Something that's not the IDP (or an ECP client running under my
control) has no right/business to ask for my password, IMHO.

But YMMV and I'm aware I did not comment on your actual question.
-peter