Connecting SimpleSAMLphp to Zoho


rdalm...@gmail.com

Jan 20, 2021, 10:58:34 AM
to SimpleSAMLphp

Hey guys,

For a few years I have been using SimpleSAMLphp successfully. Recently an issue has come up where I am trying to connect to Zoho.

In a normal situation I would just read the metadata URL and be done with it; however, Zoho doesn't offer any metadata URL. Instead they offer these URLs (anonymized):

Default Relay State
xxxxxx

Entity ID (Issuer)

The login routine is working by using the Request URL, however the logout routine is failing.

The logout fails with this error:

You accessed the SingleLogoutService interface, but did not provide a SAML LogoutRequest or LogoutResponse. Please note that this endpoint is not intended to be accessed directly.

The reason it fails as far as I can see is that we do not receive any SAML response. I have listed as logout URL <domain>/sso/saml2/idp/SingleLogoutService.php in their configuration. They do not import metadata either.

Their support told me that they do not send any SAML response to the logout URL, only redirect.

Does anybody know if I should use the SimpleSAMLphp logout URL or just my own? If this needs to be a SimpleSAMLphp link, do I need to do something with that Relaystate perhaps?

If I just put my own URL, the user will never be logged out of SimpleSAMLphp.

Thank you for any insights.

Kind regards,

Roland

pat...@cirrusidentity.com

Jan 20, 2021, 4:45:57 PM
to SimpleSAMLphp
The SingleLogoutService.php endpoint is expecting a SAML logout request and is not a location you can visit to initiate a logout.
We've had enough SPs that don't send SAML logout messages and instead redirect users there that we ended up patching ours (patch attached).

What's right for you really depends on how you want logout to work.  Should logging out of Zoho log the user out of every app? Then you can use the patch.
If not, then you can send them somewhere telling them to close their browser or send them to '/SSP-INSTALL_PATH/logout.php' and set the message you want displayed via your theme + dictionary override.

-Patrick
logout.patch
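
An added example, not part of the thread and not the attached patch: a small Python triage helper that classifies a logged GET to the SingleLogoutService endpoint as a bare redirect (what Zoho support described) or a real HTTP-Redirect-binding logout message. The host `idp.example.org`, the function names and the sample message are constructed for illustration, and the size cap is an assumption.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
MAX_XML = 64 * 1024  # assumed cap on inflated size, guards against deflate bombs


def classify_slo_hit(url):
    """Say what one GET to SingleLogoutService.php actually carried."""
    params = parse_qs(urlsplit(url).query)
    for name in ("SAMLRequest", "SAMLResponse"):
        if name not in params:
            continue
        try:
            raw = base64.b64decode(params[name][0], validate=True)
            inflater = zlib.decompressobj(-15)  # Redirect binding uses raw DEFLATE
            xml = inflater.decompress(raw, MAX_XML)
            if inflater.unconsumed_tail or b"<!DOCTYPE" in xml:
                return "malformed-saml-message"  # oversized, or a DTD SAML never needs
            root = ET.fromstring(xml)
        except (ValueError, zlib.error, ET.ParseError):
            return "malformed-saml-message"
        if root.tag in (SAMLP + "LogoutRequest", SAMLP + "LogoutResponse"):
            return root.tag[len(SAMLP):]
        return "unexpected-saml-message"
    return "bare-redirect"  # no SAML parameter at all: the case discussed in the thread


def constructed_url(xml, param="SAMLRequest"):
    """Build a constructed sample URL; host and message content are made up."""
    deflater = zlib.compressobj(wbits=-15)
    body = deflater.compress(xml) + deflater.flush()
    query = urlencode({param: base64.b64encode(body).decode()})
    return "https://idp.example.org/sso/saml2/idp/SingleLogoutService.php?" + query


if __name__ == "__main__":
    logout = (b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
              b' ID="_constructed" Version="2.0" IssueInstant="2021-01-20T10:00:00Z"/>')
    for u in ("https://idp.example.org/sso/saml2/idp/SingleLogoutService.php",
              constructed_url(logout)):
        print(classify_slo_hit(u), u[:80])
```

Run over the request URLs in the IdP's access log, it shows whether an SP ever sends a logout message, which is the fact needed to choose between the two options described above.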

rdalm...@gmail.com

Jan 21, 2021, 3:15:52 PM
to SimpleSAMLphp
Hello Patrick,

Thank you for your response, it is appreciated. Aha, so it is not uncommon for SPs not to send a SAML logout request. The patch looks promising, so I am going to give that a try. At the very least I know I don't have to chase a non-existing SAML request :)

Have a great day.