Missing RelayState in logout response?


Fedyukin, Alexander

Mar 31, 2010, 8:51:08 PM
to simpleSAMLphp
When clicking a 'log out' link on our test SP we get the following
error message:


BADREQUEST('%REASON%' => 'Missing RelayState in logout response.')

0: /home/y/var/simplesamlphp/modules/saml/www/sp/saml2-logout.php:45
(require)
1: /home/y/var/simplesamlphp/www/module.php:137 (N/A)


Essentially, the SP sends logout request to the IDP which seems to
work fine (no errors in the IDP log). However, the IDP sends back SAML
response that does not have a RelayState set.

Do we need to add something to IDP or SP metadata or other
configuration files?

Olav Morken

Apr 6, 2010, 2:12:24 AM
to simple...@googlegroups.com

It looks like the IdP doesn't include the RelayState with the
LogoutResponse message. The LogoutRequest was sent with the
HTTP-Redirect binding, with a RelayState parameter, and the SP expects
the IdP to reply using the HTTP-Redirect binding, and include the same
RelayState with the response message.

As for why the IdP does not include this with its response, I do not
know. If it is a simpleSAMLphp IdP, it should include it automatically.

--
Olav Morken
UNINETT / Feide

Fedyukin, Alexander

Apr 13, 2010, 6:09:42 PM
to simpleSAMLphp
If my understanding is correct, the RelayState means a page that the
user should end up on after logout. How would IDP know what it should
be unless it is explicitly configured? We are using SimpleSAML IDP.

As a workaround, we specified the RelayState in the logout link
similar to the example here: http://simplesamlphp.org/docs/1.5/simplesamlphp-googleapps

However, I am wondering why it points to 'initSLO.php' while default
metadata points to 'SingleLogoutService.php'. Note,
SingleLogoutService.php does not accept RelayState as parameter.

Alexander


Olav Morken

Apr 14, 2010, 3:11:03 AM
to simple...@googlegroups.com
On Tue, Apr 13, 2010 at 15:09:42 -0700, Fedyukin, Alexander wrote:
> If my understanding is correct, the RelayState means a page that the
> user should end up on after logout. How would IDP know what it should
> be unless it is explicitly configured? We are using SimpleSAML IDP.

The IdP receives its RelayState from the SP alongside the LogoutRequest
message.

> As a workaround, we specified the RelayState in the logout link
> similar to the example here: http://simplesamlphp.org/docs/1.5/simplesamlphp-googleapps
>
> However, I am wondering why it points to 'initSLO.php' while default
> metadata points to 'SingleLogoutService.php'.

That one refers to IdP initiated logout (since Google Apps does not
support SP initiated logout), and saml2/idp/initSLO.php is the handler
for that.

> Note,
> SingleLogoutService.php does not accept RelayState as parameter.

No, SingleLogoutService.php is the endpoint for SAML 2 LogoutRequest
and LogoutResponse messages.


Regarding the original error: You didn't by any chance start the logout
with the old SP implementation (redirecting to saml2/sp/initSLO.php)?
That would explain the error you saw, since the logout response was
delivered to the new SP implementation.

Adam Lantos

Apr 14, 2010, 4:39:14 AM
to simple...@googlegroups.com
On Wed, Apr 14, 2010 at 9:11 AM, Olav Morken <olav....@uninett.no> wrote:
>> Note,
>> SingleLogoutService.php does not accept RelayState as parameter.
>
> No, SingleLogoutService.php is the endpoint for SAML 2 LogoutRequest
> and LogoutResponse messages.
>

RelayState is not SAML protocol message-dependent, rather
binding-dependent (i.e. the SOAP binding does not support it, HTTP-*
bindings do). So I think SingleLogout endpoints must support
RelayState with HTTP-* bindings.


cheers,
Adam

Olav Morken

Apr 14, 2010, 7:03:52 AM
to simple...@googlegroups.com

And saml2/idp/SingleLogoutService.php accepts RelayState alongside a
LogoutRequest message, and will pass that RelayState back to the SP
when sending the LogoutResponse message.

It will not accept a request with only RelayState, since it has no idea
what to do in that case.

Adam Lantos

Apr 14, 2010, 5:20:40 PM
to simple...@googlegroups.com
> It will not accept a request with only RelayState, since it has no idea
> what to do in that case.

oh and _now_ I understand the original question :)
pardon me for being the smart guy again..


cheers,
Adam

Alexander Fedyukin

Apr 14, 2010, 6:06:33 PM
to simple...@googlegroups.com
No, I would get this error when I click on the logout link under "test
configured authentication sources" on SP. It looks something like:

https://<sphost>/simplesaml/module.php/core/authenticate.php?logout

The IdP indeed does not include the RelayState in the LogoutResponse message.

That was probably because the SP did not include the RelayState alongside a
LogoutRequest message when forwarding to <idp
host>saml2/idp/SingleLogoutService.php

So then, how do I ensure that the SP includes the RelayState when sending
the LogoutRequest to the IDP?

Also, is it true that RelayState parameter refers to the page the user
should go to after logout (in case of logout request)?

If yes, where am I supposed to configure what it is?

Alexander

Olav Morken

Apr 15, 2010, 2:06:03 AM
to simple...@googlegroups.com
On Wed, Apr 14, 2010 at 15:06:33 -0700, Alexander Fedyukin wrote:
> No, I would get this error when I click on the logout link under "test
> configured authentication sources" on SP. It looks something like:
>
> https://<sphost>/simplesaml/module.php/core/authenticate.php?logout
>
> The IdP indeed does not include the RelayState in the LogoutResponse message.
>
> That was probably because the SP did not include the RelayState alongside a
> LogoutRequest message when forwarding to <idp
> host>saml2/idp/SingleLogoutService.php

Now I'm confused - that SP implementation has always depended on the
RelayState being carried across the logout, and has therefore always
included it. Are you sure that it isn't present? It should look like
this:

.../SingleLogoutService.php?SAMLRequest=rVJNb[...]&RelayState=_9403633389ce49e2e63436a068aaf86fa97546a0be

> So then, how do I ensure that the SP includes the RelayState when sending
> the LogoutRequest to the IDP?

No configuration should be necessary.

> Also, is it true that RelayState parameter refers to the page the user
> should go to after logout (in case of logout request)?

No, not directly. The specifications allow you to use the RelayState to
store arbitrary data, and what we store is an identifier. When the
logout response is received, the identifier is used to look up data
that tells us what to do next. That action could be to redirect to a
URL the user should be redirected to, but it could also be to run some
code.

> If yes, where am I supposed to configure what it is?

When starting SP-initiated logout, you have two functions that you can
call:

$as->logout($url); [1]
$as->getLogoutURL($url); [2]

The $url argument decides which page you should land on after logout.
You can also just use a link to:

.../simplesaml/module.php/core/as_logout.php?AuthId=<authentication source>&ReturnTo=<return URL>


[1] http://simplesamlphp.org/docs/1.5/simplesamlphp-sp-api#section_4
[2] http://simplesamlphp.org/docs/1.5/simplesamlphp-sp-api#section_7
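The RelayState round trip Olav describes above (the SP stores only an opaque identifier, the IdP must copy it from the LogoutRequest onto the LogoutResponse, and the SP then looks the identifier up to decide what to do next), modelled as an added Python example. This is not simpleSAMLphp code; the endpoint URLs, the in-memory state store and the minimal message XML are constructed stand-ins, and `run_exchange` plays both sides so the missing-RelayState failure from the thread can be reproduced next to the working case.

```python
import base64
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
IDP_SLO = "https://idp.example/simplesaml/saml2/idp/SingleLogoutService.php"  # constructed
SP_SLO = "https://sp.example/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"  # constructed
LOGOUT_STATE = {}  # SP-side store: RelayState id -> what to do when the LogoutResponse arrives

def redirect_encode(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits -15 = no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def redirect_decode(data: str) -> str:
    return zlib.decompress(base64.b64decode(data), -15).decode()

def sp_build_logout_request(return_to: str) -> str:
    """SP: save the post-logout action under a fresh id and send only that id as RelayState."""
    relay_state = "_" + secrets.token_hex(20)
    LOGOUT_STATE[relay_state] = {"ReturnTo": return_to}
    request = redirect_encode(f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_req"/>')
    return f"{IDP_SLO}?{urlencode({'SAMLRequest': request, 'RelayState': relay_state})}"

def idp_handle_logout_request(url: str, echo_relay_state: bool = True) -> str:
    """IdP: RelayState is opaque to it; a correct IdP copies it onto the LogoutResponse redirect."""
    params = parse_qs(urlsplit(url).query)
    assert "LogoutRequest" in redirect_decode(params["SAMLRequest"][0])  # real IdP: parse, validate
    query = {"SAMLResponse": redirect_encode(f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_resp"/>')}
    if echo_relay_state and "RelayState" in params:
        query["RelayState"] = params["RelayState"][0]
    return f"{SP_SLO}?{urlencode(query)}"

def sp_handle_logout_response(url: str) -> str:
    """SP: resolve the RelayState; a missing or unknown one is the BADREQUEST seen in the thread."""
    relay_state = parse_qs(urlsplit(url).query).get("RelayState", [None])[0]
    if relay_state is None:
        raise ValueError("Missing RelayState in logout response.")
    if relay_state not in LOGOUT_STATE:
        raise ValueError("Unknown RelayState in logout response.")
    return LOGOUT_STATE.pop(relay_state)["ReturnTo"]  # one-shot, so a response cannot be replayed

def run_exchange(echo_relay_state: bool) -> str:
    request_url = sp_build_logout_request("https://sp.example/loggedout")
    try:
        return sp_handle_logout_response(idp_handle_logout_request(request_url, echo_relay_state))
    except ValueError as err:
        return str(err)
```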
