SimpleSAMLphp Partial Single Logout


abhi3...@gmail.com

May 8, 2017, 12:43:46 AM
to SimpleSAMLphp
Hi all,

I decided to implement Single Sign-On (SSO) and Single Logout (SLO) using SimpleSAMLphp by following https://simplesamlphp.org/docs/stable/ for my project. I was able to implement SSO, but SLO was only implemented partially,

i.e. if I log out from the Service Provider (SP), my Identity Provider (IdP) also gets logged out, but if I initiate logout from my IdP, my SP doesn't get logged out.

If you need any other information, let me know. Thanks for the help.

My IDP's saml20-idp-hosted

$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    // X.509 key and certificate. Relative to the cert directory.
    'privatekey' => 'example.org.pem',
    'certificate' => 'example.org.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',
    //'logouttype' => 'iframe',

    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),


);

My IDP's saml20-sp-remote

$metadata['http://service.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'http://service.example.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    ),
  ),
  'AssertionConsumerService' => 
  array (
    0 => 
    array (
      'index' => 0,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'http://service.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    ),
    1 => 
    array (
      'index' => 1,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
      'Location' => 'http://service.example.com/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
    ),
    2 => 
    array (
      'index' => 2,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
      'Location' => 'http://service.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    ),
    3 => 
    array (
      'index' => 3,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
      'Location' => 'http://service.example.com/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
    ),
  ),
  'certData' => 'MIIDazCCAlOgAwIBAgIJAJ653EqbAryJMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdORVdZT1JLMQwwCgYDVQQHDANOWUMxDzANBgNVBAoMBlNTTlRQTDEMMAoGA1UECwwDREVWMB4XDTE3MDUwNDEyMjMzOFoXDTI3MDUwNDEyMjMzOFowTDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB05FV1lPUksxDDAKBgNVBAcMA05ZQzEPMA0GA1UECgwGU1NOVFBMMQwwCgYDVQQLDANERVYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XfZhpHhuBHLf0UgnUGOv9zP04OMbRgmD/AI/jL4A2GONrOJYdlsCJcU9sAySBFxwZ8UkpkWYzjpzqjRc2ZmSYQmUt9m7raYciynLlcWP5FKdvZjmlTbjL0XGSGtOi4a39A/eYp5JmOx1eZT5jStiFJCUtzEqHfUYO/foGaaGxAqwur2q/8eiaW1PuKjxSRkuGek3i83lWmMAkkxT74YMrpuB2YP2N7wiiIm/ChYI4enYCWQpB8kpSujRzd/OLCL2tNc4Bp8Qhs2mOw46i5arkzzBtIKE0up6wpLsRT+mNpO1lqD9M7EAPi8JZBK7kh/9kJXqaCdXAeJvd18Z+uAZAgMBAAGjUDBOMB0GA1UdDgQWBBTuu/EDcjRd9Mtk3R4IJveBU/mpAjAfBgNVHSMEGDAWgBTuu/EDcjRd9Mtk3R4IJveBU/mpAjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAy20lxkQ9lR2wzUsH7jfYJNXJ2/Qc34YHguGDuxzMGzAPVu6CHUygUlaUBW/QTCam/xvru/pqsKAzs0FYiuImJr/X6wbJpDZNcvd/27ZuXbGK7N0k/F446KA9VOh8F7eRa0S3+WqU1MpnBxIvYT0D0xsSKDBKhx/giLaQMJv73PHFC+UXFmUnd/U4fcJc4gUJC2vAjr43DJjvQxJC13x9XqjIpaE/57Un2+zIujIvm3ChHu/kdmtwBIXLLehKJO5NqvkqoWJ4n1Mk8lZkRjsXFKCxJInnhRDLvwDj+ruPvpGZrK3VdUfjQQ06EmwCzvXRKetUU02R0k660pr2e6ngk',
);

MY SP's saml20-idp-remote

$metadata['http://service.ssntpl.com/simplesaml/saml2/idp/metadata.php'] = array (
  'metadata-set' => 'saml20-idp-remote',
  'entityid' => 'http://service.ssntpl.com/simplesaml/saml2/idp/metadata.php',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'http://service.ssntpl.com/simplesaml/saml2/idp/SSOService.php',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'http://service.ssntpl.com/simplesaml/saml2/idp/SingleLogoutService.php',
    ),
  ),
  'certData' => '...',
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);

MY SP saml20-idp-hosted

$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',


    // X.509 key and certificate. Relative to the cert directory.
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',


    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',
);

I tried finding relevant information regarding Single Logout but was not very successful. I apologize in advance if I did anything stupid, but I need help.

Thanks and Regards,
Abhishek Choudhery

Peter Schober

May 8, 2017, 7:13:32 AM
to SimpleSAMLphp
* abhi3...@gmail.com <abhi3...@gmail.com> [2017-05-08 06:43]:
> i.e If I logout from Service Provider (SP), my Identity Provider
> (IDP) also gets logout, but if I initiate logout from my IDP, my SP
> didn't got logout.

How did you determine that to be the case? Are you saying there was no
SAML logout protocol message to the SP at all? Or just that you were
able to continue using the application protected by the SP even after
IDP-initiated SLO? Is there a separate application involved at the SP
side, or are you testing only with SimpleSAMLphp itself? If there's an
application does it have its own session and cookies? etc.
-peter

Abhishek Choudhery

May 8, 2017, 7:25:50 AM
to simple...@googlegroups.com
Hi,

When I log out from the SP and refresh the IdP page, the IdP asks for authentication again, whereas if I log out from the IdP and refresh the SP page it doesn't ask for the credentials, so you can say that I was able to continue using the SP application. I have two separate instances of SimpleSAMLphp running at two different domains, i.e. service.example.com/saml (SP) and service.ssntpl.com (IdP), on localhost. I am following this: https://simplesamlphp.org/

Thanks 



Abhishek Choudhery

May 9, 2017, 1:37:48 AM
to SimpleSAMLphp

Hi,

I read the installation guide again and https://simplesamlphp.org/docs/stable/simplesamlphp-sp-migration; under section 4.7 it was written:

4.7 IdP initiated logout

This is used by the IdP if the user logs out of a different SP connected to the IdP. In this case, the user should also be logged out of your application.

The easiest way to test this is if you have two SPs connected to the IdP. You can then log out of one SP and check that you are also logged out of the other.


So I connected another SP to test it, and it was doing as told above.

Now my confusion is: what happens in IdP-initiated logout? Do we log out from the IdP or not? Or if we log out from one SP, do we log out from the rest of the SPs?

Actually, in the end I wanted to model it on Google, where if I log out from myaccounts.google.com, I am automatically logged out from Gmail etc. Please help me by pointing me in the right direction so I can achieve it.

Thanks

Abhishek Choudhery

May 10, 2017, 12:48:19 AM
to SimpleSAMLphp
Hi,

Anyone ??

Jaime Perez Crespo

May 10, 2017, 4:38:36 AM
to SimpleSAMLphp
Hi Abhishek,

On 9 May 2017, at 07:37 AM, Abhishek Choudhery <abhi3...@gmail.com> wrote:
> Hi,
>
> I again read the installation guide and https://simplesamlphp.org/docs/stable/simplesamlphp-sp-migration under the section 4.7, It was written

That document is quite old and targeted at those using the API offered in early versions of SimpleSAMLphp, so you can ignore it completely.

SimpleSAMLphp supports Single Logout. This means that if you have two services connected to your IdP, and a valid session on both, when you start logout in one of the services, the IdP will propagate that logout to any other services with valid sessions (actually called “associations” in SimpleSAMLphp).

If the source of your confusion is Google, as far as I know they don’t support Single Logout, meaning they can initiate SAML logout but they cannot receive logout requests. This may have changed recently, though.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
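Added example, not from this thread or from SimpleSAMLphp itself: a toy Python model of the Single Logout propagation Jaime describes. The IdP records one association per SP that received an assertion and, when logout starts anywhere (at an SP or at the IdP's own logout page), sends a LogoutRequest to every other associated SP. Entity IDs, the user name and the message fields are constructed for illustration; the `clears_app_session` flag models the case Peter asked about, an application with its own session layered on top of the SP that does not hook the SP's logout.

```python
"""Toy model of SAML 2.0 Single Logout propagation (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class LogoutRequest:
    issuer: str   # entity sending the request (an SP, or the IdP when propagating)
    name_id: str  # subject to log out


@dataclass
class LogoutResponse:
    issuer: str
    status: str


@dataclass
class ServiceProvider:
    entity_id: str
    clears_app_session: bool = True              # does the app hook SP logout?
    sessions: dict = field(default_factory=dict)  # name_id -> {"saml", "app"}
    received: list = field(default_factory=list)  # LogoutRequests seen

    def login(self, name_id):
        self.sessions[name_id] = {"saml": True, "app": True}

    def handle_logout_request(self, req):
        self.received.append(req)
        sess = self.sessions.get(req.name_id)
        if sess is not None:
            sess["saml"] = False
            # An application on top of the SP must end its own session too;
            # otherwise the user keeps working after an IdP-side logout even
            # though the SAML session is gone.
            if self.clears_app_session:
                sess["app"] = False
        return LogoutResponse(self.entity_id, "Success")

    def app_logged_in(self, name_id):
        return self.sessions.get(name_id, {}).get("app", False)


@dataclass
class IdentityProvider:
    entity_id: str
    sps: dict = field(default_factory=dict)
    associations: dict = field(default_factory=dict)  # name_id -> set of SP ids

    def register(self, sp):
        self.sps[sp.entity_id] = sp

    def authenticate(self, name_id, sp_id):
        # Issuing an assertion records an association used later for SLO.
        self.associations.setdefault(name_id, set()).add(sp_id)
        self.sps[sp_id].login(name_id)

    def single_logout(self, name_id, initiator):
        """End the IdP session and propagate to every SP except the initiator.
        Returns [(sp_id, status)] in the order the requests were sent."""
        targets = self.associations.pop(name_id, set()) - {initiator}
        results = []
        for sp_id in sorted(targets):
            resp = self.sps[sp_id].handle_logout_request(
                LogoutRequest(self.entity_id, name_id))
            results.append((sp_id, resp.status))
        return results


def sp_initiated_logout(idp, sp, name_id):
    """SP sends a LogoutRequest to the IdP; the IdP propagates, then answers."""
    sp.sessions.pop(name_id, None)
    req = LogoutRequest(sp.entity_id, name_id)
    propagated = idp.single_logout(req.name_id, initiator=req.issuer)
    return LogoutResponse(idp.entity_id, "Success"), propagated


def idp_initiated_logout(idp, name_id):
    """User logs out at the IdP itself: no SP is the initiator, so every
    associated SP receives a LogoutRequest."""
    return idp.single_logout(name_id, initiator=idp.entity_id)


def build_federation(sp2_clears_app=True):
    # Constructed entity IDs; "alice" is logged in at both SPs via the IdP.
    idp = IdentityProvider("https://idp.example.org/saml2/idp/metadata.php")
    sp1 = ServiceProvider("https://sp1.example.org/default-sp")
    sp2 = ServiceProvider("https://sp2.example.org/default-sp", sp2_clears_app)
    for sp in (sp1, sp2):
        idp.register(sp)
        idp.authenticate("alice", sp.entity_id)
    return idp, sp1, sp2


def scenario_sp_initiated():
    idp, sp1, sp2 = build_federation()
    resp, propagated = sp_initiated_logout(idp, sp1, "alice")
    return {"status": resp.status,
            "propagated_to": [sp_id for sp_id, _ in propagated],
            "sp1_app": sp1.app_logged_in("alice"),
            "sp2_app": sp2.app_logged_in("alice"),
            "idp_session": "alice" in idp.associations}


def scenario_idp_initiated(sp2_clears_app=True):
    idp, sp1, sp2 = build_federation(sp2_clears_app)
    propagated = idp_initiated_logout(idp, "alice")
    return {"propagated_to": [sp_id for sp_id, _ in propagated],
            "sp1_app": sp1.app_logged_in("alice"),
            "sp2_app": sp2.app_logged_in("alice"),
            "idp_session": "alice" in idp.associations}


if __name__ == "__main__":
    print(scenario_sp_initiated())
    print(scenario_idp_initiated())
    print(scenario_idp_initiated(sp2_clears_app=False))  # sp2 app still "logged in"
```

The third run is the symptom from the first post seen from the other side: the IdP session and the SP's SAML session are gone, every LogoutRequest was answered with Success, yet the application on sp2 still considers the user logged in because nothing tied its own session to the SP's logout handling.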

Abhishek Choudhery

May 10, 2017, 5:19:51 AM
to SimpleSAMLphp
Thanks  :-)