CMS Version
3.0.0
Issue
I am now trying to use single sign-on (SSO) and single logout (SLO) via ADFS in my Xibo CMS.
I have successfully connected Xibo CMS and ADFS for the SSO part.
However, for SLO, ADFS did not return a logout response with status:Success, but a status:Requester instead.
settings-custom.php
<?php
# If you need to add custom configuration settings to the CMS settings.php file,
# this is the place to do it.
# For example, if you want to configure SAML authentication, you can add the
# required configuration here
$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = array (
'workflow' => array(
// Enable/Disable Just-In-Time provisioning
'jit' => true,
// Attribute to identify the user
'field_to_identify' => 'UserName', // Alternatives: UserID, UserName or email
// Default libraryQuota assigned to the created user by JIT
'libraryQuota' => 1000,
// Initial User Group
'group' => 'Users',
// Home Page
'homePage' => 'icondashboard.view',
// Enable/Disable Single Logout
'slo' => true,
// Attribute mapping between XIBO-CMS and the IdP
'mapping' => array (
# 'UserID' => '3',
# 'usertypeid' => '3',
'UserName' => 'uid',
'email' => 'mail',
)
),
// Settings for the PHP-SAML toolkit.
// See documentation: https://github.com/onelogin/php-saml#settings
'strict' => false,
'debug' => true,
'idp' => array (
'entityId' => 'http://adfs.mydomain.com.hk/adfs/services/trust',
'singleSignOnService' => array (
'url' => 'https://adfs.mydomain.com.hk/adfs/ls/',
),
'singleLogoutService' => array (
'url' => 'https://adfs.mydomain.com.hk/adfs/ls/',
),
'x509cert' => 'MIIC...',
),
'sp' => array (
'entityId' => 'https://xibo.mydomain.com.hk/xibo_test/saml/metadata',
'assertionConsumerService' => array (
'url' => 'https://xibo.mydomain.com.hk/xibo_test/saml/acs',
),
'singleLogoutService' => array (
'url' => 'https://xibo.mydomain.com.hk/xibo_test/saml/sls',
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'x509cert' => 'MIIG...',
'privateKey' => 'MIIE...',
),
'security' => array (
'nameIdEncrypted' => false,
'authnRequestsSigned' => false,
'logoutRequestSigned' => true,
'logoutResponseSigned' => false,
'signMetadata' => false,
'wantMessagesSigned' => false,
'wantAssertionsSigned' => false,
'wantAssertionsEncrypted' => false,
'wantNameIdEncrypted' => false,
)
);
?>
LogoutRequest
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_80eaf227e7b041f1e85f0406dabaca2fb0c8d452"
Version="2.0"
IssueInstant="2021-07-20T02:11:54Z"
Destination="https://adfs.mydomain.com.hk/adfs/ls/">
<saml:Issuer>https://xibo.mydomain.com.hk/xibo_test/saml/metadata</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adfs.mydomain.com.hk/adfs/services/trust</saml:NameID>
</samlp:LogoutRequest>
LogoutResponse
<samlp:LogoutResponse ID="_48624035-2d2c-44c3-b4d4-e7d7085301ca" Version="2.0" IssueInstant="2021-07-20T02:11:43.021Z" Destination="https://xibo.mydoamin.com.hk/xibo_test/saml/sls" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_80eaf227e7b041f1e85f0406dabaca2fb0c8d452" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.mydomain.com.hk/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
</samlp:Status>
</samlp:LogoutResponse>
I am wondering whether the status:Requester is due to some missing fields in the LogoutRequest, as I saw that there should be some other fields (e.g. SessionIndex, NameIDFormat) in other LogoutRequest examples.
I noticed that there are some differences between the Xibo CMS code and the OneLogin SAML demo code when calling the logout function. No arguments are passed to the logout function in Xibo for constructing the LogoutRequest XML. Is this a correct usage of the logout function?
Thanks in advance.
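For reference, the pattern below is an added example (not Xibo's code and not the php-saml toolkit's own demo) showing how the onelogin/php-saml `Auth::logout()` call can be given the NameID, NameID format and SessionIndex captured at login, so that the LogoutRequest names the subject the IdP actually issued rather than the bare defaults. It assumes `$samlSettings` is the array from settings-custom.php above, that php-saml 3.x is installed via Composer, and that the three session keys (`samlNameId`, `samlNameIdFormat`, `samlSessionIndex`) and `LogoutRequestID` are names chosen here for the example.

```php
<?php
// Added example, not Xibo's or php-saml's own code.
// Assumes: php-saml 3.x via Composer, $samlSettings from settings-custom.php,
// and session key names that are chosen here for illustration.
require_once __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Auth;

session_start();
$auth = new Auth($samlSettings);

// --- ACS endpoint: after a successful login, remember the subject details
//     that a later LogoutRequest must carry (NameID, its Format, SessionIndex).
function rememberSamlSubject(Auth $auth): void
{
    $auth->processResponse();
    if (!empty($auth->getErrors())) {
        // Keep the detailed reason in the server log, not in the HTTP reply.
        error_log('SAML ACS error: ' . $auth->getLastErrorReason());
        http_response_code(400);
        exit;
    }
    $_SESSION['samlNameId']       = $auth->getNameId();
    $_SESSION['samlNameIdFormat'] = $auth->getNameIdFormat();
    $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
}

// --- Logout initiation: pass the remembered values instead of calling logout()
//     with no arguments. With nulls the toolkit falls back to SP/IdP defaults,
//     which yields a LogoutRequest with no SessionIndex, as in the post above.
function startSingleLogout(Auth $auth, string $returnTo): void
{
    $nameId       = $_SESSION['samlNameId'] ?? null;
    $sessionIndex = $_SESSION['samlSessionIndex'] ?? null;
    $nameIdFormat = $_SESSION['samlNameIdFormat'] ?? null;

    // logout($returnTo, $parameters, $nameId, $sessionIndex, $stay, $nameIdFormat)
    // $stay = true returns the redirect URL instead of redirecting, so the
    // request ID can be stored and checked against InResponseTo at the SLS.
    $sloUrl = $auth->logout($returnTo, array(), $nameId, $sessionIndex, true, $nameIdFormat);
    $_SESSION['LogoutRequestID'] = $auth->getLastRequestID();
    header('Location: ' . $sloUrl);
    exit;
}

// --- SLS endpoint: validate the IdP's LogoutResponse. processSLO() checks
//     InResponseTo against the stored request ID and treats any StatusCode
//     other than Success (e.g. status:Requester) as an error, so the local
//     session is only destroyed when the IdP confirmed the logout.
function finishSingleLogout(Auth $auth): void
{
    $requestId = $_SESSION['LogoutRequestID'] ?? null;
    $auth->processSLO(false, $requestId);
    $errors = $auth->getErrors();
    if (!empty($errors)) {
        error_log('SAML SLO failed: ' . implode(', ', $errors)
            . ' / ' . $auth->getLastErrorReason());
        http_response_code(400);
        exit;
    }
    // Reaching here means a Success status with a matching InResponseTo.
}
```

Calling `logout()` with every subject argument left null is valid for the toolkit, but the resulting LogoutRequest then identifies the SP rather than the logged-in user, which is the shape of the request shown in the post; storing and replaying the login-time values is the documented way to populate those fields.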