SAML Single Logout is not working properly due to incomplete LogoutRequest XML

CMS Version

3.0.0

Issue

I am now trying to use single sign-on and single logout via ADFS in my Xibo CMS.
I have successfully connected Xibo CMS and ADFS for the SSO part.
However, for SLO, ADFS did not return a logout response with status:Success, but status:Requester instead.

settings-custom.php

<?php

# If you need to add custom configuration settings to the CMS settings.php file,
# this is the place to do it.

# For example, if you want to configure SAML authentication, you can add the
# required configuration here

$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = array (
   'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute to identify the user
        'field_to_identify' => 'UserName',   // Alternatives: UserID, UserName or email
        // Default libraryQuota assigned to the created user by JIT
        'libraryQuota' => 1000,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'icondashboard.view',
        // Enable/Disable Single Logout
        'slo' => true,
        // Attribute mapping between XIBO-CMS and the IdP
        'mapping' => array (
#            'UserID' => '3',
#            'usertypeid' => '3',
            'UserName' => 'uid',
            'email' => 'mail',
        )
    ),
   // Settings for the PHP-SAML toolkit.
   // See documentation: https://github.com/onelogin/php-saml#settings
   'strict' => false,
   'debug' => true,
   'idp' => array (
            'entityId' => 'http://adfs.mydomain.com.hk/adfs/services/trust',
            'singleSignOnService' => array (
                'url' => 'https://adfs.mydomain.com.hk/adfs/ls/',
            ),
            'singleLogoutService' => array (
                'url' => 'https://adfs.mydomain.com.hk/adfs/ls/',
            ),
            'x509cert' => 'MIIC...',
        ),
   'sp' => array (
        'entityId' => 'https://xibo.mydomain.com.hk/xibo_test/saml/metadata',
        'assertionConsumerService' => array (
            'url' => 'https://xibo.mydomain.com.hk/xibo_test/saml/acs',
        ),
        'singleLogoutService' => array (
            'url' => 'https://xibo.mydomain.com.hk/xibo_test/saml/sls',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'x509cert' => 'MIIG...',
        'privateKey' => 'MIIE...',
    ),
    'security' => array (
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => true,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
   )
);

?>

LogoutRequest

<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_80eaf227e7b041f1e85f0406dabaca2fb0c8d452"
    Version="2.0"
    IssueInstant="2021-07-20T02:11:54Z"
    Destination="https://adfs.mydomain.com.hk/adfs/ls/">
    <saml:Issuer>https://xibo.mydomain.com.hk/xibo_test/saml/metadata</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://adfs.mydomain.com.hk/adfs/services/trust</saml:NameID>
</samlp:LogoutRequest>

LogoutResponse

<samlp:LogoutResponse
    ID="_48624035-2d2c-44c3-b4d4-e7d7085301ca"
    Version="2.0"
    IssueInstant="2021-07-20T02:11:43.021Z"
    Destination="https://xibo.mydomain.com.hk/xibo_test/saml/sls"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="ONELOGIN_80eaf227e7b041f1e85f0406dabaca2fb0c8d452"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.mydomain.com.hk/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    </samlp:Status>
</samlp:LogoutResponse>

I am wondering whether the status:Requester is due to some missing fields in the LogoutRequest, as I saw that there should be some other fields (e.g. sessionIndex, nameIdFormat) in other LogoutRequest examples.
I noticed that there are some differences between the Xibo CMS code and the onelogin SAML demo code when calling the logout function. No arguments are passed to the logout function in Xibo for constructing the LogoutRequest XML. Is this a correct usage of the logout function?
Thanks in advance.

xibo-cms-3.0.0/lib/Middleware/SAMLAuthentication.php

onelogin/php-saml/demo1/index.php

Hi and welcome.

To be honest with you, we're not sure! Our SAML auth middleware was written originally by one of the team at onelogin, and we've pretty much stuck with their initial implementation since then. It could be that the spec/library have advanced since then.

I've got SLO working fine here as-is though, so maybe there are some environment-specific options coming into play.

As you have an environment to reproduce the issue, are you able to make the modifications and try it out?

Thanks,
Dan
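The LogoutRequest quoted in the question carries the IdP's own entityId as the NameID (Format `...:nameid-format:entity`) and no SessionIndex: that is what the php-saml toolkit emits when `Auth::logout()` is called with no NameID, and it gives ADFS nothing with which to locate the user's session, which is consistent with the `status:Requester` it sends back. The following is an added example, not code from Xibo or from onelogin's demo, of the change Dan suggests trying: keep the NameID, its format and qualifiers, and the SessionIndex from the validated assertion at the ACS, and hand them to `logout()` so the LogoutRequest identifies the session. It assumes php-saml 3.x (`OneLogin\Saml2\Auth`) installed via Composer, the `$samlSettings` array from `settings-custom.php`, and PHP sessions; the `$_SESSION` key names and the `route` query parameter used for dispatch are illustrative assumptions.

```php
<?php
// Added example (not Xibo's or onelogin's own code). Assumes php-saml 3.x and
// that settings-custom.php defines $samlSettings as shown in the question.
require_once __DIR__ . '/vendor/autoload.php';
require_once __DIR__ . '/settings-custom.php';

use OneLogin\Saml2\Auth;

/**
 * ACS handler: after the assertion validates, remember how the IdP identified
 * this session. The IdP expects exactly these values back in the LogoutRequest.
 * ($_SESSION key names are an assumption of this example.)
 */
function handleAcs(Auth $auth): void
{
    $auth->processResponse();
    if (!empty($auth->getErrors())) {
        throw new RuntimeException('ACS failed: ' . $auth->getLastErrorReason());
    }
    $_SESSION['samlNameId']                = $auth->getNameId();
    $_SESSION['samlNameIdFormat']          = $auth->getNameIdFormat();
    $_SESSION['samlNameIdNameQualifier']   = $auth->getNameIdNameQualifier();
    $_SESSION['samlNameIdSPNameQualifier'] = $auth->getNameIdSPNameQualifier();
    $_SESSION['samlSessionIndex']          = $auth->getSessionIndex();
}

/**
 * SP-initiated SLO: pass the stored identifiers. Calling $auth->logout() with
 * no arguments makes the toolkit fall back to the IdP entityId as NameID,
 * which is the request shown in the question.
 */
function startSingleLogout(Auth $auth, string $returnTo): void
{
    $auth->logout(
        $returnTo,
        [],                                            // extra GET parameters
        $_SESSION['samlNameId'] ?? null,
        $_SESSION['samlSessionIndex'] ?? null,
        false,                                         // stay=false: redirect to the IdP
        $_SESSION['samlNameIdFormat'] ?? null,
        $_SESSION['samlNameIdNameQualifier'] ?? null,
        $_SESSION['samlNameIdSPNameQualifier'] ?? null
    );
}

/**
 * SLS handler: the IdP sends either a LogoutResponse to our request or its own
 * LogoutRequest (IdP-initiated SLO). processSLO() validates either one and
 * invokes the callback to destroy the local session.
 */
function handleSls(Auth $auth): void
{
    $auth->processSLO(false, null, false, function (): void {
        $_SESSION = [];
        session_destroy();
    });
    if (!empty($auth->getErrors())) {
        throw new RuntimeException('SLO failed: ' . $auth->getLastErrorReason());
    }
}

// Minimal dispatch for the three SAML endpoints (route names are assumptions).
session_start();
$auth = new Auth($samlSettings);
switch ($_GET['route'] ?? '') {
    case 'acs':
        handleAcs($auth);
        break;
    case 'logout':
        startSingleLogout($auth, 'https://xibo.mydomain.com.hk/xibo_test/');
        break;
    case 'sls':
        handleSls($auth);
        break;
    default:
        http_response_code(404);
}
```

Two checks worth doing alongside this: confirm the LogoutRequest now carries a `<saml:NameID>` with the format the assertion used (here `emailAddress`) and a `<samlp:SessionIndex>`, and note that the posted settings keep `'strict' => false`, which makes the toolkit accept unsigned messages it expected signed and skip Destination validation; the php-saml documentation recommends `'strict' => true` in production, so it should be re-enabled once SLO works.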
