SAML Single Logout not working

Hi, I use Auth0 as the IdP. SAML login succeeds: a new user gets created and can log in each time we try.
But we have an issue with single logout: we get "No active session(s) found matching LogoutRequest" from the Auth0 side.
Auth0 says this happens only if the SessionIndex and NameID don't match what the IdP has, so I enabled debug mode and checked the errors.

If someone can help with this issue I would be glad, thanks.

SAML SETTINGS

$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = array(
    'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute to identify the user
        // if set to nameId then the NameID from SAML will be taken and used as the
        // username in Xibo.
        'field_to_identify' => 'UserName', // Alternatives: UserID, UserName, email
        // Default libraryQuota assigned to the created user by JIT
        //'libraryQuota' => 2048,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'statusdashboard',
        // Enable/Disable Single Logout
        'slo' => true,
        // Attribute mapping between Xibo-CMS and the IdP
        'mapping' => array(
            'UserID' => '',
            'firstName' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            'lastName' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
            'usertypeid' => '',
            'UserName' => 'http://schemas.auth0.com/username',
            'email' => 'http://schemas.auth0.com/email',
            'ref1' => '',
            'ref2' => '',
            'ref3' => '',
            'ref4' => '',
            'ref5' => ''
        )
    ),
    // Configure the IdP and SP
    // With 'strict' => false, php-saml will not reject unsigned or unencrypted
    // messages even where the 'security' block below expects them signed or
    // encrypted, and skips most validation of incoming messages. Debugging only;
    // set it to true once the exchange works.
    'strict' => false,
    'debug' => true,
    'idp' => array(
        'entityId' => 'auth0 metadata',
        'singleSignOnService' => array(
            'url' => 'auth0 endpoint',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'singleLogoutService' => array(
            'url' => 'auth0 logout service',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'x509cert' => 'certificate',
    ),
    'sp' => array(
        'entityId' => 'https://sub.domain.tld/saml/metadata',
        'assertionConsumerService' => array(
            'url' => 'https://sub.domain.tld/saml/acs',
            // The SAML Response carrying the assertion is delivered to the ACS by
            // HTTP-POST; php-saml's own settings example notes that this endpoint
            // only supports the HTTP-POST binding.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'singleLogoutService' => array(
            'url' => 'https://sub.domain.tld/saml/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        'x509cert' => 'certificate',
        'privateKey' => 'privatekey',
    ),
    'security' => array(
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => true,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    )
);

*** I also tried SLO with the NameIDFormat set to emailAddress; it doesn't work either. I changed field_to_identify to every possible value: each time I could log in, but couldn't log out.

I created a new user with SAML and tried to log out.
The debug results are below.

5812,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Loading 37. All Objects = 0",DEBUG
5813,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5814,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Install Fonts called with options: {"invalidateCache":false}",DEBUG
5815,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"CMS font CSS returned from Cache.",DEBUG
5816,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Route drawer not viewable",DEBUG
5817,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Blocked assess to unrecognised page: /drawer.",DEBUG
5818,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Showing the homepage: 29",DEBUG
5819,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5820,aa8f295,"2018-11-16 20:10:03",WEB,/,GET,"Request stats: {
"default": {
"select": 6
},
"log": {
"insert": 8
},
"length": 0.13289284706116,
"memoryUsage": 9830392,
"peakMemoryUsage": 9884064
}.",INFO
5821,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Loading 37. All Objects = 0",DEBUG
5822,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5823,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Install Fonts called with options: {"invalidateCache":false}",DEBUG
5824,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"CMS font CSS returned from Cache.",DEBUG
5825,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route drawer not viewable",DEBUG
5826,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Blocked assess to unrecognised page: /drawer.",DEBUG
5827,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5828,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5829,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5830,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5831,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"UserOption hideNavigation not found",DEBUG
5832,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route user not viewable",DEBUG
5833,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route usergroup not viewable",DEBUG
5834,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route admin not viewable",DEBUG
5835,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route application not viewable",DEBUG
5836,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route module not viewable",DEBUG
5837,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route transition not viewable",DEBUG
5838,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route log not viewable",DEBUG
5839,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route sessions not viewable",DEBUG
5840,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route auditlog not viewable",DEBUG
5841,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route fault not viewable",DEBUG
5842,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route help not viewable",DEBUG
5843,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Route drawer not viewable",DEBUG
5844,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"UserOption lockPosition not found",DEBUG
5845,e4e18a6,"2018-11-16 20:10:03",WEB,/dashboard/status,GET,"Request stats: {
"default": {
"select": 8
},
"log": {
"insert": 24
},
"length": 0.19639611244202,
"memoryUsage": 11137704,
"peakMemoryUsage": 11254608
}.",INFO
5846,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"Loading 37. All Objects = 0",DEBUG
5847,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5848,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"Install Fonts called with options: {"invalidateCache":false}",DEBUG
5849,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"CMS font CSS returned from Cache.",DEBUG
5850,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"Route drawer not viewable",DEBUG
5851,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"Blocked assess to unrecognised page: /drawer.",DEBUG
5852,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"Install Fonts called with options: {"invalidateCache":false}",DEBUG
5853,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"CMS font CSS returned from Cache.",DEBUG
5854,0bc9b2e,"2018-11-16 20:10:04",WEB,/library/fontcss,GET,"Request stats: {
"default": {
"select": 5
},
"log": {
"insert": 8
},
"length": 0.1169650554657,
"memoryUsage": 9834072,
"peakMemoryUsage": 9892232
}.",INFO
5855,981d71b,"2018-11-16 20:10:04",WEB,/user/pref,GET,"Loading 37. All Objects = 0",DEBUG
5856,981d71b,"2018-11-16 20:10:04",WEB,/user/pref,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5857,981d71b,"2018-11-16 20:10:04",WEB,/user/pref,GET,"Route user not viewable",DEBUG
5858,981d71b,"2018-11-16 20:10:04",WEB,/user/pref,GET,"Blocked assess to unrecognised page: /user/pref.",DEBUG
5859,981d71b,"2018-11-16 20:10:04",WEB,/user/pref,GET,"Access Denied#0 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/SAMLAuthentication.php(387): Xibo\Entity\User->routeAuthentication('/user/pref')
#1 [internal function]: Xibo\Middleware\SAMLAuthentication->Xibo\Middleware{closure}()
#2 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Slim.php(1208): call_user_func_array(Object(Closure), Array)
#3 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Slim.php(1354): Slim\Slim->applyHook('slim.before.dis…')
#4 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Middleware/Flash.php(85): Slim\Slim->call()
#5 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call()
#6 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Actions.php(160): Slim\Middleware\MethodOverride->call()
#7 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Theme.php(36): Xibo\Middleware\Actions->call()
#8 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/SAMLAuthentication.php(413): Xibo\Middleware\Theme->call()
#9 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/CsrfGuard.php(63): Xibo\Middleware\SAMLAuthentication->call()
#10 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/State.php(122): Xibo\Middleware\CsrfGuard->call()
#11 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Storage.php(47): Xibo\Middleware\State->call()
#12 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Xmr.php(37): Xibo\Middleware\Storage->call()
#13 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Slim.php(1300): Xibo\Middleware\Xmr->call()
#14 /var/www/vhosts/domain.tld/sub.domain.tld/web/index.php(124): Slim\Slim->run()
#15 {main}",DEBUG
5860,981d71b,"2018-11-16 20:10:04",WEB,/user/pref,GET,"Request stats: {
"default": {
"select": 5
},
"log": {
"insert": 5
},
"length": 0.074276924133301,
"memoryUsage": 7712544,
"peakMemoryUsage": 7776856
}.",INFO
5861,d9630dc,"2018-11-16 20:10:04",WEB,/dashboard/status/displays,GET,"Loading 37. All Objects = 0",DEBUG
5862,d9630dc,"2018-11-16 20:10:05",WEB,/dashboard/status/displays,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5863,d9630dc,"2018-11-16 20:10:05",WEB,/dashboard/status/displays,GET,"Install Fonts called with options: {"invalidateCache":false}",DEBUG
5864,d9630dc,"2018-11-16 20:10:05",WEB,/dashboard/status/displays,GET,"CMS font CSS returned from Cache.",DEBUG
5865,d9630dc,"2018-11-16 20:10:05",WEB,/dashboard/status/displays,GET,"sortOrder display",DEBUG
5866,d9630dc,"2018-11-16 20:10:05",WEB,/dashboard/status/displays,GET,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5867,d9630dc,"2018-11-16 20:10:05",WEB,/dashboard/status/displays,GET,"Request stats: {
"default": {
"select": 7
},
"log": {
"insert": 6
},
"length": 0.11557793617249,
"memoryUsage": 9902448,
"peakMemoryUsage": 10006928
}.",INFO
5868,a41776b,"2018-11-16 20:10:05",WEB,/user/pref,POST,"Loading 37. All Objects = 0",DEBUG
5869,a41776b,"2018-11-16 20:10:05",WEB,/user/pref,POST,"Checking permissions against the logged in user: ID: 37, Name: testuser, UserType: 3",DEBUG
5870,a41776b,"2018-11-16 20:10:05",WEB,/user/pref,POST,"Route user not viewable",DEBUG
5871,a41776b,"2018-11-16 20:10:05",WEB,/user/pref,POST,"Blocked assess to unrecognised page: /user/pref.",DEBUG
5872,a41776b,"2018-11-16 20:10:05",WEB,/user/pref,POST,"Access Denied#0 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/SAMLAuthentication.php(387): Xibo\Entity\User->routeAuthentication('/user/pref')
#1 [internal function]: Xibo\Middleware\SAMLAuthentication->Xibo\Middleware{closure}()
#2 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Slim.php(1208): call_user_func_array(Object(Closure), Array)
#3 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Slim.php(1354): Slim\Slim->applyHook('slim.before.dis…')
#4 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Middleware/Flash.php(85): Slim\Slim->call()
#5 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call()
#6 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Actions.php(160): Slim\Middleware\MethodOverride->call()
#7 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Theme.php(36): Xibo\Middleware\Actions->call()
#8 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/SAMLAuthentication.php(413): Xibo\Middleware\Theme->call()
#9 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/CsrfGuard.php(63): Xibo\Middleware\SAMLAuthentication->call()
#10 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/State.php(122): Xibo\Middleware\CsrfGuard->call()
#11 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Storage.php(47): Xibo\Middleware\State->call()
#12 /var/www/vhosts/domain.tld/sub.domain.tld/lib/Middleware/Xmr.php(37): Xibo\Middleware\Storage->call()
#13 /var/www/vhosts/domain.tld/sub.domain.tld/vendor/slim/slim/Slim/Slim.php(1300): Xibo\Middleware\Xmr->call()
#14 /var/www/vhosts/domain.tld/sub.domain.tld/web/index.php(124): Slim\Slim->run()
#15 {main}",DEBUG
5873,a41776b,"2018-11-16 20:10:05",WEB,/user/pref,POST,"Request stats: {
"default": {
"select": 5
},
"log": {
"insert": 5
},
"length": 0.074083089828491,
"memoryUsage": 7691936,
"peakMemoryUsage": 7758480
}.",INFO
5874,43e5e15,"2018-11-16 20:10:11",WEB,/saml/logout,GET,"Install Fonts called with options: {"invalidateCache":false}",DEBUG
5875,43e5e15,"2018-11-16 20:10:11",WEB,/saml/logout,GET,"CMS font CSS returned from Cache.",DEBUG
5876,43e5e15,"2018-11-16 20:10:11",WEB,/saml/logout,GET,"Checking permissions against the logged in user: ID: 0, Name: , UserType: 0",DEBUG
5877,43e5e15,"2018-11-16 20:10:11",WEB,/saml/logout,GET,"Route drawer not viewable",DEBUG
5878,43e5e15,"2018-11-16 20:10:11",WEB,/saml/logout,GET,"Blocked assess to unrecognised page: /drawer.",DEBUG
5879,e55aef2,"2018-11-16 20:10:23",WEB,/fault/collect,GET,"Loading 1. All Objects = 0",DEBUG
5880,e55aef2,"2018-11-16 20:10:23",WEB,/fault/collect,GET,"Install Fonts called with options: {"invalidateCache":false}",DEBUG
5881,e55aef2,"2018-11-16 20:10:23",WEB,/fault/collect,GET,"CMS font CSS returned from Cache.",DEBUG

Auth0 are probably best placed to help you with that, as it's their IdP that is rejecting the request to log out.

We know SLO works, as we have it working with other customers. We use the OneLogin SAML library for PHP (which most PHP applications that implement SAML use), so they should be familiar with how to correctly configure that for their platform.

Thank you Alex. We talked with Auth0 and they decompiled the request which Xibo creates when a single logout request is made. The issue is that the IdP is waiting for a response containing the email of the user, because we chose to use emailAddress as the NameID, but Xibo sends a completely different NameID right now. Can you give me a suggestion for how I can change it in the SAML settings or in SAMLAuthentication.php?

These are not matching. If they matched, single logout would work. In settings.php there is already 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'; I do not understand why Xibo sends the NameID in a different format when the single logout request is created.

I think you'd need to set field_to_identify to be email if you want Xibo to deal with email addresses as the user identifier?

Hi Alex, I tried that and it does not change anything in the SAML logout request. After decompiling the request I got the same type of format and NameID...

There must be something else which lets me change the logout request format. It's strange that when we set the NameID format to the 1.1 emailAddress format globally, logout should be the same as the login process, but it is:

Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

Any different suggestion?

**** I changed this in vendor/onelogin/…/LogoutRequest.php:

        if (!empty($nameId)) {
            // A NameID was passed in by the caller: use the SP NameIDFormat
            // unless an explicit format was given or the SP format is unspecified.
            if (empty($nameIdFormat)
                && $spData['NameIDFormat'] != Constants::NAMEID_UNSPECIFIED) {
                $nameIdFormat = $spData['NameIDFormat'];
            }
            $spNameQualifier = null;
        } else {
            // No NameID passed in: the library falls back to the IdP entityId as the
            // NameID value. Only the Format on the next line was changed here.
            $nameId = $idpData['entityId'];
            $nameIdFormat = Constants::NAMEID_EMAIL_ADDRESS;
            $spNameQualifier = $spData['entityId'];
        }

The format changed successfully, but in the SAML request the NameID is still something like this:

<saml:NameID SPNameQualifier="https://domain.com/saml/metadata" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">https://domain.com/samlp/metadata/m0zYvvPDNYigOR1MwJgxHooVZ3A4BCru</saml:NameID>

I still cannot log out. Maybe it's because I can't get the SessionIndex into the Logout Request... it's not visible.

In the same file the SessionIndex is created like this:

$sessionIndexStr = isset($sessionIndex) ? "<samlp:SessionIndex>{$sessionIndex}</samlp:SessionIndex>" : "";

In the Auth0 SAML response the SessionIndex is provided like this:

<saml:AuthnStatement AuthnInstant="2018-11-22T23:28:27.722Z" SessionIndex="_ZyUXRLymkMc0mg3ooXVngvZQsaGb0d67">
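Pulling the thread together, here is an added example (my code, not Xibo's SAMLAuthentication middleware and not php-saml's own code) of how an SP built on php-saml keeps its LogoutRequest consistent with the session the IdP issued. It assumes onelogin/php-saml 3.x (the namespaced OneLogin\Saml2 classes, matching the Constants:: reference in the patched snippet above), a $samlSettings array like the one in the first post, and PHP sessions; the $_SESSION keys and the function names are hypothetical. The point it illustrates is visible in the two snippets quoted from LogoutRequest.php: the NameID and SessionIndex only reach the <samlp:LogoutRequest> when the caller passes them in, otherwise the library falls back to the IdP entityId as the NameID value (the https://domain.com/samlp/metadata/... value shown above) and emits no <samlp:SessionIndex> at all, which is a request no IdP can match to a session. Changing the Format constant in the fallback branch leaves the value wrong; the fix is to capture the subject at the ACS and hand it to logout().

```php
<?php
// Added example, not Xibo or php-saml code. Assumes onelogin/php-saml 3.x and a
// $samlSettings array like the one in the thread; $_SESSION keys are hypothetical.
require_once __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Auth;
use OneLogin\Saml2\LogoutRequest;
use OneLogin\Saml2\Settings;

/**
 * ACS endpoint (/saml/acs): after php-saml has validated the Response, keep the
 * exact subject the IdP put in the assertion. The IdP matches a later
 * LogoutRequest on NameID value + Format + SessionIndex, so these must be
 * reused verbatim rather than rebuilt from the local user record.
 */
function samlAcs(array $samlSettings): void
{
    $auth = new Auth($samlSettings);
    $auth->processResponse();   // with 'strict' => true this enforces the 'security' block

    if (!empty($auth->getErrors()) || !$auth->isAuthenticated()) {
        throw new RuntimeException('SAML login failed: ' . $auth->getLastErrorReason());
    }

    $_SESSION['samlNameId']       = $auth->getNameId();        // the email when the IdP uses emailAddress
    $_SESSION['samlNameIdFormat'] = $auth->getNameIdFormat();  // Format attribute of <saml:NameID>
    $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();  // AuthnStatement/@SessionIndex
}

/**
 * SP-initiated logout (/saml/logout): hand the stored subject to logout().
 * Called without these arguments, php-saml's LogoutRequest uses the IdP
 * entityId as the NameID and omits <samlp:SessionIndex>.
 */
function samlLogout(array $samlSettings): void
{
    $auth = new Auth($samlSettings);
    $auth->logout(
        null,                                   // returnTo: use the SP default
        [],                                     // no extra query parameters
        $_SESSION['samlNameId'] ?? null,
        $_SESSION['samlSessionIndex'] ?? null,
        false,                                  // stay=false: redirect to the IdP SLO URL now
        $_SESSION['samlNameIdFormat'] ?? null
    );
}

/**
 * Self-check: build the LogoutRequest XML without sending it and read back what
 * the IdP will see. Compare the result with the <saml:NameID> and
 * AuthnStatement/@SessionIndex of the login assertion.
 */
function describeLogoutRequest(array $samlSettings, string $nameId, string $nameIdFormat, string $sessionIndex): array
{
    $settings = new Settings($samlSettings);
    $request  = new LogoutRequest($settings, null, $nameId, $sessionIndex, $nameIdFormat);
    $xml      = $request->getXML();

    return [
        'nameId'         => LogoutRequest::getNameIdData($xml),    // ['Value' => ..., 'Format' => ..., ...]
        'sessionIndexes' => LogoutRequest::getSessionIndexes($xml),
    ];
}

/**
 * Diagnostic for a captured redirect: the SAMLRequest query parameter of the
 * HTTP-Redirect binding is DEFLATE-compressed and then base64-encoded (the
 * HTTP-POST binding is base64 only), so this recovers the XML either way.
 */
function decodeSamlRequestParam(string $param): string
{
    $raw = base64_decode($param, true);
    if ($raw === false) {
        throw new InvalidArgumentException('SAMLRequest is not valid base64');
    }
    $inflated = @gzinflate($raw);
    return $inflated === false ? $raw : $inflated;
}

// Usage sketch, assuming the session was populated by samlAcs():
// print_r(describeLogoutRequest($samlSettings, $_SESSION['samlNameId'],
//     $_SESSION['samlNameIdFormat'], $_SESSION['samlSessionIndex']));
// echo decodeSamlRequestParam($_GET['SAMLRequest']);
```

With Auth0 configured to issue an emailAddress NameID, getNameId() returns the user's email and getNameIdFormat() the 1.1 emailAddress URI, so the LogoutRequest carries both without any edit to the vendor LogoutRequest.php. describeLogoutRequest() should report 'Value' equal to that email and a non-empty 'sessionIndexes' list holding the SessionIndex from the AuthnStatement; an IdP entityId in 'Value' or an empty list means the logout route is not passing the stored subject. Separately, with 'strict' => false and logoutRequestSigned / wantMessagesSigned both false, the SP neither signs its LogoutRequest nor requires the LogoutResponse it receives at /saml/sls to be signed, so those should be turned on once the exchange works.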