Missing name id for valid SloLogoutrequest #668

Closed
manuel-tud opened this issue Sep 22, 2023 · 3 comments

Comments

@manuel-tud

manuel-tud commented Sep 22, 2023

We implemented the complete login and logout flow with a Shibboleth IdP. Now we are working on the last missing step, the IdP-initiated logout. Shibboleth sends a logout request, which is valid according to RubySAML. However, RubySAML does not provide a nameId, so it is unclear which user should be logged out.
The nameId is transmitted by the IdP in encrypted form. The keys needed for decryption are all passed along.

logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
  params[:SAMLRequest], settings: saml_settings
)
if !logout_request.is_valid?
  logger.error "IdP-initiated LogoutRequest was not valid: #{logout_request.errors.join(', ')}"
  return head :bad_request
else
  pp logout_request
  # prints the logout request containing the config with all necessary keys and the provided
  # saml2p:LogoutRequest containing the NameID encrypted in a <saml2:EncryptedID> element
end

logger.info "IdP initiated Logout for #{logout_request.name_id}"
# prints: "IdP initiated Logout for "   (name_id is empty)

# Generate a response to the IdP.
logout_request_id = logout_request.id
logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(saml_settings, logout_request_id)
redirect_to logout_response
@pitbulk
Collaborator

pitbulk commented Sep 30, 2023

You can extract the name_id using the method available on the response object, then store that value in the app session in order to be able to generate LogoutRequests sent to the IdP, including that NameID.

The toolkit sadly does not currently support decrypting NameIDs included in LogoutRequests and currently expects them in the clear, but the toolkit already supported encrypted NameIDs on SAMLResponse, so it was not hard to add such support.

I have not tested it yet, can you give it a try?
Override the slo_logoutrequest.rb file
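
As an illustration of what is described above (an EncryptedID inside a LogoutRequest, which the toolkit at that time could read only in the clear), here is an added, self-contained Ruby example. It is not ruby-saml's code and not the change merged for this issue: a toy IdP side builds a LogoutRequest whose NameID is wrapped in <saml2:EncryptedID> with AES-128-CBC for the data and RSA-OAEP (the XML Enc rsa-oaep-mgf1p key transport) for the session key, and an SP side unwraps it with the SP private key, the same key ruby-saml would have as settings.private_key. The SAML and XML Encryption namespace URIs are the real ones; the issuer URL, the RSA key, the NameID value and the request_id are constructed for the demo, and the choice of aes128-cbc is an assumption (a real IdP may use another data algorithm such as AES-GCM, which this toy rejects rather than decrypts).

```ruby
require "openssl"
require "base64"
require "time"
require "rexml/document"
require "securerandom"

# Namespaces used by SAML 2.0 protocol/assertion, XML Encryption and XML Signature.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML  = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC  = "http://www.w3.org/2001/04/xmlenc#"
DS    = "http://www.w3.org/2000/09/xmldsig#"
NS    = { "samlp" => SAMLP, "saml2" => SAML, "xenc" => XENC, "ds" => DS }

# Toy IdP side (stand-in for Shibboleth, not its code): encrypt the NameID element
# with a fresh AES-128-CBC key, wrap that key for the SP with RSA-OAEP (MGF1/SHA-1,
# i.e. XML Enc "rsa-oaep-mgf1p") and embed both in a LogoutRequest.
def build_encrypted_logout_request(name_id, sp_public_key, request_id: "_" + SecureRandom.hex(16))
  plain = %(<saml2:NameID xmlns:saml2="#{SAML}" ) +
          %(Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">) +
          REXML::Text.new(name_id).to_s + "</saml2:NameID>"
  aes = OpenSSL::Cipher.new("aes-128-cbc").encrypt
  key = aes.random_key
  iv  = aes.random_iv
  ciphertext  = aes.update(plain) + aes.final   # PKCS#7 padding also satisfies XML Enc's "last byte = pad length"
  wrapped_key = sp_public_key.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  <<~XML
    <samlp:LogoutRequest xmlns:samlp="#{SAMLP}" xmlns:saml2="#{SAML}" ID="#{request_id}" Version="2.0" IssueInstant="#{Time.now.utc.iso8601}">
      <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
      <saml2:EncryptedID>
        <xenc:EncryptedData xmlns:xenc="#{XENC}" Type="#{XENC}Element">
          <xenc:EncryptionMethod Algorithm="#{XENC}aes128-cbc"/>
          <ds:KeyInfo xmlns:ds="#{DS}">
            <xenc:EncryptedKey>
              <xenc:EncryptionMethod Algorithm="#{XENC}rsa-oaep-mgf1p"/>
              <xenc:CipherData><xenc:CipherValue>#{Base64.strict_encode64(wrapped_key)}</xenc:CipherValue></xenc:CipherData>
            </xenc:EncryptedKey>
          </ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>#{Base64.strict_encode64(iv + ciphertext)}</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </saml2:EncryptedID>
    </samlp:LogoutRequest>
  XML
end

# SP side: locate the EncryptedID, unwrap the session key with the SP private key,
# decrypt the payload and return the NameID value and Format. Returns nil when the
# request carries no EncryptedID (a plain NameID would simply be read directly).
def decrypt_logout_request_name_id(xml, sp_private_key)
  doc = REXML::Document.new(xml)
  enc_data = REXML::XPath.first(doc, "/samlp:LogoutRequest/saml2:EncryptedID/xenc:EncryptedData", NS)
  return nil unless enc_data

  data_alg = REXML::XPath.first(enc_data, "./xenc:EncryptionMethod", NS)["Algorithm"]
  key_node = REXML::XPath.first(enc_data, "./ds:KeyInfo/xenc:EncryptedKey", NS)
  key_alg  = REXML::XPath.first(key_node, "./xenc:EncryptionMethod", NS)["Algorithm"]
  # Only the algorithms this toy implements; anything else is refused, never guessed.
  raise "unsupported data encryption algorithm #{data_alg}" unless data_alg == "#{XENC}aes128-cbc"
  raise "unsupported key transport algorithm #{key_alg}" unless key_alg == "#{XENC}rsa-oaep-mgf1p"

  wrapped = Base64.decode64(REXML::XPath.first(key_node, "./xenc:CipherData/xenc:CipherValue", NS).text)
  blob    = Base64.decode64(REXML::XPath.first(enc_data, "./xenc:CipherData/xenc:CipherValue", NS).text)
  aes_key = sp_private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)

  cipher = OpenSSL::Cipher.new("aes-128-cbc").decrypt
  cipher.padding = 0                       # strip XML Enc padding ourselves (last byte = pad length)
  cipher.key = aes_key
  cipher.iv  = blob.byteslice(0, 16)       # XML Enc prepends the IV to the ciphertext
  padded  = cipher.update(blob.byteslice(16, blob.bytesize - 16)) + cipher.final
  pad_len = padded.bytes.last
  raise "invalid padding" unless pad_len.between?(1, 16)
  plain = padded.byteslice(0, padded.bytesize - pad_len).force_encoding("UTF-8")

  name_id = REXML::Document.new(plain).root
  raise "decrypted element is not a saml2:NameID" unless name_id.name == "NameID" && name_id.namespace == SAML
  { value: name_id.text, format: name_id["Format"] }
end

if $PROGRAM_NAME == __FILE__
  sp_key = OpenSSL::PKey::RSA.new(2048)    # stands in for the SP key pair in saml_settings
  request = build_encrypted_logout_request("user@example.org", sp_key.public_key)
  p decrypt_logout_request_name_id(request, sp_key)
end
```

Decryption only restores confidentiality of the identifier: whether the LogoutRequest really came from the IdP still rests on the request's signature validation, which is a separate check from decryption, and the decrypted NameID then has to be matched against the user recorded in the SP session before anyone is logged out.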

@pitbulk
Collaborator

pitbulk commented Sep 30, 2023

@manuel-tud, I tested it and it worked. I merged it into the main branch:
#671

@pitbulk pitbulk closed this as completed Sep 30, 2023
@manuel-tud
Author

manuel-tud commented Oct 2, 2023

@pitbulk: Thank you so much, it works perfectly. :)

I've now added the git repo in our Gemfile. It would be great if you could give the current state a version tag, so that we can switch back to a normal versioned entry in the file.

Thanks again for the very quick fix!
