SP invoked logout does not revoke session for IdP #711

Open
smoebody opened this issue Apr 3, 2023 · 1 comment


smoebody commented Apr 3, 2023

Steps to reproduce

  1. Log in via SAML
  2. Log out with the Nextcloud logout button

Expected behaviour

The IdP should revoke the session for the SP and ask for credentials again.

Actual behaviour

The IdP remembers the SP session and seamlessly logs the user in again.

Server configuration

Operating system: Debian Linux

Web server: Nginx

Database: PostgreSQL

PHP version: 8.0.28

Nextcloud version: 25.0.4 Enterprise

Where did you install Nextcloud from: Nextcloud Portal

List of activated apps:

  - activity: 2.17.0
  - appointments: 1.14.11
  - calendar: 4.2.4
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.1.0
  - contactsinteraction: 1.6.0
  - dav: 1.24.0
  - deck: 1.8.3
  - drawio: 2.1.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_mindmap: 0.0.27
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - forms: 3.2.0
  - groupfolders: 13.1.1
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - onlyoffice: 7.6.8
  - password_policy: 1.15.0
  - photos: 2.0.1
  - polls: 4.1.8
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.4
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - user_ldap: 1.15.0
  - user_saml: 5.1.2
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0

Nextcloud configuration:

```json
{
    "system": {
        "installed": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "version": "25.0.4.2",
        "forwarded_for_headers": [
            "X-Forwarded-For"
        ],
        "trusted_domains": [
            "cloud.hmt-leipzig.de"
        ],
        "default_phone_region": "DE",
        "allow_local_remote_servers": true,
        "overwrite.cli.url": "https:\/\/cloud.hmt-leipzig.de",
        "overwritehost": "cloud.hmt-leipzig.de",
        "overwriteprotocol": "https",
        "dbtype": "pgsql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": false
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "appstoreenabled": false,
        "integrity.check.disabled": true,
        "check_for_working_htaccess": false,
        "log_level": 2
    }
}
```

SAML configuration

- 1:
    - general-uid_mapping: urn:oid:0.9.2342.19200300.100.1.1
    - general-idp0_display_name: Login
    - idp-entityId: <redacted>
    - idp-singleSignOnService.url: <redacted>
    - sp-x509cert: <redacted>
    - sp-privateKey: <redacted>
    - idp-singleLogoutService.url: <redacted>
    - idp-x509cert: <redacted>
    - saml-attribute-mapping-displayName_mapping: urn:oid:2.16.840.1.113730.3.1.241
    - saml-attribute-mapping-email_mapping: urn:oid:0.9.2342.19200300.100.1.3
    - security-nameIdEncrypted: 1
    - security-authnRequestsSigned: 1
    - security-logoutRequestSigned: 1
    - security-signMetadata: 1
    - security-wantAssertionsSigned: 1
    - security-wantMessagesSigned: 1
    - security-wantAssertionsEncrypted: 1
    - security-wantNameId: 1
    - security-wantXMLValidation: 1
    - idp-singleLogoutService.responseUrl: 
    - security-logoutResponseSigned: 1
    - security-wantNameIdEncrypted: 0
    - sp-name-id-format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Client configuration

Browser: Chromium / Firefox / Chrome

Operating system: Fedora Linux

Logs

Here is the Shibboleth log, which contains the only messages I receive upon logout:

```
ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:709] - Error decrypting encrypted key: Unwrapping failed
ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:646] - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:538] - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
ERROR [org.opensaml.saml.saml2.encryption.Decrypter:183] - SAML Decrypter encountered an error decrypting element content: Failed to decrypt EncryptedData
WARN [org.opensaml.saml.saml2.profile.impl.DecryptNameIDs:99] - Profile Action DecryptNameIDs: Failure performing decryption
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
        at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:541)
WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: DecryptNameIDFailed
```
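The Shibboleth log above shows the IdP failing to decrypt the NameID in the incoming LogoutRequest and ending processing with the DecryptNameIDFailed event, which leaves the IdP session untouched. As an added triage example (not code from user_saml or Shibboleth), the script below checks whether a captured LogoutRequest carries a saml:EncryptedID, the form the SP emits with security-nameIdEncrypted set to 1, and scans IdP log lines for that event; the request XML, the issuer URL and the log lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed LogoutRequest carrying an EncryptedID (dummy ciphertext),
# the form the SP sends when security-nameIdEncrypted is 1.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  ID="_req1" Version="2.0" IssueInstant="2023-04-03T10:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <saml:EncryptedID><xenc:EncryptedData><xenc:CipherData>
    <xenc:CipherValue>ZHVtbXk=</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData></saml:EncryptedID>
</samlp:LogoutRequest>"""

# Constructed log lines in the format of the Shibboleth excerpt above.
SAMPLE_LOG = """\
ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:709] - Error decrypting encrypted key: Unwrapping failed
WARN [org.opensaml.saml.saml2.profile.impl.DecryptNameIDs:99] - Profile Action DecryptNameIDs: Failure performing decryption
WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: DecryptNameIDFailed
"""

def inspect_logout_request(xml_text):
    """Return the issuer and the NameID form (plain/encrypted/missing)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    form = ("encrypted" if root.find("saml:EncryptedID", NS) is not None
            else "plain" if root.find("saml:NameID", NS) is not None
            else "missing")
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS), "name_id": form}

_EVENT = re.compile(r"non-proceed event .*?: (?P<event>\w+)$")

def failed_slo_events(log_text):
    """Collect the non-proceed event names the IdP logged for the request."""
    return [m.group("event") for line in log_text.splitlines()
            if (m := _EVENT.search(line.strip()))]

def diagnose(xml_text, log_text):
    """EncryptedID plus DecryptNameIDFailed: the IdP never resolved the subject,
    dropped the request, and its session survived the SP-initiated logout."""
    req = inspect_logout_request(xml_text)
    if req["name_id"] == "encrypted" and "DecryptNameIDFailed" in failed_slo_events(log_text):
        return "idp-cannot-decrypt-nameid"
    return "no-decryption-failure"
```

Run `diagnose()` against a LogoutRequest captured from the browser and the IdP log for the same request; a hit means the IdP must be given the decryption key matching the SP's encryption certificate, or the SP must stop encrypting the NameID.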
solracsf (Member) commented Jun 2, 2023

@smoebody since you hold an Enterprise licence, did you contact Nextcloud support directly besides this ticket?
