Closed: linscombe closed this issue 4 years ago
@pierre-lehnen-rc is this the same issue as in https://github.com/RocketChat/Rocket.Chat/issues/17919 ?
Not the same. This one was fixed on the 3.4 version, so I'll be closing this issue.
Following up... confirmed v3.4 fixes this issue. It’s extra helpful to be able to see and change the xml of the response in admin settings... although in my case I was able to use the defaults again. Thanks @pierre-lehnen-rc for the fix!
@linscombe Do you use ADFS?
@Guile17 no haven’t used ADFS sorry
Description:
SAML logout response is invalid when the logout action is started from the IDP. The <saml2p:StatusCode> element should always be placed inside of a <saml2p:Status> element, but this is not happening for the response following the SLO request from an IDP. The LogoutResponse from Rocket.Chat is not according to the SAML2 specifications, which makes it impossible for the IDP to find the StatusCode element in the response. According to the spec, the StatusCode element needs to be within the Status element.
SAML core spec 3.7.2: LogoutResponse is of type StatusResponseType. 3.2.2 StatusResponseType:
<Status> [Required]
3.2.2.1 Status: <StatusCode> [Required]
This would be correct:
NOTE: The logout response IS valid when clicking Logout directly within Rocket.Chat... it is not valid when the logout request comes from the IDP. The two logout responses are different based on the origin of the logout.
Steps to reproduce:
Expected behavior:
Format of Logout Response on step 7 should look like this:
Actual behavior:
IDP receives invalid SAML Logout Response and cannot log out user completely.
Server Setup Information:
Client Setup Information
Same issues on other operating systems / browsers
Additional context
I first saw this problem after the fix for #17439 which I reported in April. While they are both related to SAML logout, I am not certain they are related and can't confirm if the response was different before.
I wish I knew the codebase better to submit a PR instead but thank you in advance if anyone is able to find a fix for this!
Relevant logs:
No relevant logs in addition to the 2 LogoutResponses noted above
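As an added example, not code from the issue or from Rocket.Chat, a small validator that checks the nesting the report describes (SAML core 3.2.2: the required StatusCode must sit inside Status). The two LogoutResponse documents are constructed samples, one in the correct shape and one with StatusCode misplaced directly under LogoutResponse; the validator matches on namespace URI, so it also accepts the samlp: prefix.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: StatusCode nested inside Status, as the spec requires.
VALID_RESPONSE = f"""<saml2p:LogoutResponse xmlns:saml2p="{SAMLP}"
    ID="_resp1" Version="2.0" IssueInstant="2020-06-01T00:00:00Z" InResponseTo="_req1">
  <saml2p:Status>
    <saml2p:StatusCode Value="{SUCCESS}"/>
  </saml2p:Status>
</saml2p:LogoutResponse>"""

# Constructed sample: StatusCode without a Status parent, the shape the issue
# reports for IdP-initiated single logout.
INVALID_RESPONSE = f"""<saml2p:LogoutResponse xmlns:saml2p="{SAMLP}"
    ID="_resp2" Version="2.0" IssueInstant="2020-06-01T00:00:00Z" InResponseTo="_req2">
  <saml2p:StatusCode Value="{SUCCESS}"/>
</saml2p:LogoutResponse>"""


def check_logout_response(xml_text):
    """Return (ok, problems, status_value) for a SAML 2.0 LogoutResponse.

    Checks follow SAML core 3.2.2 (StatusResponseType): exactly one Status
    child, which in turn holds the required StatusCode with a Value attribute.
    Elements are matched by namespace URI, so any prefix works.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        problems.append("root element is not samlp:LogoutResponse")
    statuses = root.findall(f"{{{SAMLP}}}Status")
    if len(statuses) != 1:
        problems.append(f"expected exactly one Status element, found {len(statuses)}")
    # find() only looks at direct children, so this catches the misplacement.
    if root.find(f"{{{SAMLP}}}StatusCode") is not None:
        problems.append("StatusCode is a direct child of LogoutResponse, not of Status")
    status_value = None
    if statuses:
        code = statuses[0].find(f"{{{SAMLP}}}StatusCode")
        if code is None:
            problems.append("Status has no StatusCode child")
        else:
            status_value = code.get("Value")
            if not status_value:
                problems.append("StatusCode lacks the required Value attribute")
    return (not problems, problems, status_value)
```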