Closed mateuszmandera closed 1 year ago
At the delete_session_cb you can do whatever you want, and your callback can include args.
Another alternative is to call process_slo with keep_local_session=True, and then do whatever you need after the process_slo call
Yeah, that's the approach I've taken. However, I meant to suggest that perhaps NameID should be involved here more natively, by being passed to the callback for the sake of correctness. Yes, the code calling this can extract the NameID by using the OneLogin2_Logout_Request class and then use it when defining the callback, but that's kind of a workaround - when validating the NameID looks like it should be the default approach?
I think I'm running into this issue. ADFS requires the SAML logout request to include a NameID. https://www.componentspace.com/Forums/9755/ADFS-IDP-initiated-SLO-not-working-properly?Keywords=ADFS%20Authentication%20Policies
As far as I understand, a LogoutRequest does not need to be delivered to the Service Provider in a way that carries a session cookie for the user that's supposed to be logged out. In other words, the IdP could deliver a LogoutRequest for the logout of user A e.g. in a back-channel way, so that the target user cannot be figured out by looking at the session cookie, and thus the NameID needs to be used to determine who to log out.
Also, a LogoutRequest that doesn't specify SessionIndex means that ALL sessions for the user should be terminated: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
For which again, the NameID likely has to be inspected. process_slo is structured in a way that ignores the NameID:
Should this perhaps be addressed by e.g. passing the NameID as an argument to delete_session_cb?
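The two points above (a LogoutRequest may arrive without the target user's session cookie, and a LogoutRequest with no SessionIndex covers all of that user's sessions) are illustrated by this added example, which is not part of the thread or of the library under discussion. It parses a constructed LogoutRequest with the standard library only and selects the local sessions to terminate by NameID; the XML, the session store layout and the function names are assumptions for the sake of illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an IdP-initiated LogoutRequest naming one session index.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test/</saml:Issuer>'
    '<saml:NameID>alice@example.test</saml:NameID>'
    '<samlp:SessionIndex>idx-1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>' % (NS["samlp"], NS["saml"])
)
# Same request with no SessionIndex at all: every session of the principal is in scope.
SAMPLE_LOGOUT_REQUEST_NO_INDEX = SAMPLE_LOGOUT_REQUEST.replace(
    "<samlp:SessionIndex>idx-1</samlp:SessionIndex>", "")

# Constructed SP session store (assumed layout): local session id -> owner and index.
SAMPLE_SESSIONS = {
    "s1": {"name_id": "alice@example.test", "session_index": "idx-1"},
    "s2": {"name_id": "alice@example.test", "session_index": "idx-2"},
    "s3": {"name_id": "bob@example.test", "session_index": "idx-3"},
}


def parse_logout_request(xml_text):
    """Return (NameID, [SessionIndex, ...]) from a SAML 2.0 LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.findtext("saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("LogoutRequest carries no NameID")
    indexes = [e.text.strip() for e in root.findall("samlp:SessionIndex", NS) if e.text]
    return name_id, indexes


def sessions_to_terminate(xml_text, session_store):
    """Select local sessions by NameID, never by the caller's cookie: the request may
    arrive on a channel with no session cookie, and a missing SessionIndex means
    all of the principal's sessions are to be terminated."""
    name_id, indexes = parse_logout_request(xml_text)
    return sorted(sid for sid, s in session_store.items()
                  if s["name_id"] == name_id
                  and (not indexes or s["session_index"] in indexes))
```

The returned session ids are what a delete_session_cb would then remove from the store, which is why the NameID has to be known before (or inside) that callback.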