Closed manuel-tud closed 9 months ago
You can extract the name_id using the method available in the response object, then you can store that value in the app session in order to be able to generate LogoutRequests sent to the IdP, including that NameId.
The toolkit sadly does not currently support decrypting NameIds included in LogoutRequests and currently expects them in clear text, but the toolkit already supported encrypted NameIds on SAMLResponse, so it was not hard to add such support.
I have not tested it yet, can you give it a try? Override the slo_logoutrequest.rb file
@manuel-tud, I tested it and worked, I merged it to the main branch https://github.com/SAML-Toolkits/ruby-saml/pull/671
@pitbulk: Thank you so much, it works perfectly. :)
I've now added the git repo in our Gemfile. Would be great if you could give the current state a version tag, so that we can switch back to a normal versioned entry in the file.
Thanks again for the very quick fix!
We implemented the complete login and logout flow with a Shibboleth IdP. Now we are working on the last missing step, the IdP-initiated logout. Shibboleth sends a logout request, which is valid according to RubySAML. However, RubySAML does not provide a nameId, so it is unclear which user should be logged out. The nameId is transmitted by the IdP in encrypted form. The keys needed for decryption are all passed along.
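The decryption step this thread is about, as an added example that is not ruby-saml's own code: an SP-side helper that pulls the NameID out of a LogoutRequest carrying a `<saml:EncryptedID>` (XML Encryption with an AES-128-CBC session key wrapped under RSA-OAEP, the shape Shibboleth produces), plus a constructed builder that stands in for the IdP. Names, the constructed XML and the generated SP key are assumptions for the demo; signature checking is out of scope here.

```ruby
require "openssl"
require "rexml/document"
require "base64"

NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion", "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
       "xenc" => "http://www.w3.org/2001/04/xmlenc#" }.freeze

# SP side (hypothetical helper, not ruby-saml's): recover the NameID from a LogoutRequest
# whose <saml:EncryptedID> uses AES-128-CBC data with the session key wrapped by RSA-OAEP.
def decrypt_logout_name_id(xml, sp_key)
  doc = REXML::Document.new(xml)
  enc = REXML::XPath.first(doc, "//saml:EncryptedID", NS) or return nil   # plain NameID or none
  wrapped = REXML::XPath.first(enc, ".//xenc:EncryptedKey//xenc:CipherValue", NS).text
  data    = REXML::XPath.first(enc, "./xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", NS).text
  aes_key = sp_key.private_decrypt(Base64.decode64(wrapped), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  blob = Base64.decode64(data)
  c = OpenSSL::Cipher.new("aes-128-cbc").decrypt
  c.padding = 0                        # xmlenc padding: last byte = pad length, other bytes arbitrary
  c.key, c.iv = aes_key, blob[0, 16]   # xmlenc prepends the IV to the ciphertext
  plain = c.update(blob[16..]) + c.final
  plain = plain[0...-plain[-1].ord]    # strip the pad, whatever the filler bytes are
  REXML::Document.new(plain.force_encoding("UTF-8")).root.text
end

# Constructed stand-in for the LogoutRequest an IdP such as Shibboleth sends (signature omitted).
def build_encrypted_logout_request(name_id, sp_key)
  c = OpenSSL::Cipher.new("aes-128-cbc").encrypt
  c.padding = 0
  key, iv = c.random_key, c.random_iv
  frag = "<saml:NameID xmlns:saml=\"#{NS['saml']}\">#{name_id}</saml:NameID>".b
  pad = 16 - frag.bytesize % 16
  frag << OpenSSL::Random.random_bytes(pad - 1) << pad.chr   # xmlenc-style padding, random filler
  data    = Base64.strict_encode64(iv + c.update(frag) + c.final)
  wrapped = Base64.strict_encode64(sp_key.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))
  <<~XML
    <samlp:LogoutRequest xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}" ID="_constructed">
      <saml:EncryptedID xmlns:xenc="#{NS['xenc']}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
          <ds:KeyInfo><xenc:EncryptedKey>
            <xenc:CipherData><xenc:CipherValue>#{wrapped}</xenc:CipherValue></xenc:CipherData>
          </xenc:EncryptedKey></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>#{data}</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </saml:EncryptedID>
    </samlp:LogoutRequest>
  XML
end

sp_key = OpenSSL::PKey::RSA.new(2048)   # SP decryption key, generated here for the demo
puts decrypt_logout_name_id(build_encrypted_logout_request("alice@example.org", sp_key), sp_key)
```

The recovered NameID is what the app needs to look up the session to terminate; a request with no `<saml:EncryptedID>` yields `nil`, so callers must fall back to a plain NameID or reject the request.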