SAML-Toolkits / ruby-saml

SAML SSO for Ruby
https://developers.onelogin.com/v1.0/page/saml-toolkit-for-ruby-on-rails
MIT License

Missing name id for valid SloLogoutrequest #668

Closed manuel-tud closed 9 months ago

manuel-tud commented 9 months ago

We implemented the complete login and logout flow with a Shibboleth IdP. Now we are working on the last missing step, the IdP-initiated logout. Shibboleth sends a logout request, which is valid according to RubySAML. However, RubySAML does not provide a nameId, so it is unclear which user should be logged out. The nameId is transmitted by the IdP in encrypted form. The keys needed for decryption are all passed along.

logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
  params[:SAMLRequest], settings: saml_settings
)
if !logout_request.is_valid?
  return render :inline => logger.error
else
  pp logout_request
  # prints the logout request containing the config with all necessary keys and the provided saml2p:LogoutRequest containing the name id encrypted in an <saml2:EncryptedID> element
end

logger.info "IdP initiated Logout for #{logout_request.name_id}"
# prints: "IdP initiated Logout for "

# Generate a response to the IdP.
logout_request_id = logout_request.id
logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(saml_settings, logout_request_id)
redirect_to logout_response

pitbulk commented 9 months ago

You can extract the name_id using the method available in the response object, then store that value in the app session in order to be able to generate LogoutRequests sent to the IdP that include that NameId.

Sadly, the toolkit does not currently support decrypting NameIds included in LogoutRequests and expects them in the clear, but the toolkit already supported encrypted NameIds in SAMLResponses, so it was not hard to add such support.

I have not tested it yet; can you give it a try? Override the slo_logoutrequest.rb file.
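
The mechanism behind the fix, as an added example that is not ruby-saml's code nor anything posted in this thread: an IdP-initiated LogoutRequest carries the subject as <saml2:EncryptedID>, an XML Encryption blob in which a random AES content key is wrapped with the SP's RSA public key, so recovering the NameID means unwrapping that key with the SP private key and then decrypting the element. The code below does that with Ruby's standard library only (REXML and OpenSSL), assuming the algorithm pair most IdPs use, aes128-cbc for the content and rsa-oaep-mgf1p for the key transport, and refusing anything else instead of guessing. Everything else is constructed for the example: the function names, the issuer https://idp.example.org/idp/shibboleth, the request ID and timestamp, and the subject alice@example.org. The encrypt_name_id and sample_logout_request helpers only stand in for the IdP so the example runs offline.

```ruby
# Added example, not ruby-saml code: recover the NameID from an IdP-initiated
# LogoutRequest whose <saml2:EncryptedID> uses AES-128-CBC + RSA-OAEP (XML-Enc).
require 'openssl'
require 'rexml/document'

SAML2 = 'urn:oasis:names:tc:SAML:2.0:assertion'
XENC  = 'http://www.w3.org/2001/04/xmlenc#'
DSIG  = 'http://www.w3.org/2000/09/xmldsig#'
AES128_CBC = "#{XENC}aes128-cbc"
RSA_OAEP   = "#{XENC}rsa-oaep-mgf1p"
NS = { 'saml' => SAML2, 'xenc' => XENC, 'ds' => DSIG }.freeze

def cipher_value(node) # decoded base64 of the CipherValue below +node+
  text = REXML::XPath.first(node, 'xenc:CipherData/xenc:CipherValue', NS)&.text
  raise 'CipherValue missing' unless text
  text.unpack1('m')
end

def algorithm_of(node)
  method = REXML::XPath.first(node, 'xenc:EncryptionMethod', NS)
  method && method.attributes['Algorithm']
end

# Returns the NameID value, or nil when the request carries no <saml2:EncryptedID>.
# Call it only after the request's signature has been verified (is_valid? above).
def decrypt_name_id(logout_request_xml, sp_private_key)
  doc = REXML::Document.new(logout_request_xml)
  enc_data = REXML::XPath.first(doc, '//saml:EncryptedID/xenc:EncryptedData', NS)
  return nil unless enc_data
  raise "unsupported data algorithm: #{algorithm_of(enc_data).inspect}" unless algorithm_of(enc_data) == AES128_CBC

  # 1. Unwrap the content-encryption key with the SP private key (RSA-OAEP).
  enc_key = REXML::XPath.first(enc_data, 'ds:KeyInfo/xenc:EncryptedKey', NS)
  raise 'EncryptedKey missing' unless enc_key
  raise "unsupported key algorithm: #{algorithm_of(enc_key).inspect}" unless algorithm_of(enc_key) == RSA_OAEP
  aes_key = sp_private_key.private_decrypt(cipher_value(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  raise 'unexpected key length' unless aes_key.bytesize == 16

  # 2. XML-Enc CBC data is IV || ciphertext with ISO 10126 padding: only the last
  #    byte (the pad length) is fixed, so disable OpenSSL's PKCS#7 check and strip by hand.
  blob = cipher_value(enc_data)
  raise 'ciphertext too short or misaligned' if blob.bytesize < 32 || blob.bytesize % 16 != 0
  aes = OpenSSL::Cipher.new('aes-128-cbc')
  aes.decrypt
  aes.key = aes_key
  aes.iv = blob.byteslice(0, 16)
  aes.padding = 0
  plain = aes.update(blob.byteslice(16, blob.bytesize - 16)) + aes.final
  pad = plain.getbyte(-1)
  raise 'bad padding' unless pad.between?(1, 16) && pad < plain.bytesize
  plain = plain.byteslice(0, plain.bytesize - pad).force_encoding('UTF-8')

  # 3. The fragment usually relies on prefixes declared on the enclosing request, so
  #    re-declare the root's namespaces around it, then insist it really is a saml:NameID.
  decls = doc.root.namespaces.map { |p, uri| p == 'xmlns' ? %(xmlns="#{uri}") : %(xmlns:#{p}="#{uri}") }
  wrapped = REXML::Document.new("<w #{decls.join(' ')}>#{plain}</w>")
  name_id = REXML::XPath.first(wrapped, '/w/saml:NameID', NS)
  raise 'decrypted element is not a NameID' unless name_id
  name_id.text.to_s.strip
end

# Constructed fixtures standing in for the IdP side so the example runs offline.
def encrypt_name_id(name_id_fragment, sp_public_key)
  aes_key = OpenSSL::Random.random_bytes(16)
  iv = OpenSSL::Random.random_bytes(16)
  aes = OpenSSL::Cipher.new('aes-128-cbc')
  aes.encrypt
  aes.key = aes_key
  aes.iv = iv
  ciphertext = iv + aes.update(name_id_fragment) + aes.final # PKCS#7 pad is a valid ISO 10126 pad
  wrapped_key = sp_public_key.public_encrypt(aes_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  <<~XML
    <saml2:EncryptedID>
      <xenc:EncryptedData xmlns:xenc="#{XENC}" Type="#{XENC}Element">
        <xenc:EncryptionMethod Algorithm="#{AES128_CBC}"/>
        <ds:KeyInfo xmlns:ds="#{DSIG}">
          <xenc:EncryptedKey>
            <xenc:EncryptionMethod Algorithm="#{RSA_OAEP}"/>
            <xenc:CipherData><xenc:CipherValue>#{[wrapped_key].pack('m0')}</xenc:CipherValue></xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>#{[ciphertext].pack('m0')}</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </saml2:EncryptedID>
  XML
end

def sample_logout_request(encrypted_id_xml) # issuer, ID and timestamp are made up
  <<~XML
    <saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="#{SAML2}" ID="_constructed-example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
      <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
      #{encrypted_id_xml}
    </saml2p:LogoutRequest>
  XML
end
```

To try it, generate an SP key with OpenSSL::PKey::RSA.new(2048), build a request with sample_logout_request(encrypt_name_id(fragment, key)) where fragment is a <saml2:NameID> element, and pass the request and the same key to decrypt_name_id. Two checks matter in practice: decrypt only after is_valid? has verified the request's signature, because an unsigned NameID is just attacker-chosen input, and compare the decrypted value against the NameID you stored in the session at login (as suggested above) rather than treating any decryptable value as the user to log out.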

pitbulk commented 9 months ago

@manuel-tud, I tested it and worked, I merged it to the main branch https://github.com/SAML-Toolkits/ruby-saml/pull/671

manuel-tud commented 9 months ago

@pitbulk: Thank you so much, it works perfectly. :)

I've now added the git repo in our Gemfile. It would be great if you could give the current state a version tag, so that we can switch back to a normal versioned entry in the file.

Thanks again for the very quick fix!