dwashko
commented
3 years ago I found this: https://github.com/onelogin/php-saml/pull/348 with the exact change we had to make to support Okta. From the responses this indicates that php-saml and I suspect this plugin too will not support POST for SLO even though it is an acceptable binding according to the SAML v2.0 documentation: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (see section 3.5 page 21). If I am reading this correctly: http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf (page 9) SAML 2.0 conformance requires HTTP-Redirect binding for SP initiated SLO. I guess that must mean Okta is not SAML V2.0 compliant at least for SLO? Since we will not see HTTP Post for SLO implemented here and it does not appear that Okta is going to HTTP Redirect Binding, (see: https://support.okta.com/help/s/question/0D50Z00008G7VGW/saml-httpredirect-instead-of-httppost-at-single-logout?language=en_US - dated Sept 5, 2018), we are at an impasse.
pitbulk
It appears that Okta is incapable of sending an HTTP-Redirect binding instead of a POST for Single Log Out. Looking at where the code fails: https://github.com/onelogin/wordpress-saml/blob/master/onelogin-saml-sso/php/lib/Saml2/Auth.php#L281To#L345. We have found pervious posts on the web indicating that this will never change to support anything other than an HTTP-Redirect (e.g.; https://github.com/onelogin/wordpress-saml/issues/18). I humbly ask this: What is wrong with adding another conditional to support HTTP Post like so:
if (isset($_POST['SAMLResponse'])) { $logoutResponse = new LogoutResponse($this->_settings, $_POST['SAMLResponse']);Replacing this:
if (isset($_GET['SAMLResponse'])) { $logoutResponse = new LogoutResponse($this->_settings, $_GET['SAMLResponse']);Replacing the latter with the former seems to solve our Okta SLO problem. I am wondering if there is some issue we might be missing as to why it may be unacceptable to do this?