SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

Idp initiated sign out problem. #25

Closed wintercomic closed 8 years ago

wintercomic commented 8 years ago

Hello,

I use wordpress-saml to connect WordPress with ADFS 3.0. I can get SSO and SP-initiated logout to work (logout in WordPress), but it fails in IdP-initiated logout.

SLO and Retrieve Parameters From Server option is enabled in configuration.

Based on the suggestion in https://github.com/onelogin/php-saml/issues/136, I modified the code and got rid of the ADFS certificate error. But I encounter other errors.

pitbulk commented 8 years ago

> I use wordpress-saml to connect WordPress with ADFS 3.0. I can get SSO and SP-initiated logout work (logout in WordPress). But fail in IDP-initiated Logout

Yes, I plan to fix the php-saml toolkit soon, release a new version and then populate this new version on all the projects that have php-saml as a dependency. It will take time since I will need to add a new configuration on the settings panel in order to enable or not the urlencode ADFS stuff.

> When User logout in ADFS, User can't logout in WordPress. I refresh the page or go to other page, user is still login WordPress.

Is ADFS not sending a LogoutRequest to WordPress?

> After User logout in ADFS, when User click logout button in WordPress, the error message "SLS endpoint found an error" is shown in https://xxxxxx.xxxx.xxx/wp-login.php?saml_sls&SAMLResponse=xxxxxxxxxxx. I go to WordPress again, and user is still logged in.

Is nothing more attached to the "SLS endpoint found an error"? It should be the reason for the error. Also review the SAMLResponse, maybe the reason is inside.

wintercomic commented 8 years ago

I confirm ADFS has sent the request to the SP. It seems WordPress can't process wp_logout() in IdP-initiated logout.

pitbulk commented 8 years ago

Can you record and share the LogoutRequest and enable the debug mode (saml advanced settings) in order to figure out the error?

wintercomic commented 8 years ago

When I click the logout button in ADFS, WordPress receives this request:

https://Wordpresss/wp-login.php?saml_sls&SAMLRequest=xxxxxxxxxxxxxxx&Signature=xxxxxxxxxxx&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1
<samlp:LogoutRequest ID="_f76f228f-59a1-49cb-b2a5-0d3bec1c53b1" Version="2.0" IssueInstant="2016-07-29T08:42:34.322Z" Destination="https://Wordpresss/wp-login.php?saml_sls" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" NotOnOrAfter="2016-07-29T08:47:34.322Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxxxxxxxx/adfs/services/trust</Issuer><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">HKj+d6oymubqosWRAI8kfHbHEUyc16XfN+CuZxmxaCY=</NameID><samlp:SessionIndex>_6ccca2dc-3b88-4480-ad05-7d88e30f00f7</samlp:SessionIndex></samlp:LogoutRequest>

ADFS receives this response:

https://xxxxxxxxxxx/adfs/ls/?SAMLResponse=xxxxxxxxxxxx&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=xxxxxxxxxxxxxxxxxxxxxxx
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="ONELOGIN_116368af27df3965c6b3a2073525f56efca509cd"
                  Version="2.0"
                  IssueInstant="2016-07-29T08:42:35Z"
                  Destination="https://xxxxxxxxxxx/adfs/ls/"
                  InResponseTo="_f76f228f-59a1-49cb-b2a5-0d3bec1c53b1"
                  >
    <saml:Issuer>http://WordPress/sp</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>

I click the refresh button on the WordPress page, and I am still logged in. Then I click the Logout button in WordPress, and ADFS receives the following request:

https://xxxxxxxxxxx/adfs/ls/?SAMLRequest=xxxxxxxxxx&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=xxxxxxxxxxx
<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_f8ac80d1746bde62ee37a6598b583df9415680fc"
    Version="2.0"
    IssueInstant="2016-07-29T08:55:24Z"
    Destination="https://xxxxxxxxxxx/adfs/ls/">
    <saml:Issuer>http://WordPress/sp</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">HKj+d6oymubqosWRAI8kfHbHEUyc16XfN+CuZxmxaCY=</saml:NameID>
    <samlp:SessionIndex>_6ccca2dc-3b88-4480-ad05-7d88e30f00f7</samlp:SessionIndex>
</samlp:LogoutRequest>

WordPress receives the following response:

https://Wordpresss/wp-login.php?saml_sls&SAMLResponse=xxxxxxxxxxxxxxxxxx&RelayState=http%3a%2f%2xxxxxxxxxxx&Signature=xxxxxxxxxxxxxx&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1
<samlp:LogoutResponse ID="_82eaf520-45f0-43b1-91f8-ed67bb81366b" Version="2.0" IssueInstant="2016-07-29T08:55:24.197Z" Destination="https://Wordpresss/wp-login.php?saml_sls" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_f8ac80d1746bde62ee37a6598b583df9415680fc" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxxxxxxxx/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" /></samlp:Status></samlp:LogoutResponse>

Then the "SLS endpoint found an error" message is displayed.

pitbulk commented 8 years ago

When you click logout at ADFS, the SAMLRequest is processed by the saml_sls method.

Since ADFS gets a reply back with a SAMLResponse, it seems that the SAMLRequest was successfully processed (processSLO executed, SAMLRequest validated, an attempt made to remove the WordPress session, and a SAMLResponse sent).

How are you storing the WordPress sessions? Maybe the problem is with OneLogin_Saml2_Utils::deleteLocalSession(), and the WordPress session keeps living.

When you refresh on WordPress, since it seems there is a problem when deleting the WordPress session, you see the user still logged in at WordPress. But if you click on log out, a SAMLRequest is sent to ADFS, and since there is no active session at ADFS, ADFS replies with a SAMLResponse saying that there is a problem (it was not able to log out), so the SAMLResponse contains a Status element with the "Requester" value instead of the "Success" value.

In order to fix the issue, let's provide to the processSLO method a callback to delete the session using the wp_logout method.

Here is the description of the processSLO method:

public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false, $cbDeleteSession = null, $stay=false)

So instead of using, at line 294,

$auth->processSLO(false, null, $retrieve_parameters_from_server);

let's use

$auth->processSLO(false, null, $retrieve_parameters_from_server, 'wp_logout');

wintercomic commented 8 years ago

Thank you for your reply.

Now WordPress can be logged out if I refresh the page or go to another page. If I click the logout button in WordPress, I still get the "SLS endpoint found an error" message.

pitbulk commented 8 years ago

The IdP-SLO flow should work after applying the patch I mentioned.

Is the SP-SLO flow not working? Open a new browser with clean sessions, log in and then click on the WordPress logout button. It should send a LogoutRequest to ADFS and ADFS should send a LogoutResponse. Check the StatusCode element of this LogoutResponse and let me know if you experience the "SLS endpoint found an error".

wintercomic commented 8 years ago

Both IdP-SLO and SP-SLO work after applying the patch.

I think it is a minor bug. If I log out in ADFS and refresh in WordPress, I am logged out in WordPress. The problem is that if the user immediately clicks the logout button in WordPress after IdP-SLO is processed, it will still send the request to ADFS and then get the "SLS endpoint found an error" message.
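The two behaviours discussed in this thread, pitbulk's callback fix and the stale-logout-button case wintercomic describes above, can both be handled in the plugin's SLS/logout handlers. The following is an added example written for this thread, not the wordpress-saml plugin's own code: it wires wp_logout into processSLO as the session-deletion callback, surfaces the php-saml error reason in the server log instead of the bare "SLS endpoint found an error" message, refuses to start an SP-initiated logout when WordPress no longer has a session, and treats a LogoutResponse with a non-Success status (reported by php-saml 2.x as 'logout_not_success') as "already logged out" locally. The function names saml_sls_handler and saml_sp_logout, the $settings array and the $retrieve_parameters_from_server flag are placeholders assumed here; OneLogin_Saml2_Auth, processSLO, logout, getErrors and getLastErrorReason are php-saml 2.x APIs, and wp_logout, is_user_logged_in, wp_safe_redirect and home_url are WordPress core functions.

```php
<?php
// Added example for this issue thread; not the plugin's own code.
// Assumed names: saml_sls_handler, saml_sp_logout, $settings (php-saml
// settings array), $retrieve_parameters_from_server (mirrors the plugin's
// "Retrieve Parameters From Server" option).

// Handles https://<wordpress>/wp-login.php?saml_sls for both directions:
//  - IdP-initiated: an incoming LogoutRequest is validated, the callback
//    destroys the local session, and a LogoutResponse is sent to the IdP.
//  - SP-initiated: an incoming LogoutResponse is validated and its status checked.
function saml_sls_handler(array $settings, $retrieve_parameters_from_server)
{
    $auth = new OneLogin_Saml2_Auth($settings);

    // 'wp_logout' replaces OneLogin_Saml2_Utils::deleteLocalSession(), which
    // only clears PHP's $_SESSION and leaves the WordPress auth cookie alive.
    $auth->processSLO(false, null, $retrieve_parameters_from_server, 'wp_logout');

    $errors = $auth->getErrors();
    if (empty($errors)) {
        return; // processSLO already redirected (IdP case) or succeeded (SP case)
    }

    // Keep the detail server-side; the browser only gets the generic message.
    error_log('SAML SLS error: ' . implode(', ', $errors)
        . ' (reason: ' . $auth->getLastErrorReason() . ')');

    if ($errors === array('logout_not_success')) {
        // The IdP answered a non-Success status (e.g. "Requester" because it
        // had no session for us). The user clicked logout, so the local
        // session must not survive; clear it and finish the logout.
        wp_logout();
        wp_safe_redirect(home_url());
        exit;
    }

    // Any other error (bad signature, wrong destination, expired request)
    // is a real failure and must not log anyone out or in.
    wp_die('SLS endpoint found an error');
}

// Wired to WordPress's logout action: starts SP-initiated SLO.
function saml_sp_logout(array $settings, $return_to)
{
    if (!is_user_logged_in()) {
        // IdP-SLO already ran wp_logout; the click came from a cached page
        // that still showed a "Logout" button. Sending a LogoutRequest now
        // would only earn a "Requester" status from ADFS, so skip it.
        wp_safe_redirect($return_to);
        exit;
    }

    $auth = new OneLogin_Saml2_Auth($settings);
    // Builds, signs (per the SP settings) and redirects the LogoutRequest;
    // ADFS will answer on the SLS endpoint handled by saml_sls_handler().
    $auth->logout($return_to);
}
```

The is_user_logged_in() guard is what removes the "minor bug" above: after IdP-SLO has destroyed the WordPress session, the logout click never reaches ADFS. The 'logout_not_success' branch covers the same race from the other side, for a browser that already had the LogoutRequest in flight, while keeping every other SLS validation error fatal, since a logout endpoint that silently ignores signature or destination failures is not one to trust.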

ninoskuflic commented 3 years ago

Hi, did you manage to solve this issue? If yes, could you please share how? :)

Thanks!