boxyhq / jackson

🔥 Streamline your web application's authentication with Jackson, an SSO service supporting SAML and OpenID Connect protocols. Beyond enterprise-grade Single Sign-On, it also supports Directory Sync via the SCIM 2.0 protocol for automatic user and group provisioning/de-provisioning. 🤩
https://boxyhq.com/docs/jackson/overview
Apache License 2.0
1.78k stars 152 forks

mocksaml metadata doesn't have a SLO URL #2113

Open dnoliver opened 8 months ago

dnoliver commented 8 months ago

Found a bug? Please fill out the sections below. 👍

Issue Summary

A summary of the issue. This needs to be a clear detailed-rich summary.

Not sure if this is a bug! I am trying to use https://mocksaml.com as a mock for my IdP for single sign-on and single logout. I am using the metadata URL to configure my SAML library https://github.com/SAML-Toolkits/python3-saml. Because the https://mocksaml.com metadata file doesn't have an SLO item, my lib tells me that SLO is not supported by the IdP (which makes sense). But I also found some PRs and issues resolved related to SLO (https://github.com/boxyhq/jackson/pull/128, and https://github.com/boxyhq/saml20/issues/14), so I wanted to check if this is something that should be supported but is just missing from the public metadata file.

Steps to Reproduce

Well, for me, this is how I implemented SLO with the library I referenced. The last line of the snippet throws: onelogin.saml2.errors.OneLogin_Saml2_Error: The IdP does not support Single Log Out

    from onelogin.saml2.auth import OneLogin_Saml2_Auth
    from onelogin.saml2.idp_metadata_parser import OneLogin_Saml2_IdPMetadataParser

    def logout(self, request):
        """Initialize SAML logout"""
        req = self.__prepare_tornado_request(request)
        idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
            self.saml_idp_metadata, timeout=5
        )
        self.saml_settings["idp"] = idp_data["idp"]
        auth = OneLogin_Saml2_Auth(req, self.saml_settings)
        return auth.logout(name_id=None, session_index=None)

But also, a simple way to show this problem is just to go to https://mocksaml.com/api/saml/metadata, and check for the following missing properties:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<URL>"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="<URL>"/>

Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead?

I consider this a bug because I couldn't find docs saying whether mocksaml supports SLO or not, but I could find PRs and issues referencing the support for SLO. Maybe a "this service doesn't support SLO" note would be nice if that is the expectation.

Technical details

Thanks for doing this! It has been super helpful to develop and test SAML integration so far!
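As an added example (not code from this issue, from Mock SAML or from python3-saml), the check below inspects IdP metadata for SingleLogoutService entries before an SP attempts logout, so the "IdP does not support Single Log Out" condition is detected up front instead of surfacing as an exception. The metadata samples are constructed; the entity IDs and URLs are placeholders.

```python
"""Check whether SAML IdP metadata advertises Single Logout before using it."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def slo_endpoints(metadata_xml: str) -> dict:
    """Return {binding: location} per SingleLogoutService; empty means no SLO advertised."""
    root = ET.fromstring(metadata_xml)
    # .// also finds the descriptor when the IdP sits inside an EntitiesDescriptor
    idp = root.find(f".//{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    endpoints = {}
    for slo in idp.findall(f"{{{MD_NS}}}SingleLogoutService"):
        binding, location = slo.get("Binding"), slo.get("Location")
        if binding and location:
            endpoints[binding] = location
    return endpoints


def pick_slo_binding(metadata_xml: str, preferred=(REDIRECT, POST)):
    """First preferred SLO binding the IdP offers as (binding, url), or None."""
    endpoints = slo_endpoints(metadata_xml)
    for binding in preferred:
        if binding in endpoints:
            return binding, endpoints[binding]
    return None


# Constructed sample resembling Mock SAML's metadata: SSO advertised, no SLO.
METADATA_NO_SLO = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed variant with the two SingleLogoutService entries the issue asks for.
METADATA_WITH_SLO = METADATA_NO_SLO.replace(
    "</IDPSSODescriptor>",
    f'  <SingleLogoutService Binding="{POST}" Location="https://idp.example.test/slo"/>\n'
    f'  <SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/slo"/>\n'
    "</IDPSSODescriptor>",
)

if __name__ == "__main__":
    for name, md in (("no SLO", METADATA_NO_SLO), ("with SLO", METADATA_WITH_SLO)):
        print(name, "->", pick_slo_binding(md) or "SLO unsupported; skip SP-initiated logout")
```

With the real metadata, fetch https://mocksaml.com/api/saml/metadata and pass its text to pick_slo_binding; a None result means the SP should not offer SP-initiated logout against that IdP.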

deepakprabhakara commented 8 months ago

Thanks for reporting this, adding SLO to Mock SAML makes a lot of sense.

bool-dev commented 7 months ago

Hi folks, I would love some info on this; I can't see the SLO URL setting anywhere yet in the latest version.

deepakprabhakara commented 7 months ago

@bool-dev We haven't had the bandwidth to add this to https://github.com/boxyhq/mock-saml; we do invite PRs to add this :)