search

catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2
72 stars 134 forks source link

Alternative Logout URL stoped working when we upgraded to 3.7 #342

Closed rklingaman closed 4 years ago

rklingaman commented 5 years ago

Once we upgraded to 3.7 the Alternative Logout URL is no longer working is just defaults back to the homepage of Mooodle. We had set this go back to our SAML IDP so that it would log them out of Moodle but not the IDP.

Now it just keeps them logged into Moodle.

gregjor commented 4 years ago

Same problem.

rklingaman commented 4 years ago

Just did some more upgrades on our moodle and this plugin but still having this issue. Is there any way to make it so that moodle actually logs out when you click log out?

brendanheywood commented 4 years ago

Can you confirm that the Attempt IdP Signout auth_saml2 | attemptsignout serting is set to yes?

e-med commented 4 years ago

@brendanheywood I can confirm that in our instance (3.7) that is set to "yes" and we are experiencing the issue as well.

e-med commented 4 years ago

@brendanheywood we would love to get some guidance how to address this. Not having any luck getting a response from anyone, including catalyst.

e-med commented 4 years ago

@rklingaman were you ever able to get this addressed?

brendanheywood commented 4 years ago

I have just tested this:

1) with an alternate logout url + attemptsignout = yes then I get sent to the alternate logout page as expected. 2) if the alternate logout page is set + attemptsignout = no, then I do not get sent to the alternate logout page. I'm still undecided around what the correct behavior should actually be here.

I think what has gone on over time is differences of opinion in what these should conceptually mean, ie some people thing that:

a) 'alternate logout' should mean a page you go to instead of the saml idp logout b) and others are more like 'a page you go to after you have done a saml logout

@e-med it sounds like you are in camp 1) and also b) ? In which case I can't reproduce it?

e-med commented 4 years ago

Thanks @brendanheywood Our issue is that after what appears to be a successful logout Moodle tries to auth again and finds a live SAML session and logs the user back in. See attached debug file. saml logout debug.txt

brendanheywood commented 4 years ago

SLO is now implemented, I have also fixed the alternate url to be honored even when SLO is not attempted