Closed jwalits closed 10 months ago
We "fixed" this issue by setting the "Expose Nameid as attribute" setting to "No" and exposing the email address as a regular field value in the SAML response from the IdP side.
Probably no need for any further code changes at this stage.
Facing an issue when using the Oracle Identity Manager as the IdP. The user cannot log out of Moodle.
When debugging, we have come across the following response: Provider not part of the Affiliation
After some more testing/debugging in Moodle, we found that when sending the Logout request to the IdP, the SPNameQualifier and NameQualifier attributes are sent with the request. When we hacked the values deep in the SimpleSAML library to not send those attributes, this proved successful in logging the user out correctly.
Example logout request captured:
Unsuccessful
Successful request
Hoping to make this a setting in the SAML app, to expose setting/unsetting these attributes so the user can successfully log out.
Using the docs (https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote.html), I tried setting multiple config settings in https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/config/config.php or https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/config/authsources.php without any luck.
For testing, I had to edit the following lib files directly (might have been one more) https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php#L601 https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/simplesamlphp/modules/saml/lib/IdP/SAML2.php#L1270 https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/simplesamlphp/modules/core/lib/Auth/Process/TargetedID.php#L151
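The two captured requests referred to above are not reproduced in the issue text, so the following added example (not code from the issue, from auth_saml2 or from SimpleSAMLphp) shows what the difference looks like on the wire: it builds a minimal SAML 2.0 LogoutRequest whose NameID either carries or omits the NameQualifier and SPNameQualifier attributes, reports which qualifier attributes a captured request contains, and produces an unqualified copy for comparison. The entity IDs, endpoint, message ID and NameID value are constructed placeholders, and the messages are unsigned; a real LogoutRequest is normally signed, so the qualifiers have to be left out when the SP builds the message rather than stripped afterwards.

```python
"""
Added example, not part of the original issue or of auth_saml2/SimpleSAMLphp.
Builds and inspects minimal (unsigned) SAML 2.0 LogoutRequest messages so the
effect of the NameID qualifier attributes can be seen directly.
"""
import xml.etree.ElementTree as ET

NS_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
QUALIFIER_ATTRS = ("NameQualifier", "SPNameQualifier")

# Keep the conventional samlp:/saml: prefixes when serialising.
ET.register_namespace("samlp", NS_PROTOCOL)
ET.register_namespace("saml", NS_ASSERTION)

# Constructed placeholder values (not from the issue).
IDP_ENTITY_ID = "https://idp.example/metadata"
SP_ENTITY_ID = "https://moodle.example/auth/saml2/sp/metadata.php"
SLO_ENDPOINT = "https://idp.example/slo"


def build_logout_request(sp_entity_id, name_id, with_qualifiers):
    """Return a LogoutRequest as XML text.

    with_qualifiers=True mimics the request the issue calls "unsuccessful":
    the NameID carries NameQualifier and SPNameQualifier.
    with_qualifiers=False mimics the "successful" request: bare NameID only.
    """
    root = ET.Element(f"{{{NS_PROTOCOL}}}LogoutRequest", {
        "ID": "_placeholder-request-id",        # constructed
        "Version": "2.0",
        "IssueInstant": "2021-01-01T00:00:00Z",  # constructed
        "Destination": SLO_ENDPOINT,
    })
    ET.SubElement(root, f"{{{NS_ASSERTION}}}Issuer").text = sp_entity_id
    name_id_attrs = {"Format": EMAIL_FORMAT}
    if with_qualifiers:
        name_id_attrs["NameQualifier"] = IDP_ENTITY_ID
        name_id_attrs["SPNameQualifier"] = sp_entity_id
    ET.SubElement(root, f"{{{NS_ASSERTION}}}NameID", name_id_attrs).text = name_id
    return ET.tostring(root, encoding="unicode")


def _find_name_id(root):
    name_id = root.find(f"{{{NS_ASSERTION}}}NameID")
    if name_id is None:
        raise ValueError("LogoutRequest has no saml:NameID child")
    return name_id


def name_id_qualifiers(xml_text):
    """Return the qualifier attributes present on the NameID of a captured
    LogoutRequest as a dict (empty when the NameID is unqualified)."""
    name_id = _find_name_id(ET.fromstring(xml_text))
    return {k: v for k, v in name_id.attrib.items() if k in QUALIFIER_ATTRS}


def strip_name_id_qualifiers(xml_text):
    """Return a copy of the request whose NameID has no qualifier attributes.
    Only meaningful for comparing unsigned captures: editing a signed message
    invalidates its signature."""
    root = ET.fromstring(xml_text)
    name_id = _find_name_id(root)
    for attr in QUALIFIER_ATTRS:
        name_id.attrib.pop(attr, None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    qualified = build_logout_request(SP_ENTITY_ID, "user@example.org", True)
    bare = build_logout_request(SP_ENTITY_ID, "user@example.org", False)
    print("qualified NameID:", name_id_qualifiers(qualified))
    print("bare NameID:     ", name_id_qualifiers(bare))
    print(strip_name_id_qualifiers(qualified))
```

Running `name_id_qualifiers` over a decoded LogoutRequest taken from the SP's outgoing traffic is a quick way to confirm whether the request the IdP rejects actually carries the two attributes, before digging into the SP.php / SAML2.php / TargetedID.php code paths linked above.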