catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2

Expose SPNameQualifier setting to the SAML settings #769

Closed jwalits closed 10 months ago

jwalits commented 10 months ago

Facing an issue when using the Oracle Identity Manager as the IdP. The user cannot log out of Moodle.

When debugging, we have come across the following response: Provider not part of the Affiliation

After some more testing/debugging in Moodle, we found that when sending the Logout request to the IdP, the SPNameQualifier and NameQualifier attributes are sent with the request. When we hacked the values deep in the SimpleSAML library to not send those attributes, this proved successful in logging the user out correctly.

Example logout request captured:

Unsuccessful

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_40bf2ce71cf77b761ce21ce025e51edc4eb6f6f29a"
                   Version="2.0"
                   IssueInstant="2023-08-22T04:05:01Z"
                   Destination="https://IdPdomain" >
   <saml:Issuer>https://moodledomain/auth/saml2/sp/metadata.php</saml:Issuer>
   <saml:NameID NameQualifier="https://moodledomain/auth/saml2/sp/metadata.php"
             SPNameQualifier="https://IdPdomain"
             Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" >validuser@email.com</saml:NameID>
   <samlp:SessionIndex>id-PIa8uv0MUJARF4baBPex90LLc2TOP3nQi9k7sHNH</samlp:SessionIndex>
</samlp:LogoutRequest>

Successful request

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_3172ae146a9c222241a190b343f69851edd867c2d5"
                     Version="2.0"
                     IssueInstant="2023-08-30T00:20:47Z"
                     Destination="https://IdPdomain"
                     >
    <saml:Issuer>https://moodledomain/auth/saml2/sp/metadata.php</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">validuser@email.com</saml:NameID>
    <samlp:SessionIndex>id-t4NmuHETnY4gQHS5UQwYXy2kv1HmXkbxdYBBT1tZ</samlp:SessionIndex>
</samlp:LogoutRequest>

Hoping to make this a setting in the SAML app, to expose setting/unsetting these attributes so the user can successfully log out.

Using the docs: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote.html - tried setting multiple config settings in https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/config/config.php or https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/config/authsources.php without any luck.

For testing, I had to edit the following lib files directly (might have been one more) https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php#L601 https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/simplesamlphp/modules/saml/lib/IdP/SAML2.php#L1270 https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/.extlib/simplesamlphp/modules/core/lib/Auth/Process/TargetedID.php#L151
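A small diagnostic for the situation described in this report, added here as an example; it is not part of auth_saml2 or SimpleSAMLphp. It parses a SAML 2.0 LogoutRequest, extracts the NameID and its qualifier attributes, and compares them field by field with the NameID the IdP is assumed to have issued in the original assertion (the `ISSUED_NAMEID` reference value below is an assumption, constructed to match the successful capture). The two captured requests from the report are embedded as test data. Function and variable names are the example's own. When running this against messages received from a party you do not control, parse with `defusedxml` rather than the stdlib parser.

```python
# Added diagnostic example (not project code). Shows which NameID
# qualifier attributes a SAML 2.0 LogoutRequest carries and where they
# differ from the NameID the IdP originally issued.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attributes that take part in NameID comparison alongside the text value.
NAMEID_ATTRS = ("Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")

# Constructed reference: the NameID as the IdP is assumed to have issued it
# (email-format, no qualifiers). Replace with the NameID from your own
# captured assertion when diagnosing a real deployment.
ISSUED_NAMEID = {
    "value": "validuser@email.com",
    "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "NameQualifier": None,
    "SPNameQualifier": None,
    "SPProvidedID": None,
}

# The two requests captured in the report, embedded as test input.
UNSUCCESSFUL_REQUEST = """
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_40bf2ce71cf77b761ce21ce025e51edc4eb6f6f29a"
                   Version="2.0"
                   IssueInstant="2023-08-22T04:05:01Z"
                   Destination="https://IdPdomain" >
   <saml:Issuer>https://moodledomain/auth/saml2/sp/metadata.php</saml:Issuer>
   <saml:NameID NameQualifier="https://moodledomain/auth/saml2/sp/metadata.php"
             SPNameQualifier="https://IdPdomain"
             Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" >validuser@email.com</saml:NameID>
   <samlp:SessionIndex>id-PIa8uv0MUJARF4baBPex90LLc2TOP3nQi9k7sHNH</samlp:SessionIndex>
</samlp:LogoutRequest>
"""

SUCCESSFUL_REQUEST = """
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_3172ae146a9c222241a190b343f69851edd867c2d5"
                     Version="2.0"
                     IssueInstant="2023-08-30T00:20:47Z"
                     Destination="https://IdPdomain"
                     >
    <saml:Issuer>https://moodledomain/auth/saml2/sp/metadata.php</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">validuser@email.com</saml:NameID>
    <samlp:SessionIndex>id-t4NmuHETnY4gQHS5UQwYXy2kv1HmXkbxdYBBT1tZ</samlp:SessionIndex>
</samlp:LogoutRequest>
"""


def nameid_from_logout_request(xml_text: str) -> dict:
    """Return the NameID value and qualifier attributes of a LogoutRequest.

    Absent attributes are reported as None so that "not sent" is
    distinguishable from "sent with an empty value".
    """
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)
    nameid = root.find("saml:NameID", NS)
    if nameid is None:
        raise ValueError("LogoutRequest carries no saml:NameID")
    info = {"value": (nameid.text or "").strip()}
    for attr in NAMEID_ATTRS:
        info[attr] = nameid.get(attr)
    return info


def nameid_mismatches(issued: dict, requested: dict) -> list:
    """List the NameID fields on which the LogoutRequest differs from the
    NameID the IdP issued. An empty list means the IdP should be able to
    match the request to the session it created."""
    fields = ("value",) + NAMEID_ATTRS
    return [f for f in fields if issued.get(f) != requested.get(f)]


if __name__ == "__main__":
    for label, req in (("unsuccessful", UNSUCCESSFUL_REQUEST),
                       ("successful", SUCCESSFUL_REQUEST)):
        found = nameid_from_logout_request(req)
        print(label, "NameID:", found)
        print(label, "mismatched fields:", nameid_mismatches(ISSUED_NAMEID, found))
```

Run it as-is and the unsuccessful capture is flagged on NameQualifier and SPNameQualifier while the successful one matches on every field, which is the comparison to run first when an IdP refuses a logout with a message like the one quoted above. Note also that in the failing capture NameQualifier names the SP and SPNameQualifier names the IdP; in SAML 2.0 NameQualifier is the namespace of the asserting party (the IdP) and SPNameQualifier that of the relying party (the SP), so the values are worth checking against the assertion you actually received, not only their presence.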

jwalits commented 10 months ago

We "fixed" this issue by setting "Expose Nameid as attribute" setting to "No" and exposing the email address as a regular field value in the saml response from the IdP side.

Probably no need for any further code changes at this stage.