chrodriguez / redmine_omniauth_saml

Plugin that adds SAML authentication support for Redmine
GNU General Public License v2.0
38 stars 57 forks

Logout function not working #10

Open parakrama opened 8 years ago

parakrama commented 8 years ago

Hi

SSO works perfectly fine, but when a user tries to sign out from Redmine, it does not work.

saml.rb file:

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redminesso.ihk.com/auth/saml/callback", # The redmine application hostname
    :issuer                         => "https://redminesso.ihk.com",                 # The issuer name
    :idp_sso_target_url             => "https://172.16.2.14:9443/samlsso", # SSO login endpoint
    :idp_cert_fingerprint           => "6B F8 E1 36 EB 36 D4 A5 6E A0 5C 7A E4 B9 A4 5B 63 BF 97 5D", # SSO ssl certificate fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :signout_url                    => "https://172.16.2.14:9443/samlsso",
    :idp_slo_target_url             => "https://172.16.2.14:9443/samlsso",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
       :login      => 'http://wso2.org/claims/emailaddress',
       :firstname  => 'http://wso2.org/claims/givenname',
       :lastname   => 'http://wso2.org/claims/lastname',
       :mail       => 'http://wso2.org/claims/emailaddress'
    }
  }

  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

The authentication SAML response properly has the SessionIndex value:

            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-05-14T13:37:03.639Z"
                          NotOnOrAfter="2016-05-14T13:42:03.639Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://redminesso.ihk.com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2016-05-14T13:37:03.641Z"
                              SessionIndex="2fffb2d6-38b9-453a-ac73-e99a4bb06487">
            <saml2:AuthnContext>

But the generated LogoutRequest does not have the SessionIndex value:

<samlp:LogoutRequest Destination="https://172.16.2.14:9443/samlsso"
                     ID="_eb506f40-fc06-0133-8f7c-0050569a3be9"
                     IssueInstant="2016-05-14T13:37:26Z"
                     Version="2.0"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <saml:Issuer>https://redminesso.ihk.com</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mail</saml:NameID>
</samlp:LogoutRequest>

And on the IdP side it prints the following log:

TID: [-1234] [] [2016-05-14 19:07:26,101] ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitLogoutRequestProcessor} -  Session Index validation for Logout Request failed. Received: [null]. Expected: [2fffb2d6-38b9-453a-ac73-e99a4bb06487]

Can you please advise regarding this? Is it due to a misconfiguration of saml.rb, or is it due to a bug?

parakrama commented 8 years ago

Hi, and one more thing:

In the logout request it needs to send the user's mail address in the field

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mail</saml:NameID>

instead of "mail"

Is there any reason for that?

Thank You

chrodriguez commented 8 years ago

I know, but there are some issues in the gem dependencies to be solved. I'll check them. Thanks for your help!

rozmarbeka commented 8 years ago

I configured the logout URLs, but if I click on the logout link an AuthnRequest is sent to the SSO.

<samlp:AuthnRequest
    AssertionConsumerServiceURL='http://issues.bud01.atlasoft.lan'
    Destination='http://auth.bud01.atlasoft.lan/simplesaml/saml2/idp/SSOService.php'
    ID='_11fac030-7f56-0134-5ce0-126d35dbd279'
    IssueInstant='2016-10-28T16:04:03Z'
    Version='2.0'
    xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'
    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
    <saml:Issuer>http://issues.bud01.atlasoft.lan</saml:Issuer>
    <samlp:NameIDPolicy
        AllowCreate='true'
        Format='urn:oasis:names:tc:SAML:2.0:nameid-format:email'/>
</samlp:AuthnRequest>

Did you have a similar issue, or have any idea why?

triplem commented 7 years ago

I do have the same issue. I would accept a dirty workaround in which this field is always filled with the mail field. Is this possible?

pitbulk commented 7 years ago

Hi @chrodriguez, if there is any issue related to ruby-saml, please let me know.

In order to execute a Single Logout Request with NameID and SessionIndex, all you need to do is to save in the session at the Assertion Consumer Service endpoint the SessionIndex, NameId value and NameIdFormat.

You can retrieve them using:

Later when you are generating a LogoutRequest, you need to pass those stored values to the constructor by the settings object:

So in the sp_logout_request method, after getting a copy of the omniauth_saml_settings at settings, update that object with the values previously mentioned with the values stored on the session.

chrodriguez commented 7 years ago

I'm really busy at the moment... Can you contribute to the plugin by writing the necessary code and creating a pull request?