Single Sign off, is not working!!

[naamaan]

Describe the bug The single sign off feature is not signing out the user from other applications opened sessions!

To Reproduce

• Linking our Moodle 3.10 (as SP) and an PHP application (as another SP) to single IDP,
• Enabling the Single Sign Off options in the plugin settings,
• Logging out of Moodle is working, but it doesn't affects the other application?!

Expected behavior Logging out of all applications not only the Moodle.

Any help please,

[mfprimo]

Hi, Single Logout (SLO) is a tricky subject. Please ensure you fully understand how SLO works, then using a SAML tracer plugin (or the browser developer tools) check that:

• after the click on "Logout" you should open the /login/logout.php Moodle page and then be redirected to your IdP SLO service endpoint
• your IdP should redirect to each SLO endpoint of SP you are logged in
• then you should return to first Moodle site If this not happens, probably your metatada are incorrect. Note that if the application protected by your SP hasn't a way to link local SSO session killing with the application session one, SLO will not work as you expected: application session will remain alive, but a new SSO authentication will fail.

However, due to some change in both SimpleSAMLPHP and Moodle libraries, the SLO feature require an update.

[naamaan]

Hi, and first of all, thanks a lot for your declaration,

But let me understand the following, shouldn't this option 'Single Sign Off' in the settings page do this trick for us? If not, what is its purpose?

Is there any extra settings we should do in the IDP configuration to activate this 'Single Sign Off' option?

Best regards,

[mfprimo]

The option "Single Sign Off" enable Moodle to ask to the IdP to start a Single LogOut (in SAML idiom) process.

If you use the browser developer tools and after clicking on "Logout" you can see a HTTP request for your IdP with a parameter ?SAMLRequest=.... the problem is not in the plugin because is up to the IdP to contact all SP involved to trigger session destroy. If the SLO request for the IdP doesn't start, please report all HTTP operations you can see.

There are several possible reason why sessions in other application are still alive:

• the application is not design to work in a SSO context and it doesn't expose an endpoint to IdP or an handle to SP library capable to kill sessions: this is a frequent case; even Moodle with our plugin behaves in this way because architectural mismatch between Moodle and SimpleSAMLphp, and so does Drupal, many Shibboleth-enable applications, etc...
• SP metadata are incorrect and the IdP doesn't send the LogoutRequest to the application
• session is actualy killed, but a wrong interaction with the SP module result in a new silent login
• if you develop the PHP application using SimpleSAMLphp or other SAML libraries, you can check that one of these are true: use the same session manager of the SP library or in case of SimpleSAMLphp, register a logoutHandler or ** check for every page if the SSO session is still alive

[naamaan]

Hi,

Clicking the "Logout" didn't produce HTTP request for the IdP with a parameter ?SAMLRequest=....

Please see the exported file from the developer tool llc.svuonline.org.har.zip

Also, logging out didn't leave any trace into neither the IDP nor the SP log files!!??

[naamaan]

Hi,

Please notice that the request for the IdP with a parameter ?SAMLRequest=.... appears when trying to logout from the default SP "Logout button", which is BTW the same SP our Moodle is connected to! What might this infer?

And here is the log registered in the SP and IDP log files when doing the logout:

The SP log

Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Session: doLogout('default-sp')
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Session: 'default-sp' not valid because we are not authenticated.
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Saved state: '_4c01bc6c3dfd656b601a85ce1b9cb22caae009a6ae'
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Sending message:
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_931655f43891da6b1b8c763725b052fb87285c5a00" Version="2.0" IssueInstant="2021-09-02T21:18:30Z" Destination="https://llc.svuonline.org/sso/saml2/idp/SingleLogoutService.php">
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0]   <saml:Issuer>https://llc.svuonline.org/sp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0]   <saml:NameID SPNameQualifier="https://llc.svuonline.org/sp/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_068851484a9556d9e89986d11aa2fa6c58f355e50f</saml:NameID>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0]   <samlp:SessionIndex>_f6ee89465ff84b3b6fbbf9c44bb0c4047a3921f669</samlp:SessionIndex>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] </samlp:LogoutRequest>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Redirect to 689 byte URL: https://llc.svuonline.org/sso/saml2/idp/SingleLogoutService.php?SAMLRequest=lZJRi9wgFIX%...3D%3D&RelayState=_4c01bc6c3dfd656b601a85ce1b9cb22caae009a6ae
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Received message:
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_72166482fea34d699310664598519be0d30565fb1e" Version="2.0" IssueInstant="2021-09-02T21:18:30Z" Destination="https://llc.svuonline.org/sp/module.php/saml/sp/saml2-logout.php/default-sp" InResponseTo="_931655f43891da6b1b8c763725b052fb87285c5a00">
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0]   <saml:Issuer>https://llc.svuonline.org/sso/saml2/idp/metadata.php</saml:Issuer>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0]   <samlp:Status>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0]   </samlp:Status>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] </samlp:LogoutResponse>
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Loading state: '_4c01bc6c3dfd656b601a85ce1b9cb22caae009a6ae'
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Deleting state: '_4c01bc6c3dfd656b601a85ce1b9cb22caae009a6ae'
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Localization: using old system
Sep 03 00:18:30 ssp-sp DEBUG [5aae42dcb0] Translate: Reading dictionary [/var/sspsp/dictionaries/logout]

The IDP log

Sep 03 00:18:30 ssp-idp INFO [9affd1a304] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Received message:
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_931655f43891da6b1b8c763725b052fb87285c5a00" Version="2.0" IssueInstant="2021-09-02T21:18:30Z" Destination="https://llc.svuonline.org/sso/saml2/idp/SingleLogoutService.php">
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304]   <saml:Issuer>https://llc.svuonline.org/sp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304]   <saml:NameID SPNameQualifier="https://llc.svuonline.org/sp/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_068851484a9556d9e89986d11aa2fa6c58f355e50f</saml:NameID>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304]   <samlp:SessionIndex>_f6ee89465ff84b3b6fbbf9c44bb0c4047a3921f669</samlp:SessionIndex>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] </samlp:LogoutRequest>
Sep 03 00:18:30 ssp-idp INFO [9affd1a304] Received SAML 2.0 LogoutRequest from: 'https://llc.svuonline.org/sp/module.php/saml/sp/metadata.php/default-sp'
Sep 03 00:18:30 ssp-idp NOTICE STAT [9affd1a304] saml20-idp-SLO spinit https://llc.svuonline.org/sp/module.php/saml/sp/metadata.php/default-sp https://llc.svuonline.org/sso/saml2/idp/metadata.php
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Saved state: '_5af61843c165bcaaebb2906ac0f1373c0f5b20f15e'
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Session: Valid session found with 'llc-sql'.
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Session: doLogout('llc-sql')
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Session: 'llc-sql' not valid because we are not authenticated.
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Loading state: '_5af61843c165bcaaebb2906ac0f1373c0f5b20f15e'
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Sending logout response to SP 'https://llc.svuonline.org/sp/module.php/saml/sp/metadata.php/default-sp'
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Sending message:
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_72166482fea34d699310664598519be0d30565fb1e" Version="2.0" IssueInstant="2021-09-02T21:18:30Z" Destination="https://llc.svuonline.org/sp/module.php/saml/sp/saml2-logout.php/default-sp" InResponseTo="_931655f43891da6b1b8c763725b052fb87285c5a00">
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304]   <saml:Issuer>https://llc.svuonline.org/sso/saml2/idp/metadata.php</saml:Issuer>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304]   <samlp:Status>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304]   </samlp:Status>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] </samlp:LogoutResponse>
Sep 03 00:18:30 ssp-idp DEBUG [9affd1a304] Redirect to 598 byte URL: https://llc.svuonline.org/sp/module.php/saml/sp/saml2-logout.php/default-sp?SAMLResponse=fZJNa8MwDIb%....2FfZPcF&RelayState=_4c01bc6c3dfd656b601a85ce1b9cb22caae009a6ae

Best regards,