flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

SSO Logout: Only works with general config sameSiteCookieValue('None') #207

Open d--j opened 8 months ago

d--j commented 8 months ago

If one sets sameSiteCookieValue to anything other than None (including null, the default, in modern browsers; see web.dev), SLO logout does not work.

Since the logout uses the session to store the SAML message ID, the SLO response will fail at this line: https://github.com/flipboxfactory/saml-core/blob/d97a39bb23ef0b910b78c7f7463fb5e5b11164e9/src/controllers/messages/AbstractLogoutController.php#L73. The SAML response will come from an external request, so the session cookie will not be available for this action.

You might want to add this information to the documentation.

I only changed the session cookie sameSite via config/app.web.php:

<?php
// config/app.web.php: overrides applied to web requests only
return [
    'components' => [
        // The session cookie needs to be SameSite=None otherwise the SSO logout does not work
        'session' => function() {
            // Start from Craft's default session component configuration
            $config = craft\helpers\App::sessionConfig();
            // Override only the cookie's SameSite attribute
            $config['cookieParams']['sameSite'] = 'None';
            return Craft::createObject($config);
        },
    ],
];
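The comment above describes why the logout breaks: the LogoutResponse reaches the SP from the IdP's origin, and a session cookie that is Lax (the modern default) or Strict is not attached to a cross-site top-level POST, so the controller cannot find the message ID it stored. The following is an added example, not code from saml-sp or Craft CMS, that models the browser's SameSite rule and applies it to that round trip. The host names, the cookie shape and the assumption that the IdP returns the LogoutResponse over the HTTP-POST binding are all assumptions made for the example; it also covers the HTTP-Redirect (GET) case to show where the rule differs.

```javascript
// Added example (not from saml-sp or Craft CMS): a model of the browser's
// SameSite cookie rule, applied to the SP-initiated Single Logout round trip
// described in the issue. Host names and bindings are assumptions.

const SP_HOST = "craft.example.com";  // assumed Craft/SP host
const IDP_HOST = "idp.example.org";   // assumed IdP host

// Real browsers compare registrable domains ("sites"); plain host equality is
// enough for two unrelated domains.
function isSameSite(a, b) {
  return a === b;
}

// Decide whether the browser attaches a cookie to a request.
//   cookie:  { sameSite: "Strict" | "Lax" | "None" | null, secure, ageSeconds }
//   request: { initiatorHost, targetHost, method, topLevel }
// Rules (RFC 6265bis): Strict never crosses sites; Lax crosses only on a
// top-level navigation with a safe method; None crosses but must be Secure.
// A cookie with no attribute is treated as Lax by modern browsers, except
// for Chrome's "Lax-allowing-unsafe" grace period: for 2 minutes after being
// set it is still sent on cross-site top-level POSTs.
function cookieSent(cookie, request) {
  if (isSameSite(request.initiatorHost, request.targetHost)) return true;
  const secure = cookie.secure !== false;
  const age = cookie.ageSeconds ?? Infinity;
  const effective = cookie.sameSite ?? "Lax";
  switch (effective) {
    case "Strict":
      return false;
    case "Lax": {
      if (!request.topLevel) return false;
      if (request.method === "GET" || request.method === "HEAD") return true;
      return cookie.sameSite == null && age <= 120; // Chrome grace period only
    }
    case "None":
      return secure; // SameSite=None without Secure is rejected outright
    default:
      throw new Error(`unknown SameSite value: ${effective}`);
  }
}

// SP-initiated SLO as seen by the browser:
//  1. The SP stores the LogoutRequest ID in its PHP session (the session
//     cookie was set same-site earlier) and redirects the browser to the IdP.
//  2. The IdP sends the browser back to the SP's SLO endpoint with the
//     LogoutResponse. With the HTTP-POST binding this is a cross-site
//     top-level POST; with HTTP-Redirect it is a cross-site top-level GET.
function logoutResponseRequest(binding) {
  return {
    initiatorHost: IDP_HOST,
    targetHost: SP_HOST,
    method: binding === "HTTP-POST" ? "POST" : "GET",
    topLevel: true,
  };
}

// Can the SP's SLO controller read the session (and thus the stored message
// ID) when the LogoutResponse arrives?
function sloSessionAvailable(sessionCookie, binding = "HTTP-POST") {
  return cookieSent(sessionCookie, logoutResponseRequest(binding));
}

// Summarise every SameSite setting against both bindings.
function sloMatrix() {
  const out = {};
  for (const s of [null, "Lax", "Strict", "None"]) {
    const cookie = { sameSite: s, secure: true };
    out[String(s)] = {
      "HTTP-POST": sloSessionAvailable(cookie, "HTTP-POST"),
      "HTTP-Redirect": sloSessionAvailable(cookie, "HTTP-Redirect"),
    };
  }
  return out;
}

console.table(sloMatrix());
```

Two practical points follow from the model. First, SameSite=None is only honoured when the cookie is also Secure, so the override above only helps on an HTTPS site; check the Set-Cookie header in the browser's devtools after applying it. Second, SameSite=None gives up the cookie-level CSRF mitigation, so the message-ID check the issue points at (the stored request ID matched against the incoming response) is what stops a forged LogoutResponse from ending a session; leave it in place. Per the SameSite rule, a LogoutResponse returned over the HTTP-Redirect binding would arrive as a top-level GET and a Lax cookie would survive it; whether that is an option depends on the IdP and plugin configuration and is not verified here.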
dsmrt commented 8 months ago

Thanks for the detailed and concise issue. This seems like a good thing to document like you recommended so thanks for sharing. I’m going to do some validation and update things here.

dsmrt commented 7 months ago

Hey @d--j ,

I'm actually not able to replicate this. Do I have this configured right to replicate what you're seeing?

Here is my config/app.php:

<?php
use craft\helpers\App;

return [
    'components' => [
        'session' => function() {
            // Craft's default session config with only the SameSite attribute overridden
            $config = App::sessionConfig();
            $config['cookieParams']['sameSite'] = 'None';
            return Craft::createObject($config);
        },
    ],
    'id' => App::env('CRAFT_APP_ID') ?: 'CraftCMS',
];

SLO is working for me as expected.

dsmrt commented 7 months ago

Also, I added a Twig helper for the logout URL. See some docs here: https://saml-sp.flipboxfactory.com/configure/logout.html#twig-logout-url-extension