flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

When CraftCMS Logout Variable is updated to /sso/logout/request, no SLO occurs #8

Closed AANP-ITSupport closed 6 years ago

AANP-ITSupport commented 6 years ago

It's me again!

In CraftCMS's config/general.php, you can set the login and logout URL paths for use in templates.

<?php

return [
    // Global settings
    '*' => [
        // Default Week Start Day (0 = Sunday, 1 = Monday...)
        'defaultWeekStartDay' => 0,

        // Enable CSRF Protection (recommended)
        'enableCsrfProtection' => true,

        // Whether generated URLs should omit "index.php"
        'omitScriptNameInUrls' => true,

        // Control Panel trigger word
        'cpTrigger' => 'XXXXXXXXXXXXX',

        // The secure key Craft will use for hashing and encrypting data
        'securityKey' => getenv('SECURITY_KEY'),

        // Front-end login path; also the value of the {{ loginUrl }} Twig variable
        'loginPath' => '/sso/login/request',

        // Front-end logout path; also the value of the {{ logoutUrl }} Twig variable
        'logoutPath' => '/sso/logout/request',
    ],
];

Example Twig Template usage:

<a href="{{ loginUrl }}">Login</a> <a href="{{ logoutUrl }}">Logout</a>

I updated the loginPath and logoutPath to point to /sso/login/request and /sso/logout/request, and this affects the Twig variables loginUrl and logoutUrl.

The Login process works just fine.

The Logout process seems to just skip over the entire SAML SP Logout process, but it does log out of Craft. I can tell it's not hitting the IdP for logout (no redirects). I have triple checked and the URL is set to /sso/logout/request when I click it.

BUT - If I remove the configuration in general.php for logoutPath, AND change from using the twig variable {{ logoutUrl }} to "/sso/logout/request"

<a href="/sso/logout/request">Logout</a>

It works just fine.

The important part is removing the configuration setting in general.php. If it's set to /sso/logout/request, then even manually entering the URL in the browser to /sso/logout/request doesn't work.

Obviously I can just set it manually or create a non-standard global variable to use throughout my templates. ( {{ ssoLogoutUrl }} )

Somewhere along the way, Craft is intercepting the SLO request, and treating it as a "normal" logout request.

Not sure if that is "working as expected" or not. Definitely needs some clarification as I can bet this is how most individuals would go about setting up their systems.

dsmrt commented 6 years ago

Hey You!

I think I tested that at one point and discovered the same thing.

I've been doing what you are doing by pointing to the request endpoint directly, BUT it might be nice for the plugin to provide a Twig variable so you aren't just hard-coding that. Who knows, that might change or be customizable.

Doing the <a href="/sso/logout/request">Logout</a> button/link is actually what I suggest in the documentation (see https://flipboxfactory.github.io/saml-sp/configure/logout/). So I'm glad that is working for you.

So this is working as intended. Hopefully this helps. I'll add an issue for the plugin variable so you can pull the SSO endpoints.

Thanks for the feedback!
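Both comments above land on the same workaround: leave Craft's logoutPath alone and give templates their own variable for the plugin's logout endpoint (the reporter's {{ ssoLogoutUrl }}, or the plugin-provided variable dsmrt proposes). The security reason this matters is that when Craft's own users/logout action answers the request, only the local Craft session is destroyed; the IdP session is never terminated, so the next click on the login link re-authenticates the user silently. The following is an added example, not code from the saml-sp plugin or from either participant: a minimal Craft 3 site module that registers a Twig extension exposing {{ ssoLoginUrl }} and {{ ssoLogoutUrl }}. The module id "site-module", the namespace modules\SiteModule and the class names are assumptions; the /sso/login/request and /sso/logout/request paths are the plugin endpoints named in the thread.

```php
<?php
/**
 * Added example (not code from the saml-sp plugin or this thread).
 *
 * A Craft 3 site module that exposes the SAML SP request endpoints as Twig
 * globals, so templates can write {{ ssoLogoutUrl }} instead of hard-coding
 * "/sso/logout/request", and without setting Craft's own 'logoutPath' to
 * that value. If 'logoutPath' equals the plugin's logout path, Craft
 * handles the request itself as the users/logout action and the plugin's
 * SLO controller never runs, which is the behaviour reported above.
 *
 * Assumptions (hypothetical): module id "site-module", namespace
 * modules\SiteModule, and that the plugin's endpoints live at
 * sso/login/request and sso/logout/request as documented in the thread.
 */

namespace modules;

use Craft;
use craft\helpers\UrlHelper;
use Twig\Extension\AbstractExtension;
use Twig\Extension\GlobalsInterface;
use yii\base\Module;

class SiteModule extends Module
{
    public function init()
    {
        // Let Craft resolve the @modules alias to this directory.
        Craft::setAlias('@modules', __DIR__);
        parent::init();

        // Only front-end (site) requests render the templates that use
        // these links; control-panel requests do not need the globals.
        if (Craft::$app->getRequest()->getIsSiteRequest()) {
            Craft::$app->getView()->registerTwigExtension(new SsoUrlExtension());
        }
    }
}

/**
 * Twig extension providing the SSO endpoint URLs as globals. In a real
 * module this class would sit in its own file under the same namespace.
 */
class SsoUrlExtension extends AbstractExtension implements GlobalsInterface
{
    // Relative site paths of the SAML SP plugin's request endpoints
    // (assumed from the thread; keep them in one place so a change to the
    // plugin's routing is a one-line edit here).
    const LOGIN_PATH  = 'sso/login/request';
    const LOGOUT_PATH = 'sso/logout/request';

    public function getGlobals(): array
    {
        return [
            // UrlHelper::siteUrl() builds an absolute URL for the current
            // site, so the link is correct in multi-site installs too.
            'ssoLoginUrl'  => UrlHelper::siteUrl(self::LOGIN_PATH),
            'ssoLogoutUrl' => UrlHelper::siteUrl(self::LOGOUT_PATH),
        ];
    }
}
```

To activate the module, register and bootstrap it in config/app.php (`'modules' => ['site-module' => modules\SiteModule::class]`, `'bootstrap' => ['site-module']`) and, in config/general.php, do not set 'logoutPath' to the plugin's logout path. Templates then use `<a href="{{ ssoLogoutUrl }}">Logout</a>`, and a quick check that SLO is actually happening is to watch the browser's network tab for the redirect to the IdP after the click; a logout that ends on the Craft site with no IdP round trip means Craft's own logout handler answered the request.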

dsmrt commented 6 years ago

@AANP-ITSupport feel free to track the issue above and add any input there.