flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

SLO not working properly #81

Closed dennismeissner closed 4 years ago

dennismeissner commented 4 years ago

Dear @dsmrt,

I stumbled across an issue which I cannot resolve by myself. If I have 2 identity providers and am using a dynamic entityId, I cannot use SLO.

E.g.:

Scenario 1: Domain: domain-1.com, IdP: id.domain-1.com

Scenario 2: Domain: domain-2.com, IdP: id.domain-2.com

If I can give you any more details or whatever, please let me know.

dsmrt commented 4 years ago

Sounds like you are using a Craft multi-site config (possibly similar to #72).

Step 1: If you specify the IdP UID for id.domain-2.com, you should be taken to id.domain-2.com. Please verify (double check) that this is happening.

Step 2: Also, until I figure out how to solve #72, you do need to configure a SP provider for each Craft site you are using SAML with. The dynamic Entity IDs is an ID to simply tell the plugin which provider to use as itself/home/the SP provider. Then configure the IdP with the corresponding SP config. Is this how you have it configured? You should have 4 providers configured on the Craft side.

dennismeissner commented 4 years ago

Hey @dsmrt,

Yes, I do have 2 Service Providers for each domain, and I do have 2 IdP entries.

Where in your code does the logout redirect happen? I could debug in there and see which domain is being called, just to make sure.

At the moment I can see: coming from domain-1.com -> ending in id.domain2.com

dsmrt commented 4 years ago

It happens in the core lib here: https://github.com/flipboxfactory/saml-core/blob/3.0.1/src/controllers/messages/AbstractLogoutController.php#L152

dennismeissner commented 4 years ago

OK, if I request domain-2.com/sso/logout/request the destination URL is id.domain-1.com, which is fine because it is determined automatically.

If I request domain-1.com/sso/logout/request/ -> I get into the request method, $theirProvider is correct

If I use domain-2.com/sso/logout/request/ -> I don't get into the request method at all

dsmrt commented 4 years ago

> if i use domain-2.com/sso/logout/request/ -> i don't get into request method at all

Are you just getting a 404 here?

dsmrt commented 4 years ago

I wonder if my UID regex isn't working with your uid. Maybe the regex is too specific?

See https://github.com/flipboxfactory/saml-core/blob/3.0.1/src/AbstractPlugin.php#L312

dennismeissner commented 4 years ago

Nope, in this case it does redirect to the correct IdP, but when redirecting to domain-1.com I don't get logged out locally.

Why does it not step into actionRequest?


Also checked the uuid regex. looks like it is being matched. UID: 80cc685a-7ec2-4839-8e33-82a3fa619ca8

dsmrt commented 4 years ago

I'm not able to replicate this behavior. You should definitely be getting into the actionRequest. I might be a little confused at what is going on at this point. Maybe you can contact us here: https://www.flipboxdigital.com/contact

Then I might have you share a screen capture.

dennismeissner commented 4 years ago

I have set up my entityId in saml-sp.php like this:

```php
<?php
// config/saml-sp.php: the SP entity ID is built from the request's scheme and Host header.
return [
    'entityId' => $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . '/',
];
```

I can get a breakpoint in \flipbox\saml\core\services\bindings\Factory::send(); it does redirect, but it is not called from \flipbox\saml\core\controllers\messages\AbstractLogoutController::actionRequest().

I will have a closer look tonight, but maybe I'll reach you tomorrow through the contact form.

dennismeissner commented 4 years ago

Hey @dsmrt,

Got it working, but it is totally weird.

I have this setting in my general.php config file:

```php
// Fragment of config/general.php: choose the IdP UID for the logout route by Host header.
'logoutPath' => (
    // NB: the leading space in ' localdomain-2.com' means that host never matches.
    in_array($_SERVER['HTTP_HOST'], [ ' localdomain-2.com', 'domain-2.com' ]) ?
        '/sso/logout/request/' . getenv('SAML_DOMAIN_2_ID') :
        '/sso/logout/request/' . getenv('SAML_DOMAIN_1_ID')
),
```

If I remove this part completely and don't set any logoutPath in general.php, the /sso/logout/request/ and also /sso/logout/request/ both work properly.

If I add this part of the configuration, I land in some weird redirects.

no matter what... works, closed :D
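Both config snippets in this thread derive the SP entity ID and the logout route from whatever arrives in the Host header. The following is an added example (my code, not the saml-sp plugin's or anything posted in this thread) that resolves both from an explicit host allow-list instead, so an unexpected Host value can neither become the entity ID nor select an IdP UID, and host normalisation catches the stray leading space seen above. It assumes PHP 7.4+, the hosts, entity IDs and env variable names shown, and that the helpers live in a file such as config/saml-helpers.php that the config files require_once.

```php
<?php
// Added example, not code from saml-sp or from this thread. It replaces the raw
// $_SERVER['HTTP_HOST'] concatenation with an explicit allow-list of hosts, so an
// unexpected Host header cannot become the SP entity ID or pick an IdP UID.
// Hosts, entity IDs and env variable names below are assumptions for illustration.

const SAML_SITES = [
    'domain-1.com'      => ['entityId' => 'https://domain-1.com/',      'idpUidEnv' => 'SAML_DOMAIN_1_ID'],
    'localdomain-2.com' => ['entityId' => 'https://localdomain-2.com/', 'idpUidEnv' => 'SAML_DOMAIN_2_ID'],
    'domain-2.com'      => ['entityId' => 'https://domain-2.com/',      'idpUidEnv' => 'SAML_DOMAIN_2_ID'],
];

// Lower-case, trim and drop a port so that ' Domain-2.com:8080' still matches;
// a stray leading space (as in ' localdomain-2.com' in the thread) would otherwise never match.
function samlNormalizeHost(string $host): string
{
    return preg_replace('/:\d+$/', '', strtolower(trim($host)));
}

// Site entry for an allow-listed host, or null for anything else.
function samlSiteFor(string $host): ?array
{
    return SAML_SITES[samlNormalizeHost($host)] ?? null;
}

// Entity ID for the SP; unknown hosts get the default site, never the header value.
function samlEntityId(string $host, string $default = 'https://domain-1.com/'): string
{
    $site = samlSiteFor($host);
    return $site === null ? $default : $site['entityId'];
}

// Logout path with the matching IdP UID appended. $lookup is getenv-like:
// it returns the UID string or false. Unknown host or unset UID -> plain route.
function samlLogoutPath(string $host, callable $lookup): string
{
    $site = samlSiteFor($host);
    $uid  = $site === null ? false : $lookup($site['idpUidEnv']);
    return '/sso/logout/request/' . ($uid ? $uid : '');
}

// Constructed environment for a stand-alone run (in Craft you would pass 'getenv').
$env = ['SAML_DOMAIN_1_ID' => 'uid-1-placeholder', 'SAML_DOMAIN_2_ID' => 'uid-2-placeholder'];
$lookup = fn (string $name) => $env[$name] ?? false;
echo samlEntityId(' Domain-2.com:8080'), PHP_EOL;       // https://domain-2.com/
echo samlLogoutPath('domain-2.com', $lookup), PHP_EOL;   // /sso/logout/request/uid-2-placeholder
echo samlLogoutPath('evil.example', $lookup), PHP_EOL;   // /sso/logout/request/
```

In config/general.php this becomes `'logoutPath' => samlLogoutPath($_SERVER['HTTP_HOST'] ?? '', 'getenv')`, and in config/saml-sp.php `'entityId' => samlEntityId($_SERVER['HTTP_HOST'] ?? '')`.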