Closed dennismeissner closed 4 years ago
Sounds like you are using a Craft multi-site config (possibly similar to #72).
Step 1: If you specify the IdP UID for id.domain-2.com, you should be taken to id.domain-2.com. Please verify (double check) that this is happening.
Step 2: Also, until I figure out how to solve #72, you do need to configure an SP provider for each Craft site you are using SAML with. The dynamic Entity ID is an ID to simply tell the plugin which provider to use as itself/home/the SP provider. Then configure the IdP with the corresponding SP config. Is this how you have it configured? You should have 4 providers configured on the Craft side.
Hey @dsmrt,
Yes, I do have 2 Service Providers for each domain, and I do have 2 IdP entries.
Where in your code does the logout redirect happen? I could debug in there and see which domain is being called, just to make sure.
At the moment I can see: coming from domain-1.com -> ending in id.domain2.com
It happens in the core lib here: https://github.com/flipboxfactory/saml-core/blob/3.0.1/src/controllers/messages/AbstractLogoutController.php#L152
OK, if I request domain-2.com/sso/logout/request the destination URL is id.domain-1.com, which is fine because it is determined automatically.
If I request domain-1.com/sso/logout/request/
If I use domain-2.com/sso/logout/request/
-> I don't get into the request method at all.
Are you just getting a 404 here?
I wonder if my UID regex isn't working with your uid. Maybe the regex is too specific?
See https://github.com/flipboxfactory/saml-core/blob/3.0.1/src/AbstractPlugin.php#L312
Nope, in this case it does redirect to the correct IdP, but when redirecting to domain-1.com I don't get logged out locally.
Why does it not step into actionRequest?
Also checked the UUID regex. Looks like it is being matched. UID: 80cc685a-7ec2-4839-8e33-82a3fa619ca8
I'm not able to replicate this behavior. You should definitely be getting into the actionRequest. I might be a little confused at what is going on at this point. Maybe you can contact us here: https://www.flipboxdigital.com/contact
Then I might have you share a screen capture.
I have set up my entityId in saml-sp.php like this:

```php
<?php
// config/saml-sp.php: derive the SP entityId from the request scheme and host
return [
    'entityId' => $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . '/',
];
```

I can hit a breakpoint in \flipbox\saml\core\services\bindings\Factory::send(); it does redirect, but it is not called from \flipbox\saml\core\controllers\messages\AbstractLogoutController::actionRequest().
I will have a closer look tonight, but maybe I reach you tomorrow through the contact form.
Hey @dsmrt,
got it working, but it is totally weird.
I have this setting in my general.php config file:

```php
<?php
// config/general.php: choose the logout path (and thus the IdP UID) per host
return [
    'logoutPath' => (
        in_array($_SERVER['HTTP_HOST'], ['localdomain-2.com', 'domain-2.com']) ?
            '/sso/logout/request/' . getenv('SAML_DOMAIN_2_ID') :
            '/sso/logout/request/' . getenv('SAML_DOMAIN_1_ID')
    ),
];
```

If I remove this part completely and don't set any logoutPath in general.php, the /sso/logout/request/
If I add this part of the configuration, I land in some weird redirects.
No matter what... works, closed :D
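The two config snippets above derive both the SP entityId and the logoutPath from `$_SERVER['HTTP_HOST']` as the request presents it. The following is an added example, not code from the saml-sp plugin or from the thread author, showing a safer way to do the same thing: resolve the host against an explicit allow-list (so an unexpected or mistyped Host value cannot produce a new entityId or a broken logout path), normalise it before comparison, and only append an IdP UID when the environment variable actually holds a UUID. The host names, the env var names, the `SAML_SITE_MAP` constant and the `saml*` helper names are assumptions for illustration; the UUID pattern is my own and not the plugin's regex.

```php
<?php
// Added example (not from the saml-sp plugin or the issue author): resolve the
// SP entityId and Craft logoutPath from an explicit host allow-list instead of
// trusting $_SERVER['HTTP_HOST'] directly. Hosts, env var names and helper
// names are assumptions for illustration.

// Constructed allow-list: every host that may act as an SP, mapped to the
// scheme it is served on and the env var holding its IdP UID. Unknown hosts
// fall back to the first entry rather than minting an entityId from an
// arbitrary Host header.
const SAML_SITE_MAP = [
    'domain-1.com'      => ['scheme' => 'https', 'idpUidEnv' => 'SAML_DOMAIN_1_ID'],
    'domain-2.com'      => ['scheme' => 'https', 'idpUidEnv' => 'SAML_DOMAIN_2_ID'],
    'localdomain-2.com' => ['scheme' => 'http',  'idpUidEnv' => 'SAML_DOMAIN_2_ID'],
];

/**
 * Normalise the raw host (trim whitespace, lower-case, strip a trailing port)
 * and look it up in the allow-list. Returns [host, settings]; unknown hosts
 * map to the first configured entry.
 */
function samlResolveSite(string $rawHost, array $map = SAML_SITE_MAP): array
{
    $host = strtolower(trim($rawHost));
    $host = preg_replace('/:\d+$/', '', $host); // drop ":8080"-style port suffix
    if (isset($map[$host])) {
        return [$host, $map[$host]];
    }
    $first = array_key_first($map);
    return [$first, $map[$first]];
}

/** entityId for config/saml-sp.php, built only from allow-listed values. */
function samlEntityId(string $rawHost): string
{
    [$host, $site] = samlResolveSite($rawHost);
    return $site['scheme'] . '://' . $host . '/';
}

/** logoutPath for config/general.php, with the IdP UID appended only if valid. */
function samlLogoutPath(string $rawHost): string
{
    [, $site] = samlResolveSite($rawHost);
    $uid = getenv($site['idpUidEnv']);
    // Assumed UUID shape (the UID shown in the thread is a UUID). If the env var
    // is missing or malformed, leave the UID off so the plugin can pick the
    // provider automatically instead of redirecting to a broken path.
    if ($uid !== false && preg_match('/^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i', $uid)) {
        return '/sso/logout/request/' . $uid;
    }
    return '/sso/logout/request';
}

// Usage in config/saml-sp.php:
//   return ['entityId' => samlEntityId($_SERVER['HTTP_HOST'] ?? '')];
// Usage in config/general.php:
//   return ['logoutPath' => samlLogoutPath($_SERVER['HTTP_HOST'] ?? '')];
```

Because the lookup normalises the host before comparing, an entry such as `' localdomain-2.com'` with a stray leading space (which an exact `in_array` match would silently never hit) no longer sends the wrong site's UID to the logout controller, and a request carrying a host that is not one of your sites gets a known entityId rather than one echoed from the request.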
Dear @dsmrt,
I stumbled across an issue which I cannot resolve by myself. If I have 2 identity providers and am using a dynamic entityId, I cannot use SLO.
E.g.:
Scenario 1: Domain: domain-1.com, IdP: id.domain-1.com
Scenario 2: Domain: domain-2.com, IdP: id.domain-2.com
If I can give you any more details or whatever, please let me know.