handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License

"SLO Endpoint missing..." warning with GSuite #44

Open hodak opened 5 years ago

hodak commented 5 years ago

I can successfully connect samly with GSuite SAML app, but I receive a warning when starting a server:

[warn] [Samly] SLO Endpoint missing in [nil]

I'm not an expert on the SAML specification, but this is the metadata XML file that's downloadable from G Suite:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C037nq81l" validUntil="2023-06-21T10:53:36.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xxx</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=C037nq81l"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C037nq81l"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Since it works fine, is this warning necessary?

Related issue: https://github.com/handnot2/samly/issues/36

handnot2 commented 5 years ago

Edited title to change "error" to "warning".

The entity descriptor XML you included shows that the "Single Logout" (SLO) endpoint is not included. This indicates that you cannot initiate a "single logout" from your application. This is a scenario where the same end user is working with multiple applications that participate in a "single sign-on" with that IdP. SLO initiated from an application could be propagated to other applications that the end user is currently signed into, depending on how the IdP is set up. Since there is no SLO endpoint in the IdP metadata XML, the logout initiated in your application via Samly will be a local logout.

The warning message in the log is to make this explicit so the developer is aware of this. Hope this makes it clear.

hodak commented 5 years ago

The thing is that I, as a developer, can't do anything about it, really. The explanation from the issue is

Some Shibboleth IdP installations may have the SLO endpoint information commented out in their IdP metadata file.

but I don't think it should be the responsibility of samly to warn about Shibboleth config.

At the very least, I think there should be a way to suppress this warning with a config for applications that don't use SLO.

handnot2 commented 5 years ago

@hodak can you check the SAML requests sent to your IdP by using the SAML tracer Firefox plugin? Do you see a SAML logout request going to your IdP even when you see this warning? Would appreciate your response on this.
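What the maintainer is asking the reporter to check with SAML tracer can also be done offline. The following is an added example, not samly's or SAML tracer's code, that builds and then decodes the HTTP-Redirect binding an SP uses to send a LogoutRequest: the SAMLRequest query parameter is raw-DEFLATE compressed, base64-encoded and URL-encoded XML. The LogoutRequest, the SP and IdP URLs and the RelayState are constructed for the example, and only the Python standard library is used. If the SP has fallen back to a local logout, there is no such redirect at all, which is what `inspect_redirect_url` returning None represents.

```python
"""Decode a SAML 2.0 HTTP-Redirect binding request and report what it is.

Added example, not samly's code. Shows the SP side (encode) and the
inspection side (decode) so the round trip can be checked offline.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed LogoutRequest with hypothetical SP and IdP URLs.
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req-1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/slo">'
    "<saml:Issuer>https://sp.example.test/sp/metadata</saml:Issuer>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "alice@example.test</saml:NameID>"
    "<samlp:SessionIndex>_session-1</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)

# Constructed AuthnRequest, to tell a login redirect apart from a logout one.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req-2" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
    'Destination="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE">'
    "<saml:Issuer>https://sp.example.test/sp/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_param(xml_text):
    """Redirect binding: raw DEFLATE (no zlib header, hence wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_param(value):
    """Inverse of encode_redirect_param; value is the URL-decoded SAMLRequest."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(endpoint, xml_text, relay_state=None):
    """The URL an SP sends the browser to; urlencode percent-escapes the base64."""
    params = {"SAMLRequest": encode_redirect_param(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    joiner = "&" if "?" in endpoint else "?"
    return endpoint + joiner + urllib.parse.urlencode(params)


def describe_request(xml_text):
    """Summarise a samlp request: its element name, ID, Destination, Issuer, NameID."""
    root = ET.fromstring(xml_text)
    local_name = root.tag.rpartition("}")[2]
    issuer = root.find(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}NameID")
    return {
        "type": local_name,
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "session_indexes": [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")],
    }


def inspect_redirect_url(url):
    """What a SAML tracer shows for a redirect: None if it carries no SAMLRequest."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in params:
        return None
    info = describe_request(decode_redirect_param(params["SAMLRequest"][0]))
    info["relay_state"] = params.get("RelayState", [None])[0]
    return info
```

`parse_qs` would turn a bare `+` in the base64 into a space, so the encoder must percent-escape the parameter (as `urlencode` does); a tracer that shows a SAMLRequest with spaces in it is looking at a request that was not URL-encoded properly.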

handnot2 commented 5 years ago

I am considering removing this warning when the SLO endpoints are not present in the IdP metadata XML file and instead doing the following for local signout or SLO: