handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License
128 stars 94 forks source link

"SLO Endpoint missing..." warning with GSuite #44

Open hodak opened 5 years ago

hodak commented 5 years ago

I can successfully connect samly with GSuite SAML app, but I receive a warning when starting a server:

[warn] [Samly] SLO Endpoint missing in [nil]

I'm not an expert with SAML-specification, but that is a metadata XML file that's downloadable from G Suite:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C037nq81l" validUntil="2023-06-21T10:53:36.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xxx</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=C037nq81l"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C037nq81l"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Since it works fine, is this warning necessary?

Related issue: https://github.com/handnot2/samly/issues/36

handnot2 commented 5 years ago

Edited title to change "error" to "warning".

The entity descriptor XML you included shows that the "Single Logout" (SLO) endpoint is not included. This indicates that you cannot initiate a "single logout" from your application. This is a scenario where the same end user is working with multiple applications that participate in a "single sign-on" with that IdP. SLO initiated from an application could be propagated to other applications that the end user is currently signed into depending on how the IdP is setup. Since there is no SLO endpoint in the Idp metadata XML, the logout initiated in your application via Samly will be a local logout.

The warning message in the log is to make this explicit so the developer is aware of this. Hope this makes it clear.

hodak commented 5 years ago

The thing is that I, as a developer, can't do anything about it, really. The explanation from the issue is

Some Shibboleth IdP installations may have the SLO endpoint information commented out in their IdP metadata file.

but I don't think it should be a responsibility of samly to warn about Shibboleth config.

At the very least, I think there should be a way to suppress this warning with a config for applications that don't use SLO.

handnot2 commented 5 years ago

@hodak can you check the SAML requests sent to your IdP by using the SAML tracer firefox plugin? Do you see a SAML logout request going to your IdP even when you see this warning. Would appreciate our response on this.

handnot2 commented 5 years ago

I am considering removing this warning when the SLO endpoints are not present in the IdP metadata XML file and instead do the following for local signout or SLO: