search

iwayvietnam / zm-sso

Zm SSO is the Zimbra Collaboration Open Source Edition extension for single sign-on authentication to the Zimbra Web Client.
GNU Affero General Public License v3.0
14 stars 20 forks source link

Single Logout Response Missing RelayState #13

Open msaksak opened 9 months ago

msaksak commented 9 months ago

When I terminate the session from any of the service providers with multiple logins, a saml single session logout request is sent to the identity provider, single logout is initiated and the identity server makes a request to the single logout service of each service provider. When sending the request from the identity server, SAMLRequest and RelayState two parameters are sent, the identity server expects the RelayState Parameter with SAMLResponse after the service provider logs out. But after logout, only SAMLResponse returns to the identity server and since there is no RelayState Parameter on the IDP side, it causes an error and session termination is interrupted.

Is it possible to return the RelayState parameter and value sent during the request to the identity provider in the logout response?

See section 3.4.3 RelayState of the SAML bindings document: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for the HTTP-Redirect binding:

3.4.3 RelayState

RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message independent of any other protections that may or may not exist during message transmission. Signing is not realistic given the space limitation, but because the value is exposed to third-party tampering, the entity SHOULD ensure that the value has not been tampered with by using a checksum, a pseudo-random value, or similar means. If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response. If no such value is included with a SAML request message, or if the SAML response message is being generated without a corresponding request, then the SAML responder MAY include RelayState data to be interpreted by the recipient based on the use of a profile or prior agreement between the parties
tuxcrafter commented 9 months ago

I would also like to see the SLO improved.