mcguinness / saml-idp

Simple SAML Identity Provider (IdP) for Node
MIT License
447 stars 172 forks

"Invalid Session Participant" - incorrect session index exception #60

Closed joshhubers closed 4 years ago

joshhubers commented 4 years ago

Thanks for the fantastic library, it's really helping out with what I'm trying to build.

I'm having an issue implementing logout from my currently in development SP. I can log in successfully, but when I go to log out using the slo endpoint with redirect, I get the following error:

Error: Invalid Session Participant
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:181:65
    at SessionParticipants.get (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\sessionParticipants\index.js:32:20)
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:178:39
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:295:5
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\utils.js:121:20
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\utils.js:76:16
    at c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:161:38
    at SessionParticipants.get (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\sessionParticipants\index.js:32:20)
    at Object.getCredentials (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\logout.js:159:41)
    at configureSigningCredentials (c:\Users\jhubers\Documents\Code\saml-idp\node_modules\samlp\lib\utils.js:74:13)

Looking at where the line is failing in the samlp library I see the following:

...
          options.sessionParticipants.get(requestData.issuer, requestData.sessionIndex, requestData.nameId, function (err, session) {
            if (err) { return next(err); }
            if (!session && !options.destination) { return next(new Error('Invalid Session Participant')); }
...

I have debugged and looked at what values options.sessionParticipants has and what values requestData has.

The requestData.sessionIndex is misaligned with what is in options.sessionParticipants[...].sessionIndex so a user is never found.

I believe there is a missing or incorrect getParticipant in saml-idp with hashing the sessionIndex.

I say this because the samlp.sessionParticipants[...].sessionIndex is the hashed value of the requestData.sessionIndex that I am looking up.

For example, I log in with the following information:

id:"identifier_1"
issuer:"https://myapp.org"
nameId:"saml.jackson@example.com"
nameIdFormat:"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
sessionIndex:"1"

When I go to log out, I see that samlp sessionParticipants has the following participants:

nameId:"saml.jackson@example.com"
nameIdFormat:"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
serviceProviderId:"https://www.okta.com/saml2/service-provider/spf5aFRRXFGIMAYXQPNV"
serviceProviderLogoutURL:"/saml/slo"
sessionIndex:"1652171193"

And the requestData.sessionIndex is 1.

joshhubers commented 4 years ago

Sorry - new to SAML. Turns out I was handing back to the logout the incorrect session index value. I did not realize it was included in the login response.
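The lookup both comments describe, as an added example in plain Node (not code from saml-idp or samlp): the IdP records the SessionIndex it issued in the login Response, and the SP has to echo that same value in its LogoutRequest or the participant lookup finds nothing. The store, handler, helper names and sample data are assumptions for illustration.

```javascript
// Added example, not code from saml-idp or samlp: a minimal model of the IdP-side lookup
// that raised "Invalid Session Participant" above. All names and sample data are assumed.

// Constructed sample of the AuthnStatement an IdP places in its login Response.
// The SP must persist this SessionIndex and echo it in its later LogoutRequest.
const LOGIN_RESPONSE = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2022-05-10T08:26:33Z" SessionIndex="1652171193"/>
</saml:Assertion>`;

// Read the SessionIndex attribute from the login response (regex suffices for this
// constructed sample; a real SP should use its SAML library's parsed assertion).
function extractSessionIndex(xml) {
  const m = /SessionIndex="([^"]+)"/.exec(xml);
  return m ? m[1] : null;
}

// IdP-side store keyed by (issuer, sessionIndex, nameId), shaped like the participant
// the reporter dumped from samlp; get() uses samlp's callback signature.
class SessionParticipants {
  constructor(participants) { this.participants = participants; }
  get(issuer, sessionIndex, nameId, cb) {
    const session = this.participants.find((p) =>
      p.serviceProviderId === issuer && p.sessionIndex === sessionIndex && p.nameId === nameId);
    cb(null, session || null);
  }
}

// Same decision as the samlp lines quoted in the issue: no matching participant and
// no configured destination means the LogoutRequest is rejected.
function handleLogoutRequest(store, requestData, options, cb) {
  store.get(requestData.issuer, requestData.sessionIndex, requestData.nameId, (err, session) => {
    if (err) return cb(err);
    if (!session && !options.destination) return cb(new Error('Invalid Session Participant'));
    return cb(null, session);
  });
}

const STORE = new SessionParticipants([{
  nameId: 'saml.jackson@example.com',
  serviceProviderId: 'https://myapp.org',
  sessionIndex: extractSessionIndex(LOGIN_RESPONSE), // the value the IdP issued at login
}]);

// Simulate an SP LogoutRequest carrying sessionIndex; returns 'ok' or the error message.
function tryLogout(sessionIndex) {
  const requestData = { issuer: 'https://myapp.org', nameId: 'saml.jackson@example.com', sessionIndex };
  let result;
  handleLogoutRequest(STORE, requestData, {}, (err) => { result = err ? err.message : 'ok'; });
  return result; // tryLogout('1') -> 'Invalid Session Participant'; tryLogout('1652171193') -> 'ok'
}
```

Sending the SP's own counter ("1") reproduces the error from the first comment; sending the SessionIndex taken from the login response is what the second comment found fixes it.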