Closed staeglis closed 7 years ago
Update to server configuration: nginx is only reverse proxy, php is running apache (mod_php)
Additional steps for different behavior:
The different behavior is IMO the same as in this issue
You probably mean issue #45
I can see the error messages also if the user is logging in. Maybe this has something to do with the new attribute assignment functionality? I tried this out but it isn't working too.
Attribute assignment is now working, but the messages and the problem aren't gone.
I have the same issue and at least implemented a workaround for this error. I added the @NoCSRFRequired attribute to the singleLogoutService in apps/user_saml/lib/Controller/SAMLController.php. Like this:
/**
* @NoAdminRequired
* @NoCSRFRequired
*/
public function singleLogoutService() {
$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
$returnTo = null;
$parameters = array();
$nameId = $this->session->get('user_saml.samlNameId');
$sessionIndex = $this->session->get('user_saml.samlSessionIndex');
$this->userSession->logout();
$auth->logout($returnTo, $parameters, $nameId, $sessionIndex);
}
I think a CSRF check is not needed for this type of functionality - the user just gets logged out. Are there any security concerns or is this the proper way to do it?
Thank you for the hint. The logout initiated by an other SP is now working. But I hope in the end there will be a less general solution. But at the moment I can live with this.
Unluckily the logout directly from Nextcloud is still not working. @tbrandstetter Do you have also this problem or is the SAML Logout working in your Nextcloud installation.
@staeglis I'm still using Nextcloud 11 where the logout from Nextcloud is still working. I'm going to install Nextcloud 12 next week and take a look at it.
How about changing logout URL to be /index.php/apps/user_saml/saml/sls
when user_saml
is installed? If you use the URL in the browser, SAML logout is initiated properly.
At the moment Nextcloud 12.0.0 uses /index.php/logout?requesttoken=...
.
@KamilWo Interesting point. How was the logout URL in Nextcloud 11? I don't remember
Excuse me for the interruption - but I have the same issue - and as you asked about 11.
I can confirm that Nextcloud 11.0.3 uses the logout url /index.php/apps/user_saml/saml/sls?requesttoken=... and succeeds in logging out, but Nextcloud 12.0.0.29 has /logout?requesttoken=... (i.e. no index.php in the url).
I can also confirm that using the 11.0.3 location in 12.0.0.29 successfully logs out the session/
As workaround I've created an external site link to /index.php/apps/user_saml/saml/sls
@NeilWJames Thank you for the confirmation.
@staeglis The URL /index.php/apps/user_saml/saml/sls
was the single logout URL in Nextcloud 11.
Regression introduced with https://github.com/nextcloud/server/commit/054e161eb5f4a5c5c13ee322ae8e93ce66f01b13.
Thank you for the fix @LukasReschke For the stable version 12.0.2, who needs SAML log out working, monkey patched solution until the update, then you can find in file nextcloud/lib/private/NavigationManager.php
the line 'core.login.logout',
(no. 196), comment that out in case you need it later, then put in next line: 'user_saml.SAML.singleLogoutService',
. Hope this helps.
I confirm the fix is working fine. Thank you, much appreciated.
I am have Nextcloud 12.0.4 configured with SSO. The bug remains and the above monkey patch is no longer relevant. Any additional info I can provide?
Steps to reproduce
Expected behaviour
The user should be logged out
Actual behaviour
The user is still be logged in
Server configuration
Operating system: Linux
Web server: nginx (maybe only as proxy)
Database: MySQL
PHP version: 7.0.19
Nextcloud version: 12.0
Where did you install Nextcloud from: tar.gz
List of activated apps: Standard Apps + user_saml
Nextcloud configuration:
<?php $CONFIG = array ( 'instanceid' => '', 'passwordsalt' => '', 'secret' => '', 'trusted_domains' => array ( 0 => 'nextcloud.xyz.de', ), 'datadirectory' => '/var/www/vhosts/xyz.de/nextcloud.xyz.de/nextcloud/data', 'overwrite.cli.url' => 'https://nextcloud.xyz.de/nextcloud', 'dbtype' => 'mysql', 'version' => '12.0.0.29', 'dbname' => 'nextcloud', 'dbhost' => 'localhost', 'dbtableprefix' => 'oc_', 'dbuser' => 'nextcloud', 'dbpassword' => '(', 'logtimezone' => 'UTC', 'installed' => true, 'mail_from_address' => 'webmaster', 'mail_smtpmode' => 'php', 'mail_domain' => 'xyz.de', 'maintenance' => false, 'updater.release.channel' => 'production', 'theme' => '', 'loglevel' => 2, 'updater.secret' => '', );
Client configuration
Browser: Firefox, Chromium
Operating system: Ubuntu 16.04
Logs
Nextcloud log (data/owncloud.log)
3,"time":"2017-05-23T07:39:52+00:00","remoteAddr":"1.2.3.4","user":"--","app":"PHP","method":"POST","url":"\/nextcloud\/index.php\/apps\/user_saml\/saml\/acs","message":"Undefined offset: 1 at \/var\/www\/vhosts\/xyz.de\/nextcloud.xyz.de\/nextcloud\/apps\/user_saml\/lib\/userbackend.php#416","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko\/20100101 Firefox\/53.0","version":"12.0.0.29"} {"reqId":"WSPnSH8AAQEAADV6AYgAAAAH","level":3,"time":"2017-05-23T07:39:52+00:00","remoteAddr":"1.2.3.4","user":"--","app":"PHP","method":"POST","url":"\/nextcloud\/index.php\/apps\/user_saml\/saml\/acs","message":"Invalid argument supplied for foreach() at \/var\/www\/vhosts\/xyz.de\/nextcloud.xyz.de\/nextcloud\/apps\/user_saml\/lib\/userbackend.php#394","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko\/20100101 Firefox\/53.0","version":"12.0.0.29"}
Browser log