omniauth / omniauth-saml

A generic SAML strategy for OmniAuth
https://github.com/omniauth/omniauth-saml

Single Log Out (SLO) Not Redirecting #173

Closed cwseric closed 5 years ago

cwseric commented 5 years ago

Hello,

I am needing to use SLO in my app and am having an issue after the IdP validates my logout request. The app appears to close out all the connections but will get stuck at a page with Redirecting to ... after it returns from the IdP.

[screenshot taken 2018-11-12 3:19:53 pm]

Any help on where the Redirecting to ... is coming from and/or possibly where I can set a different redirect to url would be wonderful.

Below are my files and logs.

production log file

Started DELETE "/users/sign_out" for 10.0.0.1 at 2018-11-12 21:00:34 +0000
Processing by SessionsController#destroy as HTML
  Parameters: {"authenticity_token"=>"gS8w/o2xmErAB8gMwQnPZXEz65vHf/zfbQjxJDeREj998SDhDFm2X1egldlFBXmT5daSxL5okbSkUwDm4iSpyQ=="}
  User Load (0.4ms)  SELECT  `users`.* FROM `users` WHERE `users`.`id` = 5 ORDER BY `users`.`id` ASC LIMIT 1
   (0.1ms)  BEGIN
   (0.1ms)  COMMIT
  Site Load (0.3ms)  SELECT  `sites`.* FROM `sites` WHERE `sites`.`id` = 1 LIMIT 1
Redirected to https://mysite.com/users/auth/saml/spslo
Completed 302 Found in 5ms (ActiveRecord: 1.0ms)
Started GET "/users/auth/saml/spslo" for 10.0.0.1 at 2018-11-12 21:00:34 +0000
Created SLO Logout Request: <samlp:LogoutRequest Destination='https://mysite.samlidp.io/saml2/idp/SingleLogoutService.php' ID='_5fe1caf1-890b-4b7b-9dc3-ef50fc10a961' IssueInstant='2018-11-12T21:00:34Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>https://mysite.com</saml:Issuer><saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>_a747cb547d2bb3c92c8ee99d37aef5b489c1b0685e</saml:NameID></samlp:LogoutRequest>
Started POST "/users/auth/saml/slo" for 10.0.0.1 at 2018-11-12 21:02:44 +0000

devise.rb file

config.omniauth :saml,
  # was "assertion_customer_service_url", which omniauth-saml ignores; the option is
  # assertion_consumer_service_url
  assertion_consumer_service_url: "https://mysite.com/users/auth/saml/callback",
  single_logout_service_url: "https://mysite.com/users/auth/saml/slo",
  # `provider` is the app's own record holding the IdP settings (not shown here)
  idp_cert: provider.cert,
  idp_sso_target_url: provider.target_url,
  idp_slo_target_url: provider.sso_logout_url,
  issuer: "https://saml.cws.net",
  private_key: File.read("/var/www/mysite.com/ssl/selfsigned.key"),
  certificate: File.read("/var/www/mysite.com/ssl/selfsigned.pem"),
  allowed_clock_drift: 5,
  name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

routes.rb

Rails.application.routes.draw do
  #devise_for :users
  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks', sessions: 'sessions' }

  root 'home#index'
end

sessions_controller.rb

class SessionsController < Devise::SessionsController

  def destroy
    # Devise resets the session on sign-out; keep the saml_uid so the
    # SP-initiated logout (spslo) still knows which IdP session to close.
    saml_uid = session["saml_uid"]

    super do
      session["saml_uid"] = saml_uid
    end
  end

  def after_sign_out_path_for(_)
    @site = Site.find_by(id: 1)
    # Only start SP-initiated SLO when we have a SAML session and the site
    # actually has an IdP logout URL configured; `&.` guards a missing site.
    if session["saml_uid"] && @site&.sso_logout_url
      user_saml_omniauth_authorize_path + "/spslo"
    else
      super
    end
  end

end

Thanks Eric

cwseric commented 5 years ago

I figured out the issue. If you're doing SLO you need to use the following in your devise.rb file.

slo_default_relay_state: "something"

"Something" will route to a path similar to /auth/saml/something

topherfangio commented 1 year ago

For anyone else who visits this page, here is how I got this working in my Rails 7 application:

    :slo_default_relay_state => Proc.new { Rails.application.routes.url_helpers.login_url },
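To show what the two fixes above change, here is an added example (not omniauth-saml's own code) that models, as I understand the strategy, how the post-SLO redirect target is chosen: an IdP-returned RelayState parameter is used if present, otherwise `slo_default_relay_state` (a String or a Proc), and an empty result is consistent with the bare "Redirecting to ..." page in the original report. `safe_slo_target` is an extra allow-list check that is not part of the gem; it keeps an IdP-supplied RelayState from turning the `/slo` endpoint into an open redirect.

```ruby
require "uri"

# Added example, not omniauth-saml's code. Stand-ins for the gem's options
# hash and the Rack request are constructed here so the file runs offline.
module SloRedirect
  Options = Struct.new(:slo_default_relay_state, keyword_init: true)
  Request = Struct.new(:params, keyword_init: true)

  # Precedence as modelled from the strategy (assumption, see lead-in):
  # a non-empty RelayState from the IdP wins, else the configured default,
  # which may be a plain String or a Proc taking zero or one (request) args.
  def self.slo_relay_state(options, request)
    relay = request.params["RelayState"]
    return relay if relay && relay != ""

    default = options.slo_default_relay_state
    return default unless default.respond_to?(:call)
    default.arity == 1 ? default.call(request) : default.call
  end

  # Hardening step (not in the gem): accept only absolute-path relative URLs
  # or absolute URLs on our own host; anything else (other hosts, protocol-
  # relative "//host", non-http schemes, blanks) falls back to `fallback`.
  def self.safe_slo_target(target, own_host:, fallback: "/")
    return fallback if target.nil? || target.strip.empty?
    uri = URI.parse(target)
    return fallback unless uri.scheme.nil? || %w[http https].include?(uri.scheme)
    return target if uri.host.nil? && target.start_with?("/") && !target.start_with?("//")
    return target if uri.host == own_host
    fallback
  rescue URI::InvalidURIError
    fallback
  end
end
```

In a real app the string the Proc returns (the login URL in the comment above) is what `safe_slo_target` should vet before the controller redirects.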