onelogin / drupal-saml

MIT License

SP-Initiated SLO - need to destroy session before requesting SLO #19

Closed cagedartist closed 9 years ago

cagedartist commented 9 years ago

When Logout is initiated from Drupal, it looks like the onelogin_saml Drupal module doesn't actually destroy the user's session until the Logout Response comes back from the IdP. (The initial Drupal logout is interrupted when the module's user_logout_hook redirects and exits.)

When the Logout Response doesn't come back, users are not logged out - and these users probably don't know they aren't logged out. Worst-case scenario is when the IdP session has timed out. In this case, the user ends up at the Login page of the IdP. The Logout Response never comes back. The user cannot log out of Drupal unless he logs back in to the IdP and then logs out.

IdP = Onelogin, in my case. I can provide a trace, if desired.

pitbulk commented 9 years ago

Why doesn't the Logout Response come back?

The issue that you reported is the common SLO problem related to SAML.

But at the SAML workflow for SAML SSO Web Profile, the session of the application is destroyed once the Logout Response arrives and not before.

cagedartist commented 9 years ago

The example I gave is a common one: The session at the IdP has timed out. In this case, OneLogin does not return a response. We need to have a longer local session for our Drupal app, so this situation will frequently happen.

It seems like your Moodle plug-in - which we are also using - does destroy the user’s local session before requesting SLO from the IdP.

Not sure what you mean by "But at the SAML workflow for SAML SSO Web Profile, the session of the application is destroyed once the Logout Response arrives and not before.” Are you saying that the SAML specification mandates this? (That would be news to me.) Or that the Drupal module behaves this way? (Which I know.)


cagedartist commented 9 years ago

See line 1218 in the current SAML Specification (I'm reading the pdf version). It says "The SP sp1.example.com destroys the local authentication session state for the user and then sends the idp.example.org identity provider a SAML message requesting that the user's session be logged out."

This prevents an accident that might leave the user logged in without their knowledge.

pitbulk commented 9 years ago

@cagedartist, thanks for reporting this issue.

At the OneLogin platform we are reviewing the session time-out issue. And you were right about how the SP-Initiated SLO workflow should work. I mistook the flows.

I will fix that asap.

pitbulk commented 9 years ago

@cagedartist, please let me know if that commit solved your issue.

cagedartist commented 9 years ago

Thanks. I've done some testing. The change destroys the user session before redirecting, so it fixes the worst-case scenario. The user is always logged out.

Not sure this is related — it might be a different issue: I’ve had a problem with the drupal_saml_login cookie. I had to disable the cookie code to get SLO to work. Other departments at the college have reported the same problem. The code and logic seem simple, but I’ve found that the cookie value is 1 when it should be 0 (user has logged out) and it’s missing when it should be 1 (user is logged in with SSO). It looks like the purpose of the cookie is to avoid SLO if the user has logged in locally. Correct?

pitbulk commented 9 years ago

Yes that was the case. Maybe you had some phantom cookie from a previous attempt. Please clean all cookies and let me know if something is wrong.
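The ordering question settled above (destroy the local session before sending the LogoutRequest, not after the LogoutResponse arrives) and the role of the drupal_saml_login cookie confirmed in the last reply, modelled as an added example. This is not code from the onelogin/drupal-saml module: the session table, the IdP stub, and the `sso_login` flag that stands in for the cookie are constructed for illustration, and bindings, signatures and redirects are abstracted away. The model shows why the reported ordering leaves a user logged in when the IdP session has timed out and no response ever comes back.

```python
"""Model of SP-initiated SAML Single Logout (SLO) ordering.

Added example; not code from the onelogin/drupal-saml module. It contrasts
destroying the SP session only once the IdP's LogoutResponse arrives (the
behaviour reported in the issue) with destroying it before the LogoutRequest
is sent (what the SAML Profiles text quoted in the issue describes).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class Session:
    user: str
    sso_login: bool  # True if established via the IdP; False for a local login
                     # (the role the drupal_saml_login cookie plays; assumption)


class ServiceProvider:
    """Minimal SP: a session table plus a log of LogoutRequests it sent."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.sent_requests: List[dict] = []

    def login(self, sid: str, user: str, via_sso: bool) -> None:
        self.sessions[sid] = Session(user, via_sso)

    def is_logged_in(self, sid: str) -> bool:
        return sid in self.sessions

    def destroy(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def send_logout_request(self, idp: "IdentityProvider", user: str) -> Optional[dict]:
        request = {"ID": f"_req-{len(self.sent_requests) + 1}", "NameID": user}
        self.sent_requests.append(request)
        return idp.handle_logout_request(request)


class IdentityProvider:
    """Stub IdP: answers a LogoutRequest only while its own session is alive."""

    def __init__(self, session_alive: bool) -> None:
        self.session_alive = session_alive

    def handle_logout_request(self, request: dict) -> Optional[dict]:
        if not self.session_alive:
            # IdP session has timed out: the user lands on the IdP login page
            # and no LogoutResponse is ever sent back (the case in the issue).
            return None
        self.session_alive = False
        return {"InResponseTo": request["ID"], "Status": SUCCESS}


def logout_after_response(sp: ServiceProvider, idp: IdentityProvider, sid: str) -> bool:
    """Reported behaviour: local session survives until a successful response.

    Returns True if the user is still logged in at the SP afterwards.
    """
    sess = sp.sessions.get(sid)
    if sess is None:
        return False
    if not sess.sso_login:
        sp.destroy(sid)  # local login: plain logout, no SLO round trip
        return False
    response = sp.send_logout_request(idp, sess.user)
    if response is not None and response["Status"] == SUCCESS:
        sp.destroy(sid)  # only reached when the IdP actually answers
    return sp.is_logged_in(sid)


def logout_before_request(sp: ServiceProvider, idp: IdentityProvider, sid: str) -> bool:
    """Fixed ordering: destroy the local session first, then notify the IdP."""
    sess = sp.sessions.get(sid)
    if sess is None:
        return False
    sp.destroy(sid)  # unconditional; independent of whether the IdP replies
    if sess.sso_login:
        sp.send_logout_request(idp, sess.user)
    return sp.is_logged_in(sid)


def run_scenario(ordering, idp_alive: bool, via_sso: bool) -> dict:
    """Log one constructed user in, log out with the given ordering, report."""
    sp, idp = ServiceProvider(), IdentityProvider(idp_alive)
    sp.login("sid-1", "alice@example.com", via_sso)  # constructed sample user
    still_logged_in = ordering(sp, idp, "sid-1")
    return {"still_logged_in": still_logged_in, "requests_sent": len(sp.sent_requests)}


if __name__ == "__main__":
    for name, fn in (("after response", logout_after_response),
                     ("before request", logout_before_request)):
        for alive in (True, False):
            print(f"{name:15} idp_alive={alive!s:5} -> {run_scenario(fn, alive, True)}")
```

Running the block prints the four SSO cases; the only one that leaves `still_logged_in` true is the reported ordering with a dead IdP session. The `sso_login` flag also shows why a wrong cookie value matters: a session marked as local skips the LogoutRequest entirely, and a local session wrongly marked as SSO triggers an SLO round trip the IdP knows nothing about.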