onelogin / moodle-saml

OneLogin SAML plugin for Moodle
MIT License

Fail to use Single Logout with ADFS #10

Open haroldyung opened 6 years ago

haroldyung commented 6 years ago

Moodle version: 3.3.3
OneLogin SAML version: 2.4.2

I am using ADFS for SSO and the sign-on process runs correctly! However, I found that Single Logout (SLO) always gets the message below.

error/auth_onelogin_saml: invalid_logout_response

Signature validation failed. Logout Response rejected

After checking the event logs in ADFS, I found that the LogoutRequest sent to ADFS is incorrect. When I trace the SAML package, I find that the information required by ADFS in SLO, such as nameId, sessionIndex and nameIdFormat, is not attached to the SAML package. So the package is rejected by ADFS because the format is incorrect.

In the code at line 125 of auth/onelogin_saml/index.php, I see that some lines are commented out because the session is closed. My question is whether there is any solution to pass nameId, sessionIndex and nameIdFormat to ADFS in the LogoutRequest?

Thank you for your attention!

Regards

pitbulk commented 6 years ago

Yes, I will need to use a newer php-saml version, store the nameId, sessionIndex and nameIdFormat values in the session, and provide them to the logout method as I did in the WordPress plugin: https://github.com/onelogin/wordpress-saml/commit/482550716b107b73063698e4d7a4159322961d1f
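The approach pitbulk outlines, as an added example that is neither the moodle-saml plugin's code nor the WordPress commit: read the three values from php-saml's OneLogin_Saml2_Auth once the login response has been processed, keep them in the PHP session, and hand them to logout() when SLO starts. The function names, the session keys and the loader path are assumptions; the getNameIdFormat() accessor and the six-argument logout() signature are those of the php-saml 2.x API.

```php
<?php
// Added example, not the plugin's code. Assumes $settings is the php-saml
// settings array the plugin already builds, and that the php-saml 2.x
// toolkit loader lives at the path below (path is an assumption).
require_once '_toolkit_loader.php';

// Assertion Consumer Service: called after the IdP (ADFS) posts the SAMLResponse.
function saml_acs_store_session(array $settings) {
    $auth = new OneLogin_Saml2_Auth($settings);
    $auth->processResponse();
    $errors = $auth->getErrors();
    if (!empty($errors) || !$auth->isAuthenticated()) {
        throw new RuntimeException('SAML login failed: ' . implode(', ', $errors));
    }
    // ADFS requires NameID, its Format and SessionIndex in a later LogoutRequest,
    // so they must be captured now, while the assertion is in hand.
    $_SESSION['samlNameId']       = $auth->getNameId();
    $_SESSION['samlNameIdFormat'] = $auth->getNameIdFormat();
    $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
    return $auth->getAttributes();
}

// SP-initiated Single Logout: must run before the local session is destroyed,
// otherwise the stored values are gone and the LogoutRequest goes out empty.
function saml_slo_start(array $settings, $returnTo) {
    $nameId       = isset($_SESSION['samlNameId'])       ? $_SESSION['samlNameId']       : null;
    $nameIdFormat = isset($_SESSION['samlNameIdFormat']) ? $_SESSION['samlNameIdFormat'] : null;
    $sessionIndex = isset($_SESSION['samlSessionIndex']) ? $_SESSION['samlSessionIndex'] : null;
    if ($nameId === null || $sessionIndex === null) {
        // Nothing usable to send; fall back to a local-only logout rather than
        // sending a LogoutRequest ADFS will reject.
        return false;
    }
    $auth = new OneLogin_Saml2_Auth($settings);
    // php-saml 2.x: logout($returnTo, $parameters, $nameId, $sessionIndex, $stay, $nameIdFormat)
    $auth->logout($returnTo, array(), $nameId, $sessionIndex, false, $nameIdFormat);
    return true; // not reached in practice: logout() redirects to the IdP
}
```

The local Moodle session should only be cleared after saml_slo_start() has built the request, or in the Single Logout Service handler that processes the IdP's LogoutResponse.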

haroldyung commented 6 years ago

Thank you for your reply and great work!

I would like to ask whether the moodle-saml plugin will get an update in the future to integrate php-saml the way wordpress-saml does? Many thanks.