• Resolved kirkyedinak

    (@kirkyedinak)


    I’m using the built-in OneLogin library to connect to an external SimpleSAMLphp service provider. I am able to successfully log in, however when logging out, I receive the following status: status:Requester

    My IDP provided the following information from their logs.

    ERROR: IDPSingleLogout.processLogoutRequest: session index are null in logout request

    In the OneLogin LogoutRequest.php file provided with the WP SAML Auth plugin, I see the constructor function accepts NameID and Session Index. Is there a setting I can configure that will set the NameID and Session Index, and pass those along to the LogoutRequest constructor?

    public function __construct(\OneLogin\Saml2\Settings $settings, $request = null, $nameId = null, $sessionIndex = null, $nameIdFormat = null, $nameIdNameQualifier = null, $nameIdSPNameQualifier = null)

    Currently the OneLogin logout request looks similar to this:

    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         ID="ONELOGIN_dc79fc4f387e8ab780859930499a2aa3825f4197"
                         Version="2.0"
                         IssueInstant="2021-08-12T21:04:43Z"
                         Destination="https://myidp.com:443/openam/IDPSloRedirect/metaAlias/my-online-idp">
      <saml:Issuer>https://myserviceprovider.com/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">my-online-idp</saml:NameID>
    </samlp:LogoutRequest>

    What actually works if I use a local SimpleSAMLphp install instead of internal OneLogin:

    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         ID="_b425c20bdff89aa28644dca50d79072b22bcce499a"
                         Version="2.0"
                         IssueInstant="2021-08-12T21:31:10Z"
                         Destination="https://myidp.com:443/openam/IDPSloRedirect/metaAlias/my-online-idp">
      <saml:Issuer>https://myserviceprovider.com/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
      <saml:NameID NameQualifier="my-online-idp"
                   SPNameQualifier="https://myserviceprovider.com/simplesaml/module.php/saml/sp/metadata.php/default-sp"
                   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
      <samlp:SessionIndex>s2651e48d54629131e4dd32e1bae5e8059295b6706</samlp:SessionIndex>
    </samlp:LogoutRequest>

    What options are available to get the Session Index and the user email in the OneLogin logout request?
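    As an added illustration (not part of the original post), a small Python check that parses the two kinds of LogoutRequest shown above and reports what an IdP that matches on user NameID plus SessionIndex would find missing; the sample XML is constructed, with shortened IDs and example hostnames standing in for the real values.

    ```python
    import xml.etree.ElementTree as ET

    NS = {
        "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
        "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    }

    # Constructed samples modelled on the two requests in the post above (IDs, session index and hosts are placeholders).
    BROKEN_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_example" Version="2.0"
        IssueInstant="2021-08-12T21:04:43Z" Destination="https://myidp.example/IDPSloRedirect">
      <saml:Issuer>https://sp.example/saml/metadata</saml:Issuer>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">my-online-idp</saml:NameID>
    </samlp:LogoutRequest>"""

    WORKING_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"
        IssueInstant="2021-08-12T21:31:10Z" Destination="https://myidp.example/IDPSloRedirect">
      <saml:Issuer>https://sp.example/saml/metadata</saml:Issuer>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <samlp:SessionIndex>s_example_session_index</samlp:SessionIndex>
    </samlp:LogoutRequest>"""


    def inspect_logout_request(xml_text):
        """Pull out the fields an IdP uses to match a LogoutRequest to a login session.
        Missing elements come back as None so the caller sees exactly what is absent."""
        root = ET.fromstring(xml_text)
        if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
            raise ValueError("not a samlp:LogoutRequest: " + root.tag)
        name_id = root.find("saml:NameID", NS)
        idx = root.find("samlp:SessionIndex", NS)
        return {
            "issuer": root.findtext("saml:Issuer", default=None, namespaces=NS),
            "name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "session_index": idx.text if idx is not None else None,
        }


    def logout_request_problems(xml_text):
        """Reasons an IdP that matches on user NameID plus SessionIndex would reject it."""
        info = inspect_logout_request(xml_text)
        problems = []
        if not info["session_index"]:
            problems.append("missing samlp:SessionIndex")
        if not info["name_id"]:
            problems.append("missing saml:NameID")
        elif info["name_id_format"] == "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
            problems.append("NameID names an entity, not the logged-in user")
        return problems
    ```

    Running logout_request_problems over the first request lists the missing SessionIndex and the entity-format NameID, which is the same gap the IdP log line above complains about; the second request comes back clean.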

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Great question, @kirkyedinak! I appreciate all of the detail you’ve included.

    Can you try out the new filter I’m considering with this pull request and let me know if it meets your needs?

    Thread Starter kirkyedinak

    (@kirkyedinak)

    @danielbachhuber thanks for the quick reply. I’ve modified the action_wp_logout function with your proposed changes, and I’ve ensured my singleLogoutService URL is set. Unfortunately the only change in the logout request that I see is in the RelayState. The logout request remained as it was in my previous post.

    SimpleSAMLphp is reporting the following:
    Unsuccessful logout. Status was: SimpleSAML\Module\saml\Error: Requester

    This is most likely due to the missing Session Index.

    My apologies if I’m missing something here.

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    In addition to modifying the action_wp_logout method, you’ll also need to add a filter to wp_saml_auth_internal_logout_args. Can you share the filter you added?

    Thread Starter kirkyedinak

    (@kirkyedinak)

    Here is my filter function. The logout status is being reported with: Session index is not valid

    function wpsax_filter_internal_logout_args( $args ) {
        session_start();
        $args['nameId']       = '[email protected]';
        $args['sessionIndex'] = session_id();
        return $args;
    }

    How do I properly get the Session Index?

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Ah, thanks for sharing that.

    session_id() will only return a value if a PHP session has been started with session_start() (reference). If you haven’t called session_start(), it will return an empty value.

    I’m not quite sure session_id() is the correct function to use to generate a SessionIndex, however.

    Were you provided additional documentation on how to generate the sessionIndex value? This Auth0 documentation seems to imply the value is included in the original logging-in response.

    Thread Starter kirkyedinak

    (@kirkyedinak)

    Thanks for the link to auth0 documentation. That got me thinking…

    In your class-wp-saml-auth.php file, I modified do_saml_authentication().

    I added the following code at line 259

    session_start();
    $_SESSION['sessionIndex'] = $provider->getSessionIndex();

    My filter function now looks like this:

    function wpsax_filter_internal_logout_args( $args ) {
        session_start();
        $args['sessionIndex'] = $_SESSION['sessionIndex'];
        return $args;
    }

    The SessionIndex is captured from the login response and stored in a session variable and is now included in the logout request.

    If you find a better solution, please let me know.

    Thread Starter kirkyedinak

    (@kirkyedinak)

    To include both the NameID and SessionIndex in the logout request, you could make this change. In your class-wp-saml-auth.php file, I modified do_saml_authentication().

    I added the following code at line 259

    session_start();
    $_SESSION['sessionIndex'] = $provider->getSessionIndex();
    $_SESSION['nameId'] = $provider->getNameId();

    My filter function now looks like this:

    function wpsax_filter_internal_logout_args( $args ) {
        session_start();
        $args['nameId']       = $_SESSION['nameId'];
        $args['sessionIndex'] = $_SESSION['sessionIndex'];
        return $args;
    }

    I now receive a status:Success in the LogoutResponse.

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Great! Glad you were able to figure a solution out.

    I’ve tagged WP SAML Auth v1.2.4 with the wp_saml_auth_internal_logout_args filter.

    Rather than directly modifying class-wp-saml-auth.php at line 259, I think you can hook onto the wp_saml_auth_pre_authentication filter instead:

    add_filter(
        'wp_saml_auth_pre_authentication',
        function ( $retval ) {
            session_start();
            $_SESSION['sessionIndex'] = $provider->getSessionIndex();
            $_SESSION['nameId'] = $provider->getNameId();
            return $retval;
        }
    );

    Thread Starter kirkyedinak

    (@kirkyedinak)

    Thanks for suggesting the filter. The getSessionIndex() and getNameId() calls were throwing errors. That got me digging around a bit more and I found wp_saml_auth_attributes.

    I ended up using this filter:

    add_filter(
        'wp_saml_auth_attributes',
        function ( $attributes, $provider ) {
            session_start();
            $_SESSION['sessionIndex'] = $provider->getSessionIndex();
            $_SESSION['nameId'] = $provider->getNameId();
            return $attributes;
        },
        10,
        2
    );

    The provider array holds a ton of useful information. A user should look there if they need any other information returned from the authentication.

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Ah, that’s what I get for not testing my code snippet.

    I like your version much better!

  • The topic ‘When logging out the sessionIndex and nameID is not passed to the IdP’ is closed to new replies.