
SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE seems to be ignored #29

Open

neshtea opened this issue Feb 9, 2021 · 8 comments


neshtea commented Feb 9, 2021

Description

First of all, thanks for providing this docker image, it helps a lot!

It is my understanding that when logging out a user via the web interface, simplesaml should send a logout request to the configured SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE.

Observation

The IdP contacts the acs but not the sls.

Setup

I've got an application running as the service provider, configured like this (excerpt from my docker-compose.yml file):

test-saml-idp:
    image: kristophjunge/test-saml-idp:1.15
    container_name: saml-idp
    ports:
      - "8080:8080"
      - "8443:8443"
    environment:
      SIMPLESAMLPHP_SP_ENTITY_ID: "http://localhost:3449/saml/metadata"
      SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: "http://localhost:3449/saml/login"
      SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: "http://localhost:3449/saml/logout"
    volumes:
      - ./docker-saml/users.php:/var/www/simplesamlphp/config/authsources.php:ro

Login works as expected. If the login is successful, the /saml/login endpoint is contacted carrying the expected data.
On logout, my service provider is not contacted. Through other means, I verified that in principle, /saml/logout receives requests and does "the right thing".

Request

It would help if you could verify one of these assertions:

  1. My setup is wrong (and perhaps how to fix it).
  2. My assumption that the IdP contacts the SP via /saml/logout is wrong.
  3. This is indeed a bug.

Thank you!


mattbaumann1 commented Apr 19, 2021

I am running into the same issues here. @neshtea, did you ever get a resolution here?

Unhandled exception
An unhandled exception was thrown.

If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator:

0126c27d34

Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: saml20-sp-remote/'comp1'['SingleLogoutService']:: Expected array or string.
Backtrace:
7 lib/SimpleSAML/Configuration.php:1123 (SimpleSAML_Configuration::getEndpoints)
6 lib/SimpleSAML/Configuration.php:1191 (SimpleSAML_Configuration::getEndpointPrioritizedByBinding)
5 modules/saml/lib/IdP/SAML2.php:515 (sspmod_saml_IdP_SAML2::sendLogoutResponse)
4 lib/SimpleSAML/IdP.php:465 (SimpleSAML_IdP::finishLogout)
3 lib/SimpleSAML/IdP/TraditionalLogoutHandler.php:47 (SimpleSAML\IdP\TraditionalLogoutHandler::logoutNextSP)
2 lib/SimpleSAML/IdP/TraditionalLogoutHandler.php:83 (SimpleSAML\IdP\TraditionalLogoutHandler::startLogout)
1 modules/core/www/idp/resumelogout.php:12 (require)
0 www/module.php:135 (N/A)


neshtea commented Apr 20, 2021 via email

@mattbaumann1

@neshtea , thanks for the quick response. I think that isn't going to work for our purposes either. We have a different set up going for production, but we were looking for something other than OKTA or OneLogin for development and testing of our SSO.

@mattbaumann1

I was able to get the logout working after setting the SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE to the return URL.


jtl3d commented Oct 5, 2022

@mattbaumann1 I am running into this and I have SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE set to the correct URL, which appears when I view the metadata in the SimpleSAMLphp web interface. When I use its web interface to log out, I am not getting any hits on the SLO endpoint for my SP. Is that how you tested logging out? How did you get it to work, if so? Thanks!


mattbaumann1 commented Oct 5, 2022

@jtl3d in all honesty, I don't think we ever got this fully running. While working on this some other more pressing issues came up with the software and I focussed on putting out those fires. I was thinking about returning to it since I was now more confident in the problem, but then I transferred jobs. If you do find an answer for your issues please return here to let us know. I might need to return to this same issue in my new position in the next year or two.


wesuuu commented Oct 18, 2022

In case anyone else runs into this issue, I was able to get around it by setting SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE to the login page of my test site (e.g. localhost:8000/).

My understanding is that after you redirect to http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php in your SP, the test-saml-idp container redirects to the url set by SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE


jtl3d commented Oct 19, 2022

I think I got it working by adding an additional SP, logging in via the example_user_pass source and initiating a logout request from the new SP. I think it then calls the SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE with a logout request from the IdP.

In order to add new SPs, I had to map a volume like so:

-v /path/to/directory/sps.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php

It looks like this by default:

<?php
/**
 * SAML 2.0 remote SP metadata for SimpleSAMLphp.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
 */

$metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(
    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
);

So I added an additional one with a different entityID.
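The SP side of the exchange the thread is about (the IdP redirects a samlp:LogoutRequest to the SP's SingleLogoutService, and the SP answers with a samlp:LogoutResponse at the IdP's SLS, which is the path jtl3d's two-SP setup exercises), as an added example that is not code from this issue, from test-saml-idp or from SimpleSAMLphp. The SP entityID and SLS URL are taken from the docker-compose excerpt above and the IdP SLS URL from wesuuu's comment; the IdP entityID, the request ID, NameID and SessionIndex are assumptions, and the LogoutRequest is constructed here as a stand-in for what the IdP would send. It uses the HTTP-Redirect binding encoding (raw DEFLATE then base64 in the query string) and checks Issuer, Destination and NotOnOrAfter before honouring the request; it does not verify the binding's SigAlg/Signature parameters, which a real SP must do.

```python
"""SP-side handling of an IdP-initiated SAML 2.0 LogoutRequest over the
HTTP-Redirect binding. Added example; not code from the issue, from
test-saml-idp or from SimpleSAMLphp."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# SP values as in the docker-compose excerpt from the issue.
SP_ENTITY_ID = "http://localhost:3449/saml/metadata"
SP_SLS_URL = "http://localhost:3449/saml/logout"
# IdP SLS URL as quoted in the thread; the IdP entityID is an assumption
# (SimpleSAMLphp's usual metadata.php path), adjust it to your IdP.
IDP_SLS_URL = "http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php"
IDP_ENTITY_ID = "http://localhost:8080/simplesaml/saml2/idp/metadata.php"
TS = "%Y-%m-%dT%H:%M:%SZ"


def encode_redirect(xml_bytes: bytes) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def decode_redirect(value: str) -> bytes:
    return zlib.decompress(base64.b64decode(value), -15)


def parse_logout_request(url: str, now=None) -> dict:
    """Decode and sanity-check the LogoutRequest the IdP redirected to our SLS.

    Signature verification (SigAlg/Signature query params) is deliberately left
    out of this example; without it anyone who knows a NameID can log it out.
    """
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(decode_redirect(qs["SAMLRequest"][0]))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer %r" % issuer)
    if root.get("Destination") != SP_SLS_URL:
        raise ValueError("Destination is not our SingleLogoutService URL")
    not_after = root.get("NotOnOrAfter")
    if not_after:
        now = now or datetime.now(timezone.utc)
        if now >= datetime.strptime(not_after, TS).replace(tzinfo=timezone.utc):
            raise ValueError("LogoutRequest has expired")
    return {
        "id": root.get("ID"),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def build_logout_response(req: dict) -> str:
    """Redirect URL carrying the SP's LogoutResponse back to the IdP's SLS."""
    xml = (
        f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TS)}" '
        f'Destination="{IDP_SLS_URL}" InResponseTo="{req["id"]}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>'
    )
    params = {"SAMLResponse": encode_redirect(xml.encode())}
    if req["relay_state"]:
        params["RelayState"] = req["relay_state"]  # echoed back unchanged, per the binding
    return IDP_SLS_URL + "?" + urlencode(params)


def make_idp_logout_request_url(name_id, session_index, request_id="_req1",
                                issuer=IDP_ENTITY_ID, relay_state="demo") -> str:
    """Constructed stand-in for the LogoutRequest the IdP would redirect to the SP."""
    now = datetime.now(timezone.utc)
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(TS)}" '
        f'Destination="{SP_SLS_URL}" NotOnOrAfter="{(now + timedelta(minutes=5)).strftime(TS)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>"
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>"
    )
    query = {"SAMLRequest": encode_redirect(xml.encode()), "RelayState": relay_state}
    return SP_SLS_URL + "?" + urlencode(query)


def demo() -> dict:
    """Full round trip: IdP LogoutRequest -> SP checks -> SP LogoutResponse."""
    req = parse_logout_request(make_idp_logout_request_url("alice", "sess-42"))
    resp_url = build_logout_response(req)
    rq = parse_qs(urlparse(resp_url).query)
    resp = ET.fromstring(decode_redirect(rq["SAMLResponse"][0]))
    return {"request": req, "in_response_to": resp.get("InResponseTo"),
            "response_relay_state": rq["RelayState"][0],
            "response_target": resp_url.split("?")[0]}


def is_rejected(url: str) -> bool:
    """True when the SP refuses the request (wrong Issuer, Destination, expiry)."""
    try:
        parse_logout_request(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
    print("rogue issuer rejected:",
          is_rejected(make_idp_logout_request_url("alice", "s", issuer="https://evil.example")))
```

If /saml/logout never sees a request with a SAMLRequest parameter shaped like this, the IdP is not performing SP-initiated or IdP-initiated SLO towards that entityID, which is the symptom the thread describes; if it does arrive, the parse step above is where a Destination or Issuer mismatch (for instance a hostname that differs from the one in the metadata) would surface.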
