
SLO Not working, invalid nameId

Open bcallar opened this issue 4 years ago • 2 comments

Hi, thank you for this plugin. The SSO is working fine; I'm trying to implement SLO.

The configuration sounds correct, except I had to manually enable signing of the SLO Request in "inc/phpsaml.class.php" (line 284, 'logoutRequestSigned' => true). I think a config option could be interesting. (My IdP, Okta, requires the SLORequest signature.)

My issue is more about the build of the SLORequest, and specifically the "nameId" and "nameIdFormat".

In theory, the nameid should be the username to sign out, but every time, it is the idp_entity_id.

It is because during the SLO process (and more precisely in the sloRequest() function), self::$nameId is always unset (line 124), and the default behaviour of the "php-saml" library is to put the idp_entity_id.

This is the exact same issue with nameIdFormat.

Could you tell me why self::$nameid becomes unset, even when I log on using SSO successfully? And how to correct it?

Regards Ben

bcallar avatar Sep 02 '21 17:09 bcallar

Found a solution by adding a new hook for "init_session" (which is called during Auth).

In setup.php, in the function plugin_init_phpsaml, after the post_init hook:

// Hook for copying the SAML values (nameid, nameidformat, sessionindex) into the GLPI session
$PLUGIN_HOOKS['init_session']['phpsaml'] = 'plugin_init_session_phpsaml';

At the end of setup.php:

function plugin_init_session_phpsaml() {
   // Instantiating the class runs its init, which populates the static SAML properties
   $phpsaml = new PluginPhpsamlPhpsaml();

   // Persist the values needed to build a correct LogoutRequest later
   if (!empty($phpsaml::$nameid)) {
      $_SESSION['plugin_phpsaml_nameid'] = $phpsaml::$nameid;
   }
   if (!empty($phpsaml::$nameidformat)) {
      $_SESSION['plugin_phpsaml_nameidformat'] = $phpsaml::$nameidformat;
   }
   if (!empty($phpsaml::$sessionindex)) {
      $_SESSION['plugin_phpsaml_sessionindex'] = $phpsaml::$sessionindex;
   }
}

In phpsaml.class.php, in the function init, after self::init = true:

// Restore the SAML values saved during authentication so sloRequest() sends the real user NameID
if (!empty($_SESSION['plugin_phpsaml_nameid'])) {
   self::$nameid = $_SESSION['plugin_phpsaml_nameid'];
}
if (!empty($_SESSION['plugin_phpsaml_nameidformat'])) {
   self::$nameidformat = $_SESSION['plugin_phpsaml_nameidformat'];
}
if (!empty($_SESSION['plugin_phpsaml_sessionindex'])) {
   self::$sessionindex = $_SESSION['plugin_phpsaml_sessionindex'];
}

Now, SLO works fine.

There is another issue: when enforcement is not true, SLORequest is never called because SSO=1 is not in the URL. To solve this, I added the following to the if condition in setup.php, line 157 (including the preceding modifications): || (!empty($_SESSION['plugin_phpsaml_nameid']))

Regards Ben

bcallar avatar Sep 02 '21 19:09 bcallar
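The same fix, written as an added stand-alone example rather than code from the plugin or from the thread: the NameID, NameID format and SessionIndex are captured once after a successful SSO response and passed explicitly to the php-saml logout call, with a check that refuses to send a LogoutRequest carrying the IdP entity ID (which the IdP would never match to the user's session, leaving it alive). It assumes the OneLogin php-saml library (OneLogin\Saml2\Auth), an already-built $settings array, and SP signing material in $settings['sp']; the session key and function names are this example's own.

```php
<?php
// Added example (not the plugin's code). Requires OneLogin php-saml via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Auth;
use OneLogin\Saml2\Constants;

const SLO_SESSION_KEY = 'plugin_phpsaml_slo'; // hypothetical session key

// Step 1: call in the ACS handler right after $auth->processResponse() succeeded.
// This is the data the later LogoutRequest must carry to identify the user's IdP session.
function rememberSloIdentity(Auth $auth): void
{
    $_SESSION[SLO_SESSION_KEY] = [
        'nameid'       => $auth->getNameId(),
        'nameidformat' => $auth->getNameIdFormat(),
        'sessionindex' => $auth->getSessionIndex(),
    ];
}

// Step 2: call from the logout handler. php-saml falls back to the IdP entity ID with
// the "entity" NameID format when no NameID is given, so that case is rejected here
// instead of producing a LogoutRequest the IdP cannot act on.
function startSlo(array $settings, string $returnTo): void
{
    $slo    = $_SESSION[SLO_SESSION_KEY] ?? [];
    $nameId = $slo['nameid'] ?? null;
    $format = $slo['nameidformat'] ?? null;

    if ($nameId === null
        || $nameId === ($settings['idp']['entityId'] ?? null)
        || $format === Constants::NAMEID_ENTITY) {
        throw new RuntimeException('No user NameID stored for SLO; refusing to send a LogoutRequest');
    }

    // Signing is a setting here, not an edit of the class (needs sp x509cert + privateKey).
    $settings['security']['logoutRequestSigned'] = true;

    $auth = new Auth($settings);
    // Signature: logout($returnTo, $parameters, $nameId, $sessionIndex, $stay, $nameIdFormat)
    $auth->logout($returnTo, [], $nameId, $slo['sessionindex'] ?? null, false, $format);
}
```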

I added these changes to Version 1.2.1. Take a look and let me know if this works for your configuration.

derricksmith avatar Jul 14 '22 19:07 derricksmith