Hi @aytacbalci,
It’s hard to say what the error might be without having access to the environment. Is this a Pantheon site? If so, please submit a support ticket and we’d be happy to debug.
Thread Starter
Tachi
(@aytacbalci)
Well, I got a debug log from the IdP. Could not make much sense out of it. I also do not know what to comment out to prevent sharing sensitive information. But here is an excerpt from what I’ve got mailed.
[2018-06-14 12:22:44] DEBUG OAServlet.service() -> Processing: profiles request
[2018-06-14 12:22:44] DEBUG SingleLogout.processSAMLRequest() -> Binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
[2018-06-14 12:22:44] DEBUG SingleLogout.logXML() -> <?xml version="1.0" encoding="UTF-8"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://idp.domain.com/openaselect/profiles/saml2/sso/logout" ID="_6b3aba31af09bf2843fa7cef167e920b8931c73e39" IssueInstant="2018-06-14T10:22:44Z" Version="2.0">
<saml:Issuer>https://my.domain.com/simplesaml/module.php/saml/sp/metadata.php/sp_name</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="idp.domain.com">qxPNWW2KlYW2LYIq</saml:NameID>
<samlp:SessionIndex>_-bglsZgoubUM6mV2CEhv7n06Ia_...(shortened)...bDnBDrse6U85aEgsUreG400wuWw</samlp:SessionIndex>
</samlp:LogoutRequest>
[2018-06-14 12:22:44] DEBUG SingleLogout.processSAMLRequest() -> LogoutRequest MUST be signed if the HTTP POST or Redirect binding is used
[2018-06-14 12:22:44] DEBUG SingleLogout.processSAMLRequest() -> Security error
com.alfaariss.oa.util.saml2.SAML2SecurityException: REQUEST_INVALID
at com.alfaariss.oa.profile.saml2.profile.sso.SingleLogout.processSAMLRequest(Unknown Source)
at com.alfaariss.oa.profile.saml2.profile.sso.SingleLogout.process(Unknown Source)
at com.alfaariss.oa.profile.saml2.SAML2Profile.service(Unknown Source)
at com.alfaariss.oa.OAServlet.service(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:724)
[2018-06-14 12:22:47] DEBUG OAServlet.service() -> Processing: profiles request
Hi @aytacbalci,
Sorry, but it’s not clear to me what the issue is at this point.
Thread Starter
Tachi
(@aytacbalci)
Hi Daniel,
The issue is that logout from WP doesn’t work flawlessly and I don’t have a Pantheon site to open a support ticket. That’s why I posted an excerpt of debug messages from my IdP hoping you could tell me what is going wrong in my setup.
At the moment when I hit logout in WP your plugin redirects me to the IdP, which returns an http 403 (forbidden) error.
My IdP suggested as a workaround to use a static page on the IdP as a redirect:
So my question would be: How would I change your plugin to use a redirect to a static page instead of a redirect to the WP login page?
Cheers, Aytac
Here’s our logout implementation:
public function action_wp_logout() {
    if ( 'internal' === self::get_option( 'connection_type' ) ) {
        $internal_config = self::get_option( 'internal_config' );
        // No IdP single logout endpoint configured: nothing to send.
        if ( empty( $internal_config['idp']['singleLogoutService']['url'] ) ) {
            return;
        }
    }
    // Start SP-initiated logout; the IdP sends the user back to the WP login page.
    $this->provider->logout( add_query_arg( 'loggedout', true, wp_login_url() ) );
}
If you continue using SimpleSAMLPhp, you’d need to figure out how to change its implementation of the logout() method. There may be a configuration variable you can use within SimpleSAMLPhp.
If you switch to the bundled OneLogin SAML implementation, you can specify an idp.singleLogoutService.url configuration parameter directly from the WordPress filter you use to configure WP SAML Auth.
Hope this helps!
Thread Starter
Tachi
(@aytacbalci)
I’ve found the solution!
I did not use the OneLogin SAML implementation. The solution had to do with the following two lines from the IdP:
[2018-06-14 12:22:44] DEBUG SingleLogout.processSAMLRequest() -> LogoutRequest MUST be signed if the HTTP POST or Redirect binding is used
[2018-06-14 12:22:44] DEBUG SingleLogout.processSAMLRequest() -> Security error
Unfortunately, the documentation at simpleSAMLphp.org is not very clear for a newbie.
In your simpleSAMLphp folder look for /config/authsources.php
and add the following line 'sign.authnrequest' => TRUE,
somewhere in the array(…); like below:
'default-sp' => array(
    'saml:SP',
    'sign.authnrequest' => TRUE,
    'entityID' => null,
    [more lines of code]
);
I hope this will also be useful for others.
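As an added diagnostic (not code from the plugin, SimpleSAMLphp or anyone in this thread), the script below decodes an HTTP-Redirect binding LogoutRequest URL and reports the same thing the IdP checked above: whether SigAlg and Signature parameters accompany the SAMLRequest. The IdP endpoint, issuer and request body are modelled on the debug log; the request ID, NameID and signature bytes are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
IDP_SLO = "https://idp.domain.com/openaselect/profiles/saml2/sso/logout"

# Constructed sample modelled on the LogoutRequest in the IdP debug log above
# (ID and NameID are placeholders, not values from a real session).
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Destination="{IDP_SLO}" '
    'ID="_placeholder-id" IssueInstant="2018-06-14T10:22:44Z" Version="2.0">'
    "<saml:Issuer>https://my.domain.com/simplesaml/module.php/saml/sp/metadata.php/sp_name</saml:Issuer>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">placeholder</saml:NameID>'
    "</samlp:LogoutRequest>"
)

def redirect_url(xml: str, signed: bool) -> str:
    """Build the HTTP-Redirect binding URL: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()}
    if signed:
        # A signing SP appends SigAlg and Signature; these bytes are a placeholder, not a real signature.
        params["SigAlg"] = RSA_SHA256
        params["Signature"] = base64.b64encode(b"placeholder-signature-bytes").decode()
    return IDP_SLO + "?" + urlencode(params)

def inspect_redirect(url: str) -> dict:
    """Decode a redirect-binding URL and report what the IdP's signature gate sees."""
    query = urlparse(url).query
    qs = parse_qs(query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    signed = "SigAlg" in qs and "Signature" in qs
    # The signature covers the URL-encoded SAMLRequest, RelayState (if any) and SigAlg
    # pairs, in that order, exactly as they appear on the wire (SAML Bindings 3.4.4.1).
    pairs = dict(p.split("=", 1) for p in query.split("&"))
    signed_data = "&".join(f"{k}={pairs[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg")
                           if k in pairs) if signed else None
    return {
        "type": root.tag.split("}")[1],          # e.g. "LogoutRequest"
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "signed": signed,
        "signed_data": signed_data,
    }

if __name__ == "__main__":
    for signed in (False, True):
        r = inspect_redirect(redirect_url(LOGOUT_REQUEST, signed))
        print("signed" if r["signed"] else "UNSIGNED (IdP rejects)", r["type"], r["issuer"])
```

Point it at the Location header your SP emits on logout; an unsigned result reproduces the REQUEST_INVALID path in the log, a signed one means the remaining step is the IdP verifying the Signature against your SP's certificate.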