Hi there,
we have the following setup:
Official Discourse 2.5.0 ([ 3f7658cc6e ]) with the discourse-saml plugin (commit 230a58b),
Keycloak (10.0.2) as Identity Provider
Our Identity Provider is set up to use the url https://discourse.our-domain.xxx/auth/saml/slo
as Logout Service POST Binding URL. Our login process works flawless. Using the logout button in discourse cancels our IdP session too.
The problem exists when using the logout functionality of the IdP. Discourse does not cancel the session. The forum receives the request, but does not seem to handle it properly. The user stays logged in and we get an error in the discourse log.
The username for the following logs is test
.
Started POST "/auth/saml/slo" for 127.0.0.1 at 2020-07-09 18:29:33 +0000
OmniAuth::Strategies::SAML::ValidationError (SAML failed to process LogoutRequest)
/var/www/discourse/plugins/discourse-saml/gems/2.6.6/gems/omniauth-saml-1.9.0/lib/omniauth/strategies/saml.rb:189:in `handle_logout_request'
The if condition leading to the exception is the following (saml.rb):
if logout_request.is_valid? &&
logout_request.name_id == session["saml_uid"]
code for debug out
STDERR.puts '*************************************************************************'
STDERR.puts 'raw_request:'
STDERR.puts raw_request
STDERR.puts '*************************************************************************'
STDERR.puts 'logout_request.is_valid?'
STDERR.puts logout_request.is_valid?
STDERR.puts '*************************************************************************'
STDERR.puts 'logout_request.name_id'
STDERR.puts logout_request.name_id
STDERR.puts '*************************************************************************'
STDERR.puts 'session[saml_uid]'
STDERR.puts session["saml_uid"]
STDERR.puts '*************************************************************************'
We added the debug output in the saml.rb (line 181) and received the following values:
*************************************************************************
raw_request:
raw request (decoded with base64)
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://discourse.test.our-domain.xxx/auth/saml/slo" ID="ID_ee6ef1f7-a269-443f-9942-1311b2c09636" IssueInstant="2020-07-09T19:20:27.882Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ima.test.our-domain.xxx/auth/realms/master</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#ID_ee6ef1f7-a269-443f-9942-1311b2c09636">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>nbeIwX97u+NNRf4KswI95oSmI2w=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>[...]</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>[...]</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>[...]</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>[...]</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test</saml:NameID>
<samlp:SessionIndex>393fc3ab-6a18-4b8e-89a5-a005fc48f7cf::36a71dc0-22a0-4b72-be02-68639bedea06</samlp:SessionIndex>
</samlp:LogoutRequest>
*************************************************************************
logout_request.is_valid?
true
*************************************************************************
logout_request.name_id
test
*************************************************************************
session[saml_uid]
*************************************************************************
Can anybody help us? It does not seem like a configuration problem to us.
Thanks in advance
Max