Discourse-saml: SLO does not cancel session

Hi there,

we have the following setup:
Official Discourse 2.5.0 ([ 3f7658cc6e ]) with the discourse-saml plugin (commit 230a58b),
Keycloak (10.0.2) as Identity Provider

Our Identity Provider is set up to use the URL https://discourse.our-domain.xxx/auth/saml/slo as the Logout Service POST Binding URL. Our login process works flawlessly. Using the logout button in Discourse cancels our IdP session too.

The problem exists when using the logout functionality of the IdP. Discourse does not cancel the session. The forum receives the request, but does not seem to handle it properly. The user stays logged in and we get an error in the discourse log.

The username for the following logs is test.

Started POST "/auth/saml/slo" for 127.0.0.1 at 2020-07-09 18:29:33 +0000
OmniAuth::Strategies::SAML::ValidationError (SAML failed to process LogoutRequest)
/var/www/discourse/plugins/discourse-saml/gems/2.6.6/gems/omniauth-saml-1.9.0/lib/omniauth/strategies/saml.rb:189:in `handle_logout_request'

The if condition leading to the exception is the following (saml.rb):

if logout_request.is_valid? &&
     logout_request.name_id == session["saml_uid"]
Code for the debug output:

STDERR.puts '*************************************************************************'
STDERR.puts 'raw_request:'
STDERR.puts raw_request
STDERR.puts '*************************************************************************'
STDERR.puts 'logout_request.is_valid?'
STDERR.puts logout_request.is_valid?
STDERR.puts '*************************************************************************'
STDERR.puts 'logout_request.name_id'
STDERR.puts logout_request.name_id
STDERR.puts '*************************************************************************'
STDERR.puts 'session[saml_uid]'
STDERR.puts session["saml_uid"]
STDERR.puts '*************************************************************************'

We added the debug output to saml.rb (line 181) and received the following values:

*************************************************************************
raw_request:
raw request (base64-decoded)
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://discourse.test.our-domain.xxx/auth/saml/slo" ID="ID_ee6ef1f7-a269-443f-9942-1311b2c09636" IssueInstant="2020-07-09T19:20:27.882Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ima.test.our-domain.xxx/auth/realms/master</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#ID_ee6ef1f7-a269-443f-9942-1311b2c09636">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>nbeIwX97u+NNRf4KswI95oSmI2w=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>[...]</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyName>[...]</dsig:KeyName>
      <dsig:X509Data>
        <dsig:X509Certificate>[...]</dsig:X509Certificate>
      </dsig:X509Data>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>[...]</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test</saml:NameID>
  <samlp:SessionIndex>393fc3ab-6a18-4b8e-89a5-a005fc48f7cf::36a71dc0-22a0-4b72-be02-68639bedea06</samlp:SessionIndex>
</samlp:LogoutRequest>

*************************************************************************
logout_request.is_valid?
true
*************************************************************************
logout_request.name_id
test
*************************************************************************
session[saml_uid]

*************************************************************************

Can anybody help us? It does not seem like a configuration problem to us.

Thanks in advance

Max
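To make the failing check concrete, here is an added Ruby example that is not part of this thread and not code from the discourse-saml plugin or the omniauth-saml gem. It decodes a POST-binding SAMLRequest, parses the LogoutRequest fields seen in the debug output above (Issuer, NameID, SessionIndex) with REXML, and applies the same NameID-against-session comparison the gem makes, written to fail closed when session["saml_uid"] is blank. The LogoutRequest XML, the example.test hostnames and the session index are constructed; the XML signature and the is_valid? signature check are left to the gem and are not modelled here.

```ruby
require 'base64'
require 'rexml/document'

NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion'
}.freeze

# Constructed sample shaped like the LogoutRequest in the post. The Signature
# element is omitted: verifying it is the gem's job (logout_request.is_valid?),
# not this helper's.
SAMPLE_LOGOUT_REQUEST = <<~XML
  <?xml version="1.0"?>
  <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://discourse.example.test/auth/saml/slo" ID="ID_constructed-0001" IssueInstant="2020-07-09T19:20:27.882Z" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.test/auth/realms/master</saml:Issuer>
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test</saml:NameID>
    <samlp:SessionIndex>constructed-session-index</samlp:SessionIndex>
  </samlp:LogoutRequest>
XML

# The HTTP-POST binding carries the request base64-encoded in the SAMLRequest
# form field (no DEFLATE step, unlike the HTTP-Redirect binding).
def decode_post_binding(saml_request_field)
  Base64.decode64(saml_request_field)
end

# Extract the fields an SP needs in order to act on an IdP-initiated logout.
def parse_logout_request(xml)
  root = REXML::Document.new(xml).root
  raise ArgumentError, 'not a LogoutRequest' unless root && root.name == 'LogoutRequest'
  text = ->(path) { (n = REXML::XPath.first(root, path, NS)) && n.text.to_s.strip }
  {
    id: root.attributes['ID'],
    destination: root.attributes['Destination'],
    issuer: text.call('saml:Issuer'),
    name_id: text.call('saml:NameID'),
    session_index: text.call('samlp:SessionIndex')
  }
end

# The comparison the gem makes before ending the local session: the NameID in the
# LogoutRequest must equal the NameID stored at login. Written to fail closed, so
# a blank value on either side never counts as a match and a LogoutRequest can
# only end the browser session it was actually issued for.
def logout_request_matches_session?(request, session)
  stored = session['saml_uid'].to_s
  return false if stored.empty? || request[:name_id].to_s.empty?
  request[:name_id] == stored
end

# Classify the outcome so the SP can log and react to each case separately.
def slo_decision(saml_request_field, session)
  req = parse_logout_request(decode_post_binding(saml_request_field))
  if logout_request_matches_session?(req, session)
    :terminate_session
  elsif session['saml_uid'].to_s.empty?
    :session_missing_saml_uid   # the symptom in the post: nothing stored at login
  else
    :name_id_mismatch
  end
end

if $PROGRAM_NAME == __FILE__
  encoded = Base64.strict_encode64(SAMPLE_LOGOUT_REQUEST)
  puts slo_decision(encoded, { 'saml_uid' => 'test' })  # terminate_session
  puts slo_decision(encoded, { 'saml_uid' => '' })      # session_missing_saml_uid
  puts slo_decision(encoded, { 'saml_uid' => 'other' }) # name_id_mismatch
end
```

Distinguishing the "nothing stored in the session" case from a genuine NameID mismatch is what makes the log entry useful: the first points at the login callback (the value was never written or was lost), the second at a NameID format disagreement between IdP and SP.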

We’re not handling the saml_uid session value in our plugin. It’s handled by the omniauth-saml gem itself. So I’m not sure why you have an empty value in session["saml_uid"]. You may need to report the issue to the omniauth gem.

Also, none of the customers have reported an issue with SLO yet.

1 Like

I have recognized the same thing:

  • 2 applications (Discourse and another one, let's name it X) connected to Keycloak with SAML.
  • Logout on Discourse. The user is also logged out on X and can’t do anything there.
  • Logout on X. The session on Keycloak is gone but the user stays online in Discourse.

Even a browser page reload on Discourse does not validate that the SAML auth is gone (= user is logged out).

I would expect that the user is logged out on discourse, too.
Does discourse check the saml auth on keycloak?
When will it do that?

Would it be possible to validate if the saml session is still alive? See answer above @vinothkannans