SAML is creating error for local user log out

Hi,
I have combined users from LDAP and local forum users… When a local forum user logs out, he receives the following error.

Sorry, moving this into support; we are going to need a lot more information here.


Can you check if you have

DISCOURSE_SAML_LOG_AUTH: true
DISCOURSE_SAML_DEBUG_AUTH: true

and see what is going on in /logs?

Hi,
I also can't log in via SAML, but that is on another thread… but local users experience logout with an error :smiley: … In the previous forum installation SAML was working, and LDAP and SAML are OK as other services run smoothly. So I guess I might be missing something in the settings.

There is also an error: SiteSetting.enable_personal_messages … and that is all that is in the logs. It's freshly reinstalled…

I've now also ticked log_auth and did a few logins in and out, and I've got the following error:


Message (5 copies reported)

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The status code of the Response was not Success

Backtrace

/var/www/discourse/vendor/bundle/ruby/3.1.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:163:in `log'
/var/www/discourse/vendor/bundle/ruby/3.1.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:486:in `fail!'
/var/www/discourse/plugins/discourse-saml/gems/3.1.3/gems/omniauth-saml-1.9.0/lib/omniauth/strategies/saml.rb:56:in `rescue in callback_phase'
/var/www/discourse/plugins/discourse-saml/gems/3.1.3/gems/omniauth-saml-1.9.0/lib/omniauth/strategies/saml.rb:42:in `callback_phase'
/var/www/discourse/plugins/discourse-saml/lib/discourse_saml/saml_omniauth_strategy.rb:35:in `callback_phase'
/var/www/discourse/vendor/bundle/ruby/3.1.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:238:in `callback_call'
/var/www/discourse/vendor/bundle/ruby/3.1.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:189:in `call!'
/var/www/discourse/vendor/bundle/ruby/3.1.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
/var/www/discourse/vendor/bundle/ruby/3.1.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:192:in `call!'
/var/www/discourse/vendor/bundle/ruby/3.1.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'

Even if I log in as a local user, SAML wants to log out the local user; since it can't find the user in LDAP, I get an error.

Hi, I've got SAML working; it logs users in and out, but it also wants to log out a user who isn't logged in with SAML, producing an error page upon the user's logout.

Hi,
as users are combined… people from the team log in with SAML and others log in locally to the forum. When people log in without SAML, upon logout they receive an error, and I get the following in the logs upon local user logout.

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The status code of the Response was not Success 
omniauth-1.9.2/lib/omniauth/strategy.rb:163:in `log'
omniauth-1.9.2/lib/omniauth/strategy.rb:486:in `fail!'
/var/www/discourse/plugins/discourse-saml/gems/3.2.2/gems/omniauth-saml-1.9.0/lib/omniauth/strategies/saml.rb:56:in `rescue in callback_phase'
/var/www/discourse/plugins/discourse-saml/gems/3.2.2/gems/omniauth-saml-1.9.0/lib/omniauth/strategies/saml.rb:42:in `callback_phase'
/var/www/discourse/plugins/discourse-saml/lib/discourse_saml/saml_omniauth_strategy.rb:35:in `callback_phase'
omniauth-1.9.2/lib/omniauth/strategy.rb:238:in `callback_call'
omniauth-1.9.2/lib/omniauth/strategy.rb:189:in `call!'
omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
omniauth-1.9.2/lib/omniauth/strategy.rb:192:in `call!'
omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
omniauth-1.9.2/lib/omniauth/strategy.rb:192:in `call!'
omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
omniauth-1.9.2/lib/omniauth/strategy.rb:192:in `call!'
omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
omniauth-1.9.2/lib/omniauth/strategy.rb:192:in `call!'
omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
omniauth-1.9.2/lib/omniauth/strategy.rb:192:in `call!'
omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
omniauth-1.9.2/lib/omniauth/builder.rb:45:in `call'
/var/www/discourse/lib/middleware/omniauth_bypass_middleware.rb:53:in `call'
rack-2.2.7/lib/rack/tempfile_reaper.rb:15:in `call'
rack-2.2.7/lib/rack/conditional_get.rb:27:in `call'
rack-2.2.7/lib/rack/head.rb:12:in `call'
actionpack-7.0.4.3/lib/action_dispatch/http/permissions_policy.rb:38:in `call'
/var/www/discourse/lib/content_security_policy/middleware.rb:12:in `call'
/var/www/discourse/lib/middleware/anonymous_cache.rb:367:in `call'
rack-2.2.7/lib/rack/session/abstract/id.rb:266:in `context'
rack-2.2.7/lib/rack/session/abstract/id.rb:260:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/cookies.rb:704:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport-7.0.4.3/lib/active_support/callbacks.rb:99:in `run_callbacks'
actionpack-7.0.4.3/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/show_exceptions.rb:26:in `call'
logster-2.12.2/lib/logster/middleware/reporter.rb:43:in `call'
railties-7.0.4.3/lib/rails/rack/logger.rb:40:in `call_app'
railties-7.0.4.3/lib/rails/rack/logger.rb:27:in `call'
/var/www/discourse/config/initializers/100-quiet_logger.rb:20:in `call'
/var/www/discourse/config/initializers/100-silence_logger.rb:29:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/request_id.rb:26:in `call'
/var/www/discourse/lib/middleware/enforce_hostname.rb:24:in `call'
rack-2.2.7/lib/rack/method_override.rb:24:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/executor.rb:14:in `call'
rack-2.2.7/lib/rack/sendfile.rb:110:in `call'
actionpack-7.0.4.3/lib/action_dispatch/middleware/host_authorization.rb:131:in `call'
rack-mini-profiler-3.1.0/lib/mini_profiler.rb:413:in `call'
message_bus-4.3.2/lib/message_bus/rack/middleware.rb:60:in `call'
/var/www/discourse/lib/middleware/request_tracker.rb:228:in `call'
railties-7.0.4.3/lib/rails/engine.rb:530:in `call'
railties-7.0.4.3/lib/rails/railtie.rb:226:in `public_send'
railties-7.0.4.3/lib/rails/railtie.rb:226:in `method_missing'
rack-2.2.7/lib/rack/urlmap.rb:74:in `block in call'
rack-2.2.7/lib/rack/urlmap.rb:58:in `each'
rack-2.2.7/lib/rack/urlmap.rb:58:in `call'
unicorn-6.1.0/lib/unicorn/http_server.rb:634:in `process_client'
unicorn-6.1.0/lib/unicorn/http_server.rb:739:in `worker_loop'
unicorn-6.1.0/lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
unicorn-6.1.0/lib/unicorn/http_server.rb:143:in `start'
unicorn-6.1.0/bin/unicorn:128:in `<top (required)>'
/var/www/discourse/vendor/bundle/ruby/3.2.0/bin/unicorn:25:in `load'
/var/www/discourse/vendor/bundle/ruby/3.2.0/bin/unicorn:25:in `<main>'

The following screen welcomes a local user that logged out.

We came across something similar on a forum where SAML was in use previously and was now disabled. However, the saml_slo_target_url was still configured and Discourse kept using it.

So the fix should be that that is only being used when the SAML plugin is enabled AND the user has originally logged in with SAML.
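
The gating proposed in the reply above, written out as an added Ruby example (this is not code from Discourse or the discourse-saml plugin). Only `saml_slo_target_url` is a name from the thread; `saml_enabled`, `authenticated_with`, `LogoutRouter` and the https check on the SLO target are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical settings container. saml_slo_target_url is the setting named
# in the thread; saml_enabled is an assumed flag for "plugin is enabled".
Settings = Struct.new(:saml_enabled, :saml_slo_target_url, keyword_init: true)

class LogoutRouter
  LOCAL_LOGOUT_PATH = "/" # assumed landing page after a local logout

  def initialize(settings)
    @settings = settings
  end

  # At login: remember which authenticator created this session.
  def record_login(session, provider)
    session[:authenticated_with] = provider.to_s
    session
  end

  # At logout: return the URL the browser is sent to. IdP single logout is
  # used only when (1) SAML is enabled, (2) this session came from a SAML
  # login, and (3) the configured SLO target parses as an https URL.
  def logout_redirect(session)
    provider = session.delete(:authenticated_with)
    return LOCAL_LOGOUT_PATH unless @settings.saml_enabled
    return LOCAL_LOGOUT_PATH unless provider == "saml"
    slo_url || LOCAL_LOGOUT_PATH
  end

  private

  # A stale, empty or malformed value never becomes a redirect target.
  def slo_url
    uri = URI.parse(@settings.saml_slo_target_url.to_s)
    uri.is_a?(URI::HTTPS) && uri.host ? uri.to_s : nil
  rescue URI::InvalidURIError
    nil
  end
end

if __FILE__ == $0
  # Constructed sample values, not taken from the thread.
  cfg = Settings.new(saml_enabled: true,
                     saml_slo_target_url: "https://idp.example.test/slo")
  router = LogoutRouter.new(cfg)
  puts router.logout_redirect(router.record_login({}, :local))
  puts router.logout_redirect(router.record_login({}, :saml))
end
```

With this gate a local user's logout never reaches the IdP, so the `invalid_ticket` callback failure from the logs above is not triggered for them, and a leftover `saml_slo_target_url` is ignored once SAML is disabled.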