codegreencreative/laravel-samlidp

Logout issue with two Service Providers

Closed this issue · 12 comments

So I have one Laravel site acting as IdP, and two other Laravel sites as Service Providers (using the laravel-saml2 package). Here are the related snippets in the samlidp.php file:

'sp' => [
    'aHR0cHM6Lyblablablabla' => [
        'destination' => 'https://sp1.test/saml2/idp/acs',
        'logout' => 'https://sp1.test/saml2/idp/sls',
    ],
    'aHR0cHM6Ly90ZXN0Lnblablabla' => [
        'destination' => 'https://sp2.test/saml2/idp/acs',
        'logout' => 'https://sp2.test/saml2/idp/sls',
    ]
],
'sp_slo_redirects' => [
    'https://sp1.test' => 'https://sp1.test',
    'https://sp2.test' => 'https://sp2.test'
],

When I tried to log out on the SP1 site, the logout URL in the browser appeared to be 'https://sp2.test/saml2/idp/sls' instead of the correct one for SP1 that I have in the config. With this wrong URL I got a 404 error. I tried to clear cache/config on each site several times; the problem persists unless I keep only SP1 in the samlidp.php file. But in reality, I want to use the same IdP for several applications/sites. Any ideas about what might be going wrong? Thanks!

I can't tell for sure, but it looks like both of your SP hashes are the same.

I used the php artisan samlidp:sp command to generate the SPs for the config. Is it because both ACS URLs are very similar?

@sprklinginfo yes, that is possible.

Any suggestion on how to fix the problem? Though the /saml2/idp/sls part is the same on each SP, the domain for each SP is different. I also used a base64 encode/decode tool to double-check the hash for each SP; they look correct. I also added another site to the SP array; it never gives me the correct SP, always throwing me to one of the other two incorrect ones.

@sprklinginfo - can you show the whole hash? When I do it, I get these:
aHR0cHM6Ly9zcDEudGVzdC9zYW1sMi9pZHAvYWNz
aHR0cHM6Ly9zcDIudGVzdC9zYW1sMi9pZHAvYWNz
The only difference is the E becomes an I in the 15th position


Well, here are my actual settings:

'sp' => [
    'aHR0cHM6Ly9pbmZ5b20tZGVtby50ZXN0L2RvY3NpZ24vYWNz' => [
        'destination' => 'https://infyom-demo.test/docsign/acs',
        'logout' => 'https://infyom-demo.test/docsign/sls',
    ],
    'aHR0cHM6Ly90YXh3b3JrMi50ZXN0L2RvY3NpZ24vYWNz' => [
        'destination' => 'https://taxwork2.test/docsign/acs',
        'logout' => 'https://taxwork2.test/docsign/sls',
    ],
],
'sp_slo_redirects' => [
    'https://infyom-demo.test' => 'https://infyom-demo.test',
    'https://taxwork2.test' => 'https://taxwork2.test',
]

When I log out on taxwork2.test, it always redirects me to infyom-demo.test instead. 'docsign' is my IdP name, and I didn't use {routesPrefix} of the 'laravel-saml2' package.
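An added check, not code from the package or from anyone in this thread: the SP keys that samlidp:sp produced here are plain base64 of each ACS URL (as the two hashes above show), so a samlidp.php 'sp' array can be verified offline before suspecting the SLO flow. It assumes the IdP selects an SP by that base64 key; check_sp_config and logout_url_for are constructed helpers, and the dicts mirror the settings posted just above.

```python
import base64
from urllib.parse import urlparse

# Constructed copy of the sp and sp_slo_redirects arrays posted in this
# thread, as Python dicts so the check runs stand-alone.
SP_CONFIG = {
    "aHR0cHM6Ly9pbmZ5b20tZGVtby50ZXN0L2RvY3NpZ24vYWNz": {
        "destination": "https://infyom-demo.test/docsign/acs",
        "logout": "https://infyom-demo.test/docsign/sls",
    },
    "aHR0cHM6Ly90YXh3b3JrMi50ZXN0L2RvY3NpZ24vYWNz": {
        "destination": "https://taxwork2.test/docsign/acs",
        "logout": "https://taxwork2.test/docsign/sls",
    },
}
SP_SLO_REDIRECTS = {
    "https://infyom-demo.test": "https://infyom-demo.test",
    "https://taxwork2.test": "https://taxwork2.test",
}

def sp_key(acs_url: str) -> str:
    """SP array key as built in this thread: plain base64 of the ACS URL,
    so two SPs can only share a key if their ACS URLs are identical."""
    return base64.b64encode(acs_url.encode("utf-8")).decode("ascii")

def origin(url: str) -> str:
    """scheme://host[:port], the form used as an sp_slo_redirects key."""
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"

def check_sp_config(sp: dict, slo_redirects: dict) -> list:
    """Findings: key not matching its destination, logout URL on another
    host than the ACS, or SP with no SLO redirect. Empty means consistent."""
    findings = []
    for key, entry in sp.items():
        if key != sp_key(entry["destination"]):
            findings.append(f"{key}: key is not base64 of {entry['destination']}")
        acs_origin = origin(entry["destination"])
        if origin(entry["logout"]) != acs_origin:
            findings.append(f"{key}: logout URL is not on {acs_origin}")
        if acs_origin not in slo_redirects:
            findings.append(f"{key}: no sp_slo_redirects entry for {acs_origin}")
    return findings

def logout_url_for(sp: dict, acs_url: str):
    """SLS URL the IdP should hit for the SP with this ACS URL (assumed lookup
    by base64 key); None if the SP is not configured."""
    entry = sp.get(sp_key(acs_url))
    return entry["logout"] if entry else None
```

Running check_sp_config on the posted settings returns no findings, so with these keys a lookup by the taxwork2 ACS URL yields its own sls URL, which narrows the reported misrouting to the logout flow rather than the key generation.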

@sprklinginfo the way SLO works is when logout is initiated, the IdP "hits" the logout routes for each SP. For some reason on infyom-demo.test it is not redirecting back to the IdP. It is difficult to say why with just your config settings.

@upwebdesign, yes, I understand that 'the IdP "hits" the logout routes for each SP', but I think the issue now is that when I am on taxwork2.test, the IdP is supposed to find out from the config that the logout route for this SP is https://taxwork2.test/docsign/sls, and hit that logout route. But the fact now is that the IdP thinks the logout route for taxwork2 is https://infyom-demo.test/docsign/sls, which is incorrect.

@upwebdesign, in addition to the logout issues I have on my SP sites, I am having a logout issue on the IdP site too. The IdP site (Laravel 7) is an existing application using Laravel UI for user authentication (default web guard). Users can log in/log out to perform some services. I use laravel-samlidp to extend this site to provide the IdP service to other sites (like taxwork2). On the IdP site, I can log in without any issues. But when I log out, saml/logout is also called, as the package has a listener for the logout event ('guards' => ['web'] in samlidp.php), and then it tries to hit the SP's sls. Is there any way I can prevent saml/logout from being triggered when the logout comes from native users on the IdP site? Currently, when I log out on the IdP site, the logout is interrupted and hangs there; in the developer console it shows errors:

Access to XMLHttpRequest at 'https://taxwork2.test/docsign/sls?idp=https%3A%2F%2Fedoc.test&SAMLRequest=nVLNa8IwFL%2F7V5SAR81HW9uGtiKIILgdtrHDLpI2qStrE5eXbv75i52O7eJhkNN7v09e8uWp74IPZaE1ukB0TtCynOQ7czCDe1DvgwIXeIiGAg1WcyOgBa5Fr4C7mj%2Bu7naczQk%2FWuNMbToUbNcF2qsmDpNMhhHLCGFpRquskYSFhEU1TbOK1rSqq0SlCQqer%2BZex9MBBrXV4IR2fkQYmxE6Y8kTTXgc8jB%2BQcHah2q1cCPr1bkjcIydOH0a%2B8bmzm%2BxNDW0B42hg2Urj8WImoarKdv4p%2Fx6xKEyB9F3fHS130X5eXK7rQBQ9myPyqv9jyQ%2B03GvnJDCiRz%2F0r%2BY3Xu97fofZsHG2F642%2FDzpJWzZoRyZ4WGVmnfdB8vqL%2BLVBkTSmaxpKpasKiK6zRKyYJJQmuRNTFj6SX1d9Ayx3%2B%2BQzn5Ag%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=1BVhI9Po8prUSY4pekTfjCBMBEycBe3wWLkhKDKQpSgJ3SGX1leCzK6vD%2BCuweOKNN9Nuvl1bvX1iCgTETDp%2FzT%2B0RUtpFUWwddrp%2BH2DX7d9OPBKqbo7EgDokDLzXb%2BseRhFViAzdbK1M6iY7OMO7But8dMhrNr2%2Bcpe0BcFL%2FBeiSx5O2Ab2qrO6ym%2BOtjcqgsw%2BB55HmDi9km%2B2ui%2BMK4RNTsPNRMfOw3Ttf4JbpveR1SSS0tqhHtVQMUDqLYmG5qBUV9piY0CLo8jxJ7f0vnFTOVcfZCaNXfcVGWvmcaMarhVOS52NGVj%2FhArtrUWCu%2FYQkKHR3KgsI3ADuuqA%3D%3D' (redirected from 'https://edoc.test/logout') from origin 'https://edoc.test' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

https://edoc.test/ is my IdP's domain.

@sprklinginfo you do have the option to override the default SamlLogout listener and write your own. The LogoutController, however, is what loops through your SPs to get your SLO URLs. Sorry I cannot be more helpful with what you are describing. There are many ways to use this package and SAML is quite finicky, and unless I were fully involved with your projects, it is difficult to debug such issues.

@sprklinginfo Hi, I got the same "Access-Control-Allow-Origin" issue as you. May I ask if you have fixed this issue already?

@TomTangXD, unfortunately, no. But it is not consistent. On the IdP site, sometimes I am logged out as expected, sometimes it redirects me to the SP site.