This repository has been archived by the owner on May 17, 2021. It is now read-only.

Logout function not working #10

Open
parakrama opened this issue May 14, 2016 · 6 comments

Comments

@parakrama

Hi

SSO works perfectly fine, but when a user tries to sign out from Redmine, it does not work.

saml.rb file:

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redminesso.ihk.com/auth/saml/callback", # The redmine application hostname
    :issuer                         => "https://redminesso.ihk.com",                 # The issuer name
    :idp_sso_target_url             => "https://172.16.2.14:9443/samlsso", # SSO login endpoint
    :idp_cert_fingerprint           => "6B F8 E1 36 EB 36 D4 A5 6E A0 5C 7A E4 B9 A4 5B 63 BF 97 5D", # SSO ssl certificate fingerprint
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :signout_url                    => "https://172.16.2.14:9443/samlsso",
    :idp_slo_target_url             => "https://172.16.2.14:9443/samlsso",
    :name_identifier_value          => "mail", # Which redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
       :login      => 'http://wso2.org/claims/emailaddress',
       :firstname  => 'http://wso2.org/claims/givenname',
       :lastname   => 'http://wso2.org/claims/lastname',
       :mail       => 'http://wso2.org/claims/emailaddress'
    }

}

  config.on_login do |omniauth_hash, user|
    # Implement any hook you want here
  end
end

The authentication SAML response properly has the SessionIndex value:

 </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-05-14T13:37:03.639Z"
                          NotOnOrAfter="2016-05-14T13:42:03.639Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://redminesso.ihk.com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2016-05-14T13:37:03.641Z"
                              SessionIndex="2fffb2d6-38b9-453a-ac73-e99a4bb06487"
                              >
            <saml2:AuthnContext>

But when generating the logout request, the SAML LogoutRequest does not have the SessionIndex value:

<samlp:LogoutRequest Destination="https://172.16.2.14:9443/samlsso"
                     ID="_eb506f40-fc06-0133-8f7c-0050569a3be9"
                     IssueInstant="2016-05-14T13:37:26Z"
                     Version="2.0"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     >
    <saml:Issuer>https://redminesso.ihk.com</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mail</saml:NameID>
</samlp:LogoutRequest>

And on the IdP side it prints the following log:

TID: [-1234] [] [2016-05-14 19:07:26,101] ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitLogoutRequestProcessor} -  Session Index validation for Logout Request failed. Received: [null]. Expected: [2fffb2d6-38b9-453a-ac73-e99a4bb06487]

Can you please advise regarding this? Is it due to the configuration of saml.rb, or is it due to a bug?

@parakrama
Author

parakrama commented May 16, 2016

Hi,
And one more thing:

In the logout request it needs to send the user's mail address in the field

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mail</saml:NameID>

instead of "mail".

Is there any reason for that ?

Thank You

@chrodriguez
Owner

I know, but there are some issues in the gem dependencies to be solved. I'll check them. Thanks for your help!

@rozmarbeka

rozmarbeka commented Oct 28, 2016

I configured the logout URLs, but if I click on the logout link an AuthnRequest is sent to the SSO.

<samlp:AuthnRequest 
    AssertionConsumerServiceURL='http://issues.bud01.atlasoft.lan' 
    Destination='http://auth.bud01.atlasoft.lan/simplesaml/saml2/idp/SSOService.php' 
    ID='_11fac030-7f56-0134-5ce0-126d35dbd279' 
    IssueInstant='2016-10-28T16:04:03Z' 
    Version='2.0' 
    xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' 
    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
    <saml:Issuer>http://issues.bud01.atlasoft.lan</saml:Issuer>
    <samlp:NameIDPolicy 
        AllowCreate='true' 
        Format='urn:oasis:names:tc:SAML:2.0:nameid-format:email'/>
</samlp:AuthnRequest>

Did you have a similar issue, or have any idea why?

@triplem

triplem commented Jan 1, 2017

I do have the same issue. I would accept a dirty workaround in which this field is always filled with the mail field. Is this possible?

@pitbulk

pitbulk commented Jan 26, 2017

Hi @chrodriguez, if there is any issue related to ruby-saml, please let me know.

In order to execute a Single Logout Request with NameID and SessionIndex, all you need to do is to save in the session at the Assertion Consumer Service endpoint the SessionIndex, NameId value and NameIdFormat.

You can retrieve them using:

Later when you are generating a LogoutRequest, you need to pass those stored values to the constructor by the settings object:

So in the sp_logout_request method, after getting a copy of the omniauth_saml_settings at settings, update that object with the values previously mentioned with the values stored on the session.
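
The flow described in this comment (store SessionIndex, NameID value and NameID format at the ACS, then echo them in the LogoutRequest), as an added stand-alone example that is not the plugin's or ruby-saml's own code: it uses Ruby's bundled REXML instead of ruby-saml, and the Response body, the session hash keys and the issuer/destination URLs are constructed for illustration. The last function mirrors the IdP-side check behind the WSO2 log line quoted earlier, so the original request (no SessionIndex, literal "mail" as NameID) is rejected and the rebuilt one passes.

```ruby
require 'rexml/document'
require 'securerandom'

SAML2_ASSERTION = 'urn:oasis:names:tc:SAML:2.0:assertion'
SAML2_PROTOCOL  = 'urn:oasis:names:tc:SAML:2.0:protocol'

# Constructed minimal Response, modelled on the fragment quoted above (not a real capture).
SAMPLE_RESPONSE = <<~XML
  <saml2p:Response xmlns:saml2p="#{SAML2_PROTOCOL}" xmlns:saml2="#{SAML2_ASSERTION}">
    <saml2:Assertion>
      <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
      </saml2:Subject>
      <saml2:AuthnStatement AuthnInstant="2016-05-14T13:37:03.641Z"
                            SessionIndex="2fffb2d6-38b9-453a-ac73-e99a4bb06487"/>
    </saml2:Assertion>
  </saml2p:Response>
XML

# ACS side (login callback): keep the three values the later LogoutRequest must echo.
def store_slo_state(response_xml, session)
  doc     = REXML::Document.new(response_xml)
  name_id = REXML::XPath.first(doc, '//saml2:Subject/saml2:NameID', 'saml2' => SAML2_ASSERTION)
  authn   = REXML::XPath.first(doc, '//saml2:AuthnStatement', 'saml2' => SAML2_ASSERTION)
  session[:saml_name_id]        = name_id.text
  session[:saml_name_id_format] = name_id.attributes['Format']
  session[:saml_session_index]  = authn.attributes['SessionIndex']
  session
end

# SP logout side: build the LogoutRequest from the stored values, never from a field name.
def build_logout_request(session, issuer, destination)
  raise ArgumentError, 'no SessionIndex in session' unless session[:saml_session_index]
  doc = REXML::Document.new
  req = doc.add_element('samlp:LogoutRequest', 'xmlns:samlp' => SAML2_PROTOCOL,
                        'xmlns:saml' => SAML2_ASSERTION, 'ID' => "_#{SecureRandom.uuid}",
                        'Version' => '2.0', 'Destination' => destination,
                        'IssueInstant' => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'))
  req.add_element('saml:Issuer').text = issuer
  req.add_element('saml:NameID', 'Format' => session[:saml_name_id_format]).text = session[:saml_name_id]
  req.add_element('samlp:SessionIndex').text = session[:saml_session_index]
  doc.to_s
end

# IdP side, the check behind the WSO2 log line above: SessionIndex must match the login's.
def session_index_valid?(logout_request_xml, expected_index)
  doc = REXML::Document.new(logout_request_xml)
  el  = REXML::XPath.first(doc, '//samlp:SessionIndex', 'samlp' => SAML2_PROTOCOL)
  !el.nil? && el.text == expected_index
end
```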

@chrodriguez
Owner

I'm really busy at the moment... Can you contribute to the plugin by writing the necessary code and creating a pull request?
