Re-authentication and logout handlers #1522

cicnavi opened this issue Sep 30, 2021 · 0 comments


cicnavi commented Sep 30, 2021

Problem
I'm implementing logout for OpenID Connect (OIDC) module https://github.com/simplesamlphp/simplesamlphp-module-oidc/.

We use \SimpleSAML\Auth\Simple::login($authSourceId) for authn. During user authn, we save the association with the particular Relying Party (RP, the Service Provider (SP) counterpart in SAML) using \SimpleSAML\Session::setData(...). We also register a static logout handler function using \SimpleSAML\Session::registerLogoutHandler(...).

In the registered logout handler function we retrieve all saved RP associations and send OIDC logout requests to them so that each RP can clear its local session.

Up to now, this all works fine - whenever I call $session->doLogout($authSourceId), the registered logout handler gets called and logout requests to the RPs are successfully sent.

However, I have problems with re-authentication. For instance, an OIDC client can request authentication using the prompt=login parameter even if the user is already authenticated (similar to 'forceAuthn' in SAML).

So, when I get prompt=login, I do authentication again using \SimpleSAML\Auth\Simple::login($authSourceId). However, the problem is that in the process it comes down to \SimpleSAML\Session::doLogin($authSourceId), and in that method there is a check:

```php
if (isset($this->authData[$authority])) {
    // we are already logged in, log the user out first
    $this->doLogout($authority);
}
```

So, the logout gets called, and again, my logout handler gets called, which in turn sends logout requests to all RPs (which I don't actually want for re-authentication)...

In short, the problem is that if I try to re-authenticate (call login while the user is already authenticated), session logout is called, which in turn calls any registered session logout handlers (I didn't expect that logout would be called if I do re-authentication).

Describe the solution you'd like
I would like to implement a logout solution that would gracefully do logout and re-authentication for any protocol used (SAML, CAS, OIDC...), meaning if the user logs out of a SAML SP, it would also log him out of any OIDC RP, etc., and vice-versa.

Since the SAML logout implementation currently does not register logout handlers but handles logout separately, I would like to at least achieve that my OIDC logout handlers only get called when the 'real logout' is initiated, and not for re-authentication. It seems to me that this would be possible if the 'session cleaning' needed for re-authentication were implemented separately from the 'real logout', so that registered logout handlers would not be called for re-authentication.

This way I guess I would at least be able to achieve that if the user is logged in to a SAML SP and an OIDC RP, and he initiates logout using SAML, my logout handlers would be called and so he would be logged out of any OIDC RPs (however, if he initiates logout from OIDC, he would not be logged out from SAML SPs, since there is no SAML logout handler registration thingy...).

Describe alternatives you've considered
Since registered logout handlers get called in re-authentication scenarios (and since no arguments are passed to logout handlers for context or similar), I currently do OIDC logout, that is, send OIDC logout requests to RPs, only if the logout is initiated using the OIDC protocol, which I guess is a shame...

Additional context
Related question on ssp-user group: https://groups.google.com/g/simplesamlphp/c/-uhiVE8TaF4/m/ytCDPJc3AgAJ

OIDC login method: https://github.com/simplesamlphp/simplesamlphp-module-oidc/blob/2310ccd7c34003047199cd12632ff967bcbf53f9/lib/Services/AuthenticationService.php#L99

OIDC logout handler method: https://github.com/simplesamlphp/simplesamlphp-module-oidc/blob/2310ccd7c34003047199cd12632ff967bcbf53f9/lib/Controller/LogoutController.php#L135

Best regards and thank you for the great work on SimpleSAMLphp!
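The following is an added example, not code from SimpleSAMLphp or from the simplesamlphp-module-oidc project. It models, in a self-contained PHP script, the flow the issue describes: `doLogin()` logging the authority out first when it is already logged in, which fires the registered logout handlers with no arguments. It then shows one hypothetical workaround available to a module without changes to the library: before a `prompt=login` re-authentication, store a "re-authentication in progress" marker in session data, and have the OIDC logout handler skip the RP logout requests while the marker is set. `ModelSession`, `OidcLogoutHandler`, `oidcLogin()`, the marker type/id and the client IDs are all assumptions made for the example; `ModelSession` only imitates the parts of `\SimpleSAML\Session` that matter here and is not its real implementation.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp code. ModelSession imitates only the parts of
// \SimpleSAML\Session that matter here: per-authority authData, setData/getData,
// static no-argument logout handlers, and doLogin() logging out first when the
// authority is already logged in. The re-auth marker is a hypothetical workaround.
final class ModelSession
{
    private array $authData = [];   // per-authority auth state, incl. LogoutHandlers
    private array $data = [];       // arbitrary session data keyed by type and id

    public function setData(string $type, string $id, mixed $value): void { $this->data[$type][$id] = $value; }
    public function getData(string $type, string $id): mixed { return $this->data[$type][$id] ?? null; }
    public function deleteData(string $type, string $id): void { unset($this->data[$type][$id]); }
    public function isValid(string $authority): bool { return isset($this->authData[$authority]); }

    // Handlers are static callables invoked with no arguments, as in the real API.
    public function registerLogoutHandler(string $authority, string $class, string $method): void
    {
        $this->authData[$authority]['LogoutHandlers'][] = [$class, $method];
    }

    public function doLogin(string $authority): void
    {
        if (isset($this->authData[$authority])) {
            // The check quoted in the issue: already logged in, log the user out first.
            $this->doLogout($authority);
        }
        $this->authData[$authority] = ['AuthnInstant' => time(), 'LogoutHandlers' => []];
    }

    public function doLogout(string $authority): void
    {
        if (!isset($this->authData[$authority])) {
            return;
        }
        foreach ($this->authData[$authority]['LogoutHandlers'] as [$class, $method]) {
            call_user_func([$class, $method]);   // the handler receives no context at all
        }
        unset($this->authData[$authority]);      // handler list goes away with the auth data
    }
}

final class OidcLogoutHandler
{
    public const RP_TYPE = 'oidc';
    public const RP_ID = 'rp-associations';
    public const REAUTH_TYPE = 'oidc';
    public const REAUTH_ID = 'reauth-in-progress';   // hypothetical marker, not a library feature

    public static ?ModelSession $session = null;     // reachable statically: the handler has no args
    public static array $sentLogouts = [];           // client IDs that got a (simulated) logout request

    public static function logoutHandler(): void
    {
        $session = self::$session;
        if ($session === null) {
            return;
        }
        if ($session->getData(self::REAUTH_TYPE, self::REAUTH_ID) === true) {
            return;   // implicit logout caused by doLogin() during re-authentication: keep RP sessions
        }
        foreach ($session->getData(self::RP_TYPE, self::RP_ID) ?? [] as $clientId) {
            self::$sentLogouts[] = $clientId;        // stands in for the HTTP logout request to the RP
        }
        $session->deleteData(self::RP_TYPE, self::RP_ID);
    }
}

// Hypothetical OIDC-side login wrapper; $forceReauth corresponds to prompt=login.
function oidcLogin(ModelSession $session, string $authority, string $clientId, bool $forceReauth): void
{
    $alreadyLoggedIn = $session->isValid($authority);
    if ($alreadyLoggedIn && $forceReauth) {
        // Set the marker so the implicit logout inside doLogin() is recognised as re-authentication.
        $session->setData(OidcLogoutHandler::REAUTH_TYPE, OidcLogoutHandler::REAUTH_ID, true);
        try {
            $session->doLogin($authority);
        } finally {
            $session->deleteData(OidcLogoutHandler::REAUTH_TYPE, OidcLogoutHandler::REAUTH_ID);
        }
    } elseif (!$alreadyLoggedIn) {
        $session->doLogin($authority);
    }
    if (!$alreadyLoggedIn || $forceReauth) {
        // doLogout() dropped the handler list, so re-register after every (re)login.
        $session->registerLogoutHandler($authority, OidcLogoutHandler::class, 'logoutHandler');
    }
    $rps = $session->getData(OidcLogoutHandler::RP_TYPE, OidcLogoutHandler::RP_ID) ?? [];
    $rps[$clientId] = $clientId;
    $session->setData(OidcLogoutHandler::RP_TYPE, OidcLogoutHandler::RP_ID, $rps);
}

// Constructed scenario: two RPs log in, one of them re-authenticates with prompt=login,
// then a real logout happens.
OidcLogoutHandler::$session = $session = new ModelSession();
oidcLogin($session, 'default-sp', 'rp-one', false);
oidcLogin($session, 'default-sp', 'rp-two', false);
oidcLogin($session, 'default-sp', 'rp-one', true);
printf("after re-authentication: %d RP logout request(s) sent\n", count(OidcLogoutHandler::$sentLogouts));
$session->doLogout('default-sp');
printf("after real logout: RP logout requests sent to [%s]\n", implode(', ', OidcLogoutHandler::$sentLogouts));
```

Two caveats matter if this pattern is carried into a real deployment. The marker has to live in the session store rather than in a PHP variable, because in SimpleSAMLphp the authentication that `Simple::login()` starts spans redirects and the logout handler runs in a later request; the real `setData()` also takes a timeout argument, and the marker should be given a short one so that an abandoned re-authentication cannot leave logouts permanently suppressed. And because the handler list is part of the authority's auth data and is discarded on logout, the OIDC module must re-register its handler after every successful (re)authentication, as the wrapper above does.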
