saml_idp: Single Log-Out Does Not Appear to Support Multiple SPs
Single Log-Out was implemented (at least in theory) by #41 by @pkarman, but the purpose of the feature, (at least as I understand it) is that a logout command sent to the IdP results in logouts at any SPs that have been logged into during the login session. (See http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.2.SP-Initiated Single Logout with Multiple SPs|outline)
From looking at the code here though, I’m not quite sure how that’s implemented. For instance, the IdP doesn’t seem to maintain (or seek to use) a per-session list of the SPs that have been signed into, nor is there any sort of loop in the SamlIdp::IdpController. Is this support missing, or am I missing something?
If the former, could this be considered a feature request?
I understand that the README.md states:
This was originally setup by @lawrencepit to test SAML Clients. I took it closer to a real SAML IDP implementation.
… which implies this implementation isn’t feature complete. I’m frankly quite grateful that this gem exists to begin with, but is there any way the README.md could also perhaps list the ways in which this isn’t a full implementation? (It would just make it a lot easier for users to work around the incomplete features and perhaps even know exactly what to offer PRs for.)
Thanks a ton, Mike
About this issue
- State: closed
- Created 7 years ago
- Comments: 23 (15 by maintainers)
To me, the ideal case is a gem that’s active, accepting user contributions, and on rubygems (either under this name or another one).
I also note that the 18F fork is both behind and ahead of this gem, so it’s unfortunate in that there’s bound to be some duplication of work as long as the 18F fork has features not in upstream and 18F isn’t making PRs and the maintainer of this gem isn’t able to readily merge them. (Obviously this all becomes moot if 18F takes over in some fashion.)
@mvastola the functionality I added to this library was the basic request/response handling to mirror what was done in the ruby-saml gem.
login.gov uses the functionality I added in this project: https://github.com/18F/identity-idp/blob/master/app/controllers/concerns/saml_idp_logout_concern.rb
The loop you’re referring to is implemented here: https://github.com/18F/identity-idp/blob/master/app/services/single_logout_handler.rb#L38 where it keeps generating request/responses until all active “identity” records are exhausted.
HTH
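The two pieces this thread says an IdP needs for multi-SP Single Logout (a per-session list of the SPs that received assertions, and a loop that issues a LogoutRequest to each of them until none is left) can be shown in a few dozen lines of plain Ruby. The following is an added example written for this page; it is not code from the saml_idp gem or from the 18F identity-idp project. It assumes hash-shaped messages in place of the signed XML a real deployment exchanges, models each SP's SLO endpoint as a callable, and uses a constructed IdP entity ID. The status URIs are the real SAML 2.0 values: an IdP that could not confirm every SP reports PartialLogout rather than Success, and it only counts a LogoutResponse whose InResponseTo matches the request it actually sent.

```ruby
require 'securerandom'

# SAML 2.0 top-level status codes (from the core spec).
STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'
STATUS_PARTIAL = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'
IDP_ENTITY_ID  = 'https://idp.example.test/saml' # constructed value

# Per-login-session record kept by the IdP: every SP that received an
# assertion in this session, with the SessionIndex the IdP issued to it.
class IdpSession
  attr_reader :name_id, :participants

  def initialize(name_id)
    @name_id = name_id
    @participants = {} # sp_entity_id => session_index
  end

  # Call this whenever an assertion is issued to an SP, so SLO knows whom to notify.
  def record_login(sp_entity_id)
    @participants[sp_entity_id] = SecureRandom.hex(8)
  end
end

# IdP-side Single Logout driver. Each SP endpoint is a callable that takes a
# LogoutRequest hash and returns a LogoutResponse hash (assumed stand-in for
# the signed XML messages of a real deployment).
class SingleLogoutHandler
  def initialize(session, sp_endpoints)
    @session = session
    @sp_endpoints = sp_endpoints
  end

  # Handles a LogoutRequest from one SP: fans a LogoutRequest out to every
  # other SP in the session, terminates the IdP session, and returns the
  # LogoutResponse for the initiating SP. Success only if every SP confirmed;
  # otherwise PartialLogout, as the spec directs.
  def process(initiating_sp:, request_id:)
    outcomes = {}
    @session.participants.each do |sp, session_index|
      next if sp == initiating_sp # already logging out; it gets the final response instead

      request = {
        id: SecureRandom.uuid,
        issuer: IDP_ENTITY_ID,
        name_id: @session.name_id,
        session_index: session_index,
      }
      outcomes[sp] = confirmed?(sp, request)
    end
    @session.participants.clear # the IdP session ends regardless of SP outcomes

    {
      in_response_to: request_id,
      status: outcomes.values.all? ? STATUS_SUCCESS : STATUS_PARTIAL,
      sp_outcomes: outcomes,
    }
  end

  private

  # A LogoutResponse counts only if the SP answered, reported Success, and its
  # InResponseTo matches the request we sent (stray or replayed replies are ignored).
  def confirmed?(sp, request)
    endpoint = @sp_endpoints[sp]
    return false unless endpoint

    response = endpoint.call(request)
    response[:in_response_to] == request[:id] && response[:status] == STATUS_SUCCESS
  rescue StandardError
    false # unreachable SP or malformed reply: treat as not logged out
  end
end

# Constructed scenario: three SPs in one session, sp-b unreachable.
def demo_partial_logout
  session = IdpSession.new('alice@example.test')
  %w[sp-a sp-b sp-c].each { |sp| session.record_login(sp) }
  endpoints = {
    'sp-a' => ->(req) { { in_response_to: req[:id], status: STATUS_SUCCESS } },
    'sp-b' => ->(_req) { raise 'connection refused' },
    'sp-c' => ->(req) { { in_response_to: req[:id], status: STATUS_SUCCESS } },
  }
  SingleLogoutHandler.new(session, endpoints)
                     .process(initiating_sp: 'sp-a', request_id: 'req-from-sp-a')
end

# Constructed scenario: every SP confirms, so the initiator gets Success.
def demo_full_logout
  session = IdpSession.new('bob@example.test')
  %w[sp-a sp-b].each { |sp| session.record_login(sp) }
  ok = ->(req) { { in_response_to: req[:id], status: STATUS_SUCCESS } }
  SingleLogoutHandler.new(session, { 'sp-a' => ok, 'sp-b' => ok })
                     .process(initiating_sp: 'sp-b', request_id: 'req-from-sp-b')
end

puts demo_partial_logout.inspect if $PROGRAM_NAME == __FILE__
```

The design point worth keeping from this sketch is that `record_login` is the hook a controller would call at assertion time; without that per-session record there is nothing for the logout loop to iterate over, which is exactly the gap the issue describes. Clearing the IdP session before returning also means a later replay of the same LogoutRequest finds no participants and cannot trigger a second fan-out.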