Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Issue status:
- depends on 2863340.
- I will leave this sitting here for a while until I know how to test it well, and may just commit it later.
Contains the following:
- Remove the user_logout() call from the saml/logout page callback; only log out from Drupal after we return to the saml/sls callback. (This is what the 'droath branch' also does.)
- Store session_index / session_expiration properties upon login, and pass the session_index to the IDP's SLS callback on logout. (Ported from the 'droath branch, minus the indirection between various classes/methods. I didn't create dedicated setters/getters for these properties yet, on purpose.)
- Note that nothing is (or was, in the other branch) done with the session_expiration property, so far.
- If the SLS processing from the PMP SAML toolkit returns a URL to us, this will be used to redirect to. (I just found this in the SAML toolkit sources. I'm not 100% sure of the mechanism/specification behind it, but it seems that the SLS URL can be used to initiate logout too, and I see no harm in just adhering to that redirect.)
Comment | File | Size | Author |
---|---|---|---|
#12 | samlauth-logout_sessions-2863975-5.patch | 7.09 KB | O-khainouski |
#6 | interdiff-2863975-0-4.txt | 1.75 KB | roderik |
samlauth-logout-sessions.patch | 6.77 KB | roderik | |
Comments
Comment #2
interX CreditAttribution: interX commentedI almost created a similar patch before I noticed this issue :o Mostly identical, but it had one small difference: the NameId was also stored in the session with the sessionIndex when authed. Both were passed to the logout method.
Sadly, the IdP I currently use in a project uses POST binding for logout, so I can't fully test the entire flow.
Comment #3
DamienMcKennaComment #5
roderikIt was time to commit this, because it fixes a bug on logout - but I committed the cardinal sin of not testing the code that I changed, first.
Changed as per interdiff: what I believe are InterX' suggestions.
@InterX: just curious / in case there is something I'm not getting...
Does the IDP of that project prevent you from doing Single Logout? Or did you implement more custom code to perform a POST request?
Comment #6
roderikSo as I said: interdiff. (The full patch can be found through the commit message.)
Comment #7
roderikOops! I clearly need automated tests. Weird typo in SamlService. A fix commit was just pushed.
Comment #8
interX CreditAttribution: interX commentedThe IdP I was using was configured to do single logout via POST only. Unfortunately Onelogin doesn't or didn't support this.
This means I couldn't test your patch with that IdP to see if the logout flow was working.
Comment #9
roderikThanks for the answer. I was half doubting whether the patch you almost created (i.e. code you already created) was somehow working with SLS in a usable way.... and maybe that was worth considering adding to the module even when the library doesn't support this natively.
Since that's not the case: closing.
Comment #11
O-khainouski CreditAttribution: O-khainouski at EPAM Systems commentedI use version of module: 8.x-2.0-alpha1 released 2 March 2017 and faced the problem described in this ticket
I need patches are applied using a composer without conflicts, therefore I created a patch samlauth-logout_sessions-2863975-5.patch from
branch remotes/origin/8.x-2.x and from commits:
befaa96 2017-08-11 | Issue #2863975 by roderik, droath, interX: Fix SLS [roderik]
feb41ae 2017-08-12 | Oops: 2863975 typo! [Roderik Muit]
Comment #12
O-khainouski CreditAttribution: O-khainouski at EPAM Systems commented