IdP-initiated SLO

[arneroen]

I'm struggling to make IdP-initiated SLO work. As per several examples, I have the following routes:

app.post('/logout/callback', function(req, res) {
        req.logout();
        res.redirect('/');
});
app.get("/logout", function(req, res) {
        if (!req.user) res.redirect("/");
        console.log("initiating logout", req.log, req.user);
        return passport._strategy("saml").logout(req, function(err, uri) {
            return res.redirect(uri);
        });
});

In addition, logoutCallbackUrl is defined as '/logout/callback'. This works fine for SP-initiated logout. Obvivously not for IdP-initiated SLO, though, as being contacted at /logout/callback will not prompt the server to reply with a logoutResponse. I've not found any examples for how to implement IdP-initiated SLO.

I've found methods in the code, that are generating the logoutResponse, which leads me to believe that IdP-initiated SLO is probably implemented. However, the beginning of the "chain of calls" to get to it is the "authenticate" functionality.

I'd greatly appreciate any help with getting this to work! Thanks!

[jonathanpdiaz]

hey @arneroen.
Have you found something else on this? I entered into the issues section to write exactly what you describe.
I'm getting the LogoutRequest from my Identity Provider (One Login), but the API of the strategy doesn't seem to handle it.
Any comment would be much appreciated.
Thanks!

[Brynjulf]

@arneroen, @jonathanpdiaz you should change your callback from a post to a get. That fixed the issue for me.

[jonathanpdiaz]

I forgot to answer my own question after I found the issue. The library works perfectly.
In my case, we implemented the Single Logout using HTTP Redirect.
What would this mean? It means that after I hit log out on any Service Provider [SP] (my app is one of them) passport-saml will generate a SAML Request XML that will log out this particular SP on the IdP and the browser will be redirected to the next SP that shares a session that needs to log out. To do this, the IdP will go to that particular SP and use the SLO endpoint.

One extra thing to consider is that the Identity Provider [IdP] will also hit the SLO endpoint to confirm the logout at the end. There, you can redirect your site to the login page.

Looks like this: (remember that is the browser who will be redirected to each site -one by one- that means that you have the information of the current session that is logged in each cookie that enables you to logout.)

Long story short, here is my current implementations that seem to work so far.

/**
 * Logout from SP to IdP.
 * We need a logged in user to log out.
 */
router.get('/logout', isAuthenticated(), samlLogout);

/**
 * IdP notifies logout.
 * Possible cases:
 * 1: same SP requested logout, IdP confirms logout.
 * 2: IdP request logout after receive logout request from SP that shared a session.
 * note: we can't use isAuth here, we need to redirect the browser.
 */
router.get(
  '/slo',
  (req, res, next) => {
    if(req.session.passport && req.session.passport.user) {
      req.user = req.session.passport.user;
      return next();
    } else {
      return res.redirect('/auth/saml');
    }
  },
  samlLogout
);

/**
 * Generate a Logout Request.
 * Redirect to this request URL.
 * note: SAML auth internally requires a req.user object with this 2 properties:
 *  '@Format': req.user.nameIDFormat,
 *  '#text': req.user.nameID
 */
function samlLogout(req, res) {
  try {
    const strategy = passport._strategy('saml');
    strategy.logout(req, function(error, requestUrl) {
      if(error) console.log(`Can't generate log out url: ${err}`);
      req.logOut();
      // passport-saml is not removing the session.
      delete req.session.passport;
      res.redirect(requestUrl);
    });
  } catch(err) {
    if(err) console.log(`Exception on URL: ${err}`);
    req.logOut();
    delete req.session.passport;
    res.redirect('/auth/saml');
  }
}

We use this API on a Single Page App. In our context, if we have the passport user, we are good to go.
So the isAuthenticated method only needs to check this.

import compose from 'composable-middleware';

/**
 * Attaches the user object to the request if authenticated
 * Otherwise returns 403
 */
export function isAuthenticated() {
  return compose().use(function(req, res, next) {
    if(req.session.passport && req.session.passport.user) {
      // after auth, we get a passport object.
      req.user = req.session.passport.user;
      return next();
    } else {
      return res.status(403).send({
        message: 'Session expired.',
      });
    }
  });
}

Hope it helps to someone else, it took me a little bit to figure it out.

[saurabh2608]

We have a situation where login will be initiated from IDP and callback will come to SP. Is there a way we can use passport-saml to authenticate the SAML response and set the user session?

[chveragad]

We too have a situation where login is IDP-initiated. Our current application utilizes redis to hold the user session. I have several questions and hopeful for an answer:

1. From the sample I got https://github.com/gbraad/passport-saml-example, it is used with main node module passport. Is the main passport node module required to use for passport-saml? How would it work with redis then?
2. Can passport-saml be used to validate, decrypt and digest the SAMLResponse from an IDP initiated callback?

[cjbarth]

@sagarwalsf @chveragad , yes IdP initiated sign on should work just fine if your callback URLs are set up correctly; I've gotten it to work.

[umardraz]

@jonathanpdiaz

I tried your solution here is my code

router.get('/logout', isAuthenticated(), samlLogout);

router.get(
    '/slo',
    (req, res, next) => {
      if(req.session.passport && req.session.passport.user) {
        req.user = req.session.passport.user;
        return next();
      } else {
        return res.redirect('/auth/saml/login');
      }
    },
    samlLogout
);

function samlLogout(req, res) {
    try {
      const strategy = passport._strategy('saml');
      strategy.logout(req, function(error, requestUrl) {
        if(error) console.log(`Can't generate log out url: ${err}`);
        req.logOut();
        delete req.session.passport;
        res.redirect(requestUrl);
      });
    } catch(err) {
      if(err) console.log(`Exception on URL: ${err}`);
      req.logOut();
      delete req.session.passport;
      res.redirect('/auth/saml/login');
    }
  }

Now the problem is whenever I tried to logout from my Wordpres sites then on successful logout they always get nodejs site /auth/saml/login page rather then their own wordpress login page.

Would you please help me how I can fix this