Logout through "authorize" Module (was #619) #53

sspghost opened this Issue Feb 27, 2014 · 4 comments



sspghost commented Feb 27, 2014

From on February 11, 2014 12:54:34

I believe that this issue was introduced when ticket #522 was fixed. In order to reproduce this problem, take the following configuration into account:

The "authorize" module is configured on the IdP, in the SP configuration (saml20-sp-remote.php). This is done to copy the behaviour of Feide, where you are stopped at the IdP when your affiliation does not have access to the requested service provider.

What steps will reproduce the problem?

1. Log in to an SP (SP1) where you are not blocked by the "authorize" module.
2. Attempt to log in to an SP (SP2) where you are blocked by the "authorize" module.
3. On the "Access forbidden" page, click "Logout"
4. (observe "Go back to simpleSAMLphp installation page" link)
5. Go back to SP1
6. (observe you are still logged in)

What is the expected output? What do you see instead?

1. Upon clicking "Logout", I expect being redirected back to the login page so that I can log in as another user. Instead, I am presented with a "Go back to simpleSAMLphp installation page" link.
2. Upon clicking "Logout", I expect to be logged out from all SPs I am currently logged in to. When I try to visit SP1 after clicking Logout, I expect to be prompted for credentials.

What version of the product are you using? On what operating system?

Latest stable simpleSamlPhp (1.11.0) on IdP, same simpleSamlPhp or mod_mellon 0.5 as SP.

Original issue:
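
The IdP-side setup described in the report above, as an added example that is not part of the original issue or the project's own configuration. The entity IDs, endpoint URLs, the attribute name and the pattern are constructed placeholders.

```php
<?php
// metadata/saml20-sp-remote.php on the IdP (constructed example).
// Entity IDs, endpoint URLs, the attribute name and the pattern below are
// placeholders chosen for illustration; none of them come from the issue.

// SP1: no authorize filter, so every authenticated user receives an assertion.
$metadata['https://sp1.example.org/sp'] = array(
    'AssertionConsumerService' => 'https://sp1.example.org/acs',
    'SingleLogoutService'      => 'https://sp1.example.org/slo',
);

// SP2: the authorize filter runs at the IdP after authentication. A user
// whose attribute values match none of the patterns is stopped at the IdP
// on the "Access forbidden" page and no assertion is sent to SP2.
$metadata['https://sp2.example.org/sp'] = array(
    'AssertionConsumerService' => 'https://sp2.example.org/acs',
    'SingleLogoutService'      => 'https://sp2.example.org/slo',
    'authproc' => array(
        60 => array(
            'class' => 'authorize:Authorize',
            // Assumed attribute: only users with this affiliation may proceed.
            'eduPersonAffiliation' => array('/^employee$/'),
        ),
    ),
);
```

With this in place, a user whose affiliation does not match can log in to SP1 and is then stopped at the IdP when requesting SP2, which is the point where the "Logout" link from steps 3 to 6 appears while the IdP session and the SP1 session still exist.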



sspghost commented Feb 27, 2014

From on February 18, 2014 04:47:16

Hi Yorn!

I'm afraid this is not an issue introduced at any point, but something that has never worked. The fix you are referring to is basically a quick fix to allow basically some kind of logout, but not a complete SLO.

I've been discussing this briefly with Olav, and there's no easy way to solve it, because there's no way to trigger SLO from the authorize module. A possible approach would be that both the IdP and SP register their own logout handlers in the state array, and then let the authorize module use that handler to initiate a SLO. It would be possible then to initiate SLO regardless of where you are using the module (right now you get no logout link if you are on the SP, for instance), but that's also a non-negligible amount of work, and we've decided that it can wait until 2.0.

Labels: Milestone-Release2.0



sspghost commented Feb 27, 2014

From on February 20, 2014 04:20:56

As a workaround, would it be possible to add a module configuration parameter to send the user somewhere else than the simpleSamlPhp installation page?

Also, I wonder how this is fixed in Feide; when I log in with my NTNU account and then try to visit a UNINETT service, I get a button that allows me to log in as another user.

@jaimeperez jaimeperez added this to the v2.0 milestone Feb 27, 2014

@jaimeperez jaimeperez added the started label Mar 24, 2014




jaimeperez commented Mar 24, 2014

Hi Yørn,

Sorry, looks like I didn't notice your message while migrating everything to GitHub.

We'll try to solve this for 2.0, but meanwhile we decided not to do anything for 1.12. In Feide we solve this by means of the Feide module, which takes care of situations like this (though it should be improved). That module is internal and not part of SimpleSAMLphp, which is why it works in Feide but not with SSP's standard distribution.




jornane commented Mar 24, 2014

Thanks! Olav already explained this to me, but it's good that this is now also documented for others having the same problem.
