Debugging sp-initiated logout flow #221

adrianovaroli · 2024-04-29T12:32:00Z

adrianovaroli
Apr 29, 2024

Hi, I'm debugging a logout flow.
I'm currently on Net:SAML2 v0.78 (recently updated with no modifications to my code from 0.55) and I'm debugging a logout flow in which we (the SP) initiate the logout request. I'm currently stuck at receiving a POST logout response that looks like:

URL: [our logout endpoint]
POST data: SAMLResponse (encoded)

And nothing else (no SigAlg, no Signature parameter, for instance).
If I decode the SAMLResponse, I see this:

<samlp:LogoutResponse ID="_7d2bff24-5909-4e1f-b3b2-2175b8d5e68b" Version="2.0"
    IssueInstant="2024-04-29T12:05:17.982Z" Destination="[our logout endpoint]"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="NETSAML2_9b4ea21e35d8d103a82057ad89bd894cafc1beabed7eb9eded01900f9d6145e7"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[their url]</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_7d2bff24-5909-4e1f-b3b2-2175b8d5e68b">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>4+5lttdf/BKbpW6eF0BF3KI0h73G0YrUKqDblrjm5yE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>[encoded signature value]</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>[certificate]</ds:X509Certificate>
            </ds:X509Data>
        </KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    </samlp:Status>
</samlp:LogoutResponse>

In my logs I can see

Use of uninitialized value in subroutine entry at /usr/local/share/perl/5.32.1/Net/SAML2/Binding/Redirect.pm line 152.
Use of uninitialized value $sigalg in string eq at /usr/local/share/perl/5.32.1/Net/SAML2/Binding/Redirect.pm line 178.
Use of uninitialized value $sigalg in string eq at /usr/local/share/perl/5.32.1/Net/SAML2/Binding/Redirect.pm line 180.
Use of uninitialized value $sigalg in string eq at /usr/local/share/perl/5.32.1/Net/SAML2/Binding/Redirect.pm line 182.
Use of uninitialized value $sigalg in string eq at /usr/local/share/perl/5.32.1/Net/SAML2/Binding/Redirect.pm line 184.
Use of uninitialized value $sigalg in string eq at /usr/local/share/perl/5.32.1/Net/SAML2/Binding/Redirect.pm line 186.

But I'm stumped. Do I need to update something in my code flow for the changes between lib versions 0.55 and 0.78? Am I missing something else?

My code is basically this:

First logout step

my $idp = Net::SAML2::IdP->new_from_xml(
    xml           => $idp_metadata,
    cacert        => '',
);

my $logout_request = Net::SAML2::Protocol::LogoutRequest->new(
    issuer        => $SP_FEDERATIONMETADATA_URL,
    # nameid_format => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', # this fails for this particular idp if I remove this comment
    destination   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
    nameid        => "[user email from session]",
    session       => $sso_session_data->{"SSO_TOKEN"},
);

my $redirect = eval {
    Net::SAML2::Binding::Redirect->new(
        url   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
        key => $SP_SIGNING_KEY,
        cert => $idp->cert('signing'),
        param => 'SAMLResponse',
        sls_force_lcase_url_encoding => 1,
    );
};

my $saml_logout_request = $redirect->sign($logout_request->as_xml);

# REDIRECT STUFF HAPPENS

Second logout step

my $idp = Net::SAML2::IdP->new_from_xml(
    xml => $idp_metadata,
    cacert => '',
    sls_force_lcase_url_encoding => 1,
); 

my $redirect = eval { 
    Net::SAML2::Binding::Redirect->new(
        url   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
        key => $SP_SIGNING_KEY,
        cert => $idp->cert('signing'),
        #sig_hash => 'sha256',
        param => 'SAMLResponse',
        sls_force_lcase_url_encoding => 1,
    );
};

# flow fails "here":
my ($response, $relaystate) = eval {
    $redirect->verify($uri);
};

my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(xml => $response);
if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
    my $sso_session_token = $logout->in_response_to;
    my ($user_id, $user_name, $user_profile) = &lib_saml::check_sso_user($sso_session_token);
    # other code...
} else {
    print STDERR "Error[", scalar localtime, "] IdP Response wasn't \"Success\".\n";
    # other code.
}

I can't see what I'm missing. Recently (#207) the code was working until a bit later, the assertion could not be validated but I could see that it was getting through to the last else block in the code above, but now it has started failing earlier in the flow.

timlegge · 2024-04-29T17:02:56Z

timlegge
Apr 29, 2024
Maintainer

See the change log for 0.60, potentially breaking changes, 0.63 perl min ver, 0.70 updated depends, 0.77 - Sha 256 redirect announced 0.75. 0.78 and 0.79 deprecate but should not break

3 replies

timlegge Apr 29, 2024
Maintainer

In theory most things will not break but it is possible. I am away but will look closer this evening if I have time.

timlegge Apr 29, 2024
Maintainer

Also if I was to guess you appear to be receiving a post reply on a redirect url. But I could be wrong

waterkip Apr 30, 2024
Maintainer

I think it would be wise to start bisecting the code to see which commit introduced what exactly. However, if I git blame the file, I see that the commit was introduced by f43727d, which verifies based on the raw query string. See the commit message for more information. This has been included in 0.60

https://metacpan.org/release/TIMLEGGE/Net-SAML2-0.79/source/lib/Net/SAML2/Binding/Redirect.pm#L152 is where we try to parse the $params{Signature}.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Debugging sp-initiated logout flow #221

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Debugging sp-initiated logout flow #221

adrianovaroli Apr 29, 2024

Replies: 1 comment · 3 replies

timlegge Apr 29, 2024 Maintainer

timlegge Apr 29, 2024 Maintainer

timlegge Apr 29, 2024 Maintainer

waterkip Apr 30, 2024 Maintainer

adrianovaroli
Apr 29, 2024

Replies: 1 comment 3 replies

timlegge
Apr 29, 2024
Maintainer

timlegge Apr 29, 2024
Maintainer

timlegge Apr 29, 2024
Maintainer

waterkip Apr 30, 2024
Maintainer