Logout flow example

[adrianovaroli]

Hi, I'm implementing the SAML login - logout flow for our application as an SP against an IdP, and this module has been invaluable.
Problem is, I'm very green, and I'm butting heads on the logout process. I'm receiving a GET request from the IdP like

GET /cgi-cpn/logout.cgi?SAMLRequest=lVJLi9swEP4rxnfZsi2%2fhONtqGkxbHehK[...]&Signature=PGA%2bquTPVeKReGjcybwx7vSGkJtxmuw[...]&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256&client-request-id=abab7011-b24d-46de-3f00-008001000084

but I'm butting heads figuring out what to do next. I'm trying

my $saml_request = glib_cgi_05::param('SAMLRequest');
my $saml_signature = glib_cgi_05::param('Signature');
my $saml_sigalg = glib_cgi_05::param('SigAlg');
my $saml_client_request_id = glib_cgi_05::param('client-request-id');

my $idp = Net::SAML2::IdP->new_from_xml(
            xml => $FEDERATIONMETADATA, # URL where the xml is located
            cacert => $IDP_SIGNING_CERT,   # Filename of the Identity Providers CACert
);
my $redirect = Net::SAML2::Binding::Redirect->new(
            key => $sp_signing_cert,
            cert => $idp->cert('signing'),
            sig_hash => 'sha256',
            param => 'SAMLRequest',
            # The ssl_url destination for redirect
            url => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
);

my $verification = $redirect->verify($saml_request);

but this fails when creating the $redirect object; in the error log I read
Crypt::OpenSSL::X509: failed to read X509 certificate. at /usr/local/share/perl/5.28.1/Net/SAML2/IdP.pm line 16
what stumps me is that similar code works in my login init/callback flow.

To add: I notice that, in my implementation, this works

my $idp = Net::SAML2::IdP->new_from_xml(
    xml => $FEDERATIONMETADATA, # URL where the xml is located
    cacert => '',   # Filename of the Identity Providers CACert
);

and this also works

my $post = Net::SAML2::Binding::POST->new(
    cacert => $IDP_SIGNING_CERT,
);

but this fails

my $idp = Net::SAML2::IdP->new_from_xml(
    xml => $FEDERATIONMETADATA,
    cacert => $IDP_SIGNING_CERT,
);

$IDP_SIGNING_CERT is the same thing in both cases, the path to the IdP's public certificate in PEM format.

I'm running v0.45 of Net::Saml.pm, I'm trying to get our ops team to update it just in case it's a solved problem.

Could you help me with an example of an IdP-initiated redirect logout flow?
Thanks in advance.

[timlegge]

Hi So what is initiating the logout. As you are getting a SAMLRequest from the IDP I am assuming that you are receiving this as part of a logout initiated from another application. See steps 3 of 6 of the following: https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout The only "tested" logout at the moment is the Net-SAML SP logout in steps 2 and 10. Your Net-SAML2 application initiates the LogoutRequest and the IDP responds via a browser redirect/post with a LogoutResponse. I can try to set up a test for the IdP initiated LogoutRequest. However, I would expect that the module may need some changes. If you can send me the full URL GET /cgi-cpn/logout.cgi?SAMLRequest=lVJLi9swEP4rxnfZsi2%2fhONtqGkxbHehK[...]&Signature=PGA%2bquTPVeKReGjcybwx7vSGkJtxmuw[...]&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256&client-request-id=abab7011-b24d-46de-3f00-008001000084 and the IdPs metafile I can try to reproduce. Send directly to my email timlegge at gmail . com If you prefer not to make it public. I assume you are using Azure? I can respond in the next few hours but it will be tonight before I can look in depth. Tim Timothy Legge ***@***.*** ***@***.***

…

On Thu, Jan 27, 2022 at 11:26 AM Adriano Varoli Piazza < ***@***.***> wrote: Hi, I'm implementing the SAML login - logout flow for our application as an SP against an IdP, and this module has been invaluable. Problem is, I'm very green, and I'm butting heads on the logout process. I'm receiving a GET request from the IdP like GET /cgi-cpn/logout.cgi?SAMLRequest=lVJLi9swEP4rxnfZsi2%2fhONtqGkxbHehK[...]&Signature=PGA%2bquTPVeKReGjcybwx7vSGkJtxmuw[...]&SigAlg=http%3a%2f% 2fwww.w3.org %2f2001%2f04%2fxmldsig-more%23rsa-sha256&client-request-id=abab7011-b24d-46de-3f00-008001000084 but I'm butting heads figuring out what to do next. I'm trying my $saml_request = glib_cgi_05::param('SAMLRequest'); my $saml_signature = glib_cgi_05::param('Signature'); my $saml_sigalg = glib_cgi_05::param('SigAlg'); my $saml_client_request_id = glib_cgi_05::param('client-request-id'); my $idp = Net::SAML2::IdP->new_from_xml( xml => $FEDERATIONMETADATA, # URL where the xml is located cacert => $IDP_SIGNING_CERT, # Filename of the Identity Providers CACert ); my $redirect = Net::SAML2::Binding::Redirect->new( key => $sp_signing_cert, cert => $idp->cert('signing'), sig_hash => 'sha256', param => 'SAMLRequest', # The ssl_url destination for redirect url => $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'), ); my $verification = $redirect->verify($saml_request); but this fails when creating the $redirect object; in the error log I read Crypt::OpenSSL::X509: failed to read X509 certificate. at /usr/local/share/perl/5.28.1/Net/SAML2/IdP.pm line 16 what stumps me is that similar code works in my login init/callback flow. Could you help me with an example of an IdP-initiated redirect logout flow? Thanks in advance. — Reply to this email directly, view it on GitHub <#54>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH3N65RZGV32VONRKD6AZLUYFP2TANCNFSM5M6HWNDQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[adrianovaroli]

The logout is initiated by the IdP, by SAMLRequest they send to our logout cgi. I'll send you the request and the metadata privately. Thanks so much!

[adrianovaroli]

Ok, I got your patch installed and tried, I built the URL for $redirect->verify() and now it fails further ahead with

bad sig at /usr/local/share/perl/5.28.1/Net/SAML2/Binding/Redirect.pm line 137 (global apache error log)

and

Can't verify IdP 'encryption' cert: verify: self signed certificate at /usr/local/share/perl/5.28.1/Net/SAML2/IdP.pm line 175

And I guess this means I have to talk to the ops people here.

[timlegge]

Hi Can you try revier the t/16... test script and add the force..lowercase setting to your code like it does and re-test. Tim Timothy Legge ***@***.*** ***@***.***

…

On Fri, Jan 28, 2022 at 9:57 AM Adriano Varoli Piazza < ***@***.***> wrote: Ok, I got your patch installed and tried, I built the URL for $redirect->verify() and now it fails further ahead with bad sig at /usr/local/share/perl/5.28.1/Net/SAML2/Binding/Redirect.pm line 137 (global apache error log) and Can't verify IdP 'encryption' cert: verify: self signed certificate at /usr/local/share/perl/5.28.1/Net/SAML2/IdP.pm line 175 And I guess this means I have to talk to the ops people here. — Reply to this email directly, view it on GitHub <#54 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH3N62VD2T3OZJSJYJNQ6LUYKOFTANCNFSM5M6HWNDQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you commented.Message ID: ***@***.*** .com>

[adrianovaroli]

It works, yes!

$VAR1 = \bless( {
                   'id' => '_1038ab29-c3f3-44d0-84ad-85eefd8cd270',
                   'issue_instant' => '2022-01-28T14:34:43Z',
                   'session' => '_6e0b2165-a183-4762-b10c-0d7458e0e83b',
                   'issuer' => bless( do{\(my $o = '[the IdP metadata]')}, 'URI::http' ),
                   'destination' => '[my SP logout url]',
                   'nameid' => '[my email]'
                 }, 'Net::SAML2::Protocol::LogoutRequest' );

[timlegge]

Hi So your code running gets the LogoutRequest and processes it properly after you added the sls_force_lcase_url_encoding = 1 to your code? Tim Timothy Legge ***@***.*** ***@***.***

…

On Fri, Jan 28, 2022 at 10:36 AM Adriano Varoli Piazza < ***@***.***> wrote: It works, yes! $VAR1 = \bless( { 'id' => '_1038ab29-c3f3-44d0-84ad-85eefd8cd270', 'issue_instant' => '2022-01-28T14:34:43Z', 'session' => '_6e0b2165-a183-4762-b10c-0d7458e0e83b', 'issuer' => bless( do{\(my $o = '[the IdP metadata]')}, 'URI::http' ), 'destination' => '[my SP logout url]', 'nameid' => '[my email]' }, 'Net::SAML2::Protocol::LogoutRequest' ); — Reply to this email directly, view it on GitHub <#54 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH3N66VUWU2BONHD6NXRTTUYKSWPANCNFSM5M6HWNDQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you commented.Message ID: ***@***.*** .com>

[adrianovaroli]

Exactly, that's the only thing I changed.

[timlegge]

So at this point you can use that data in the:

$VAR1 = \bless( {
                   'id' => '_1038ab29-c3f3-44d0-84ad-85eefd8cd270',
                   'issue_instant' => '2022-01-28T14:34:43Z',
                   'session' => '_6e0b2165-a183-4762-b10c-0d7458e0e83b',
                   'issuer' => bless( do{\(my $o = '[the IdP metadata]')}, 'URI::http' ),
                   'destination' => '[my SP logout url]',
                   'nameid' => '[my email]'
                 }, 'Net::SAML2::Protocol::LogoutRequest' );

To invalidate your users's session. After this the next step would be to create a LogoutResponse but as I said, the Current logout Response assumes it is receivinge one from the IdP. I will look at adding functionality to create and send the LogoutResponse this weekend.

Tim

[adrianovaroli]

Again, thank you so much for your help.

[timlegge]

Actually it is supported:

Add the following to the end of t/16...

#Create a new Logout Response with the values from the Request - The status is hard coded here

use Net::SAML2::Protocol::LogoutResponse;
my $logoutresponse = Net::SAML2::Protocol::LogoutResponse->new(
    issuer      => $logoutrequest->{destination},
    destination => $logoutrequest->{issuer},
    status      => "urn:oasis:names:tc:SAML:2.0:status:Success",
    response_to => $logoutrequest->{id},
    );

#Get the URL to redirect to
use Net::SAML2::Binding::Redirect;
my $logoutrequestsigned = $redirect->sign($logoutresponse->as_xml);
print $logoutrequestsigned;

#Then do a get request for the URL

[timlegge]

I fixes a number of related issues in #55

[timlegge]

Released 0.52 at https://metacpan.org/dist/Net-SAML2

[adrianovaroli]

I've been currently busy with a different project, but this should allow me to finish this implementation. Thank you!