- Issue created by @sivakarthik229
- Status changed to Postponed: needs info
26 July 2023, 10:30pm - roderik (Amsterdam,NL / Budapest,HU)
I cannot reproduce this.
For completeness / a log: I've had more information from you on Slack (because initially it was not clear to me what your point 4 exactly means). You have confirmed and re-tested that your situation is:
- Start the logout process at https://DRUPALSITE-1/saml/logout
- Get redirected to the IdP, and then to https://DRUPALSITE-2/saml/sls
- At this moment, $this->currentUser->isAuthenticated() returns FALSE. So your user is not logged out, because they are seen as 'not logged in'.
- However, if you later visit https://DRUPALSITE-2/ANYTHING in the same browser, you are still logged in!
This logout flow seems correct / matches "SP initiated logout" in the image in #3043704-9: Make user logout more robust, that I'm using for reference.
So the mystery is the third point: why does the user visiting https://DRUPALSITE-2/saml/sls not seem to be logged in? (Your request is a normal GET request - with a valid LogoutRequest in the URL's SamlRequest GET parameter, as expected.)
I cannot reproduce this. I have tried using two separate development sites, using two development sites on the same multisite instance, and a combination (three sites). (Note: these are separate sites with separate databases on a multisite installation. They are not multiple domains for the same site e.g. a multilanguage site. I assume this is the same in your case.)
Logout flow - all are GET requests:
- Direct browser request https://DRUPALSITE-1/saml/logout
- HTTP 302 to https://IDP/.../SingleLogoutService.php?SamlRequest=... (I'm using SimpleSAMLphp)
- HTTP 302 to https://IDP/.../resumelogout.php?id=... (Only the first request seems to have an extra redirect inside the IdP)
- HTTP 302 to https://DRUPALSITE-2/saml/sls?SamlRequest=... contains SingleLogoutRequest, gets processed normally, the user is seen as logged-in by Drupal and is logged out
- HTTP 302 to https://IDP/.../SingleLogoutService.php?SamlResponse=...
- HTTP 302 to https://DRUPALSITE-3/saml/sls?SamlRequest=... contains SingleLogoutRequest, gets processed normally, the user is seen as logged-in by Drupal and is logged out
- HTTP 302 to https://IDP/.../SingleLogoutService.php?SamlResponse=...
- HTTP 302 to https://DRUPALSITE-1/saml/sls?SamlResponse=... user was already logged out at the very start, so this effectively does nothing except:
- HTTP 302 to https://DRUPALSITE-1/ because the previous /saml/sls endpoint has correctly seen that we are done
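To see what actually arrives at the /saml/sls hop (step 4 of the flow above), the following Python helper is an added example, not code from the samlauth module or from this comment. It decodes an HTTP-Redirect binding parameter (base64 over raw DEFLATE) and pulls out the fields worth comparing between a working and a non-working site: Issuer, NameID, SessionIndex, Destination and, for a LogoutResponse, the status code. The binding defines the parameter as SAMLRequest/SAMLResponse; the comment spells it SamlRequest, so the lookup is case-insensitive. The IdP issuer URL, message IDs, NameID and sample URL are constructed for this example. A Signature/SigAlg pair in the query is only reported as present, not verified; that remains the SAML library's job.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by LogoutRequest / LogoutResponse messages.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def encode_redirect_param(xml_text: str) -> str:
    """Encode an XML message the way the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header), then base64. URL-encoding is the caller's job."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_param(value: str) -> str:
    """Reverse of encode_redirect_param: base64 -> raw INFLATE -> XML text."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def parse_logout_message(xml_text: str) -> dict:
    """Extract the fields that matter when debugging one single-logout hop
    from a LogoutRequest or LogoutResponse."""
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}", 1)[1]  # strip the namespace prefix
    if kind not in ("LogoutRequest", "LogoutResponse"):
        raise ValueError(f"not a logout message: {root.tag}")
    info = {
        "kind": kind,
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
    }
    if kind == "LogoutRequest":
        info["name_id"] = root.findtext(f"{{{SAML}}}NameID")
        info["session_index"] = root.findtext(f"{{{SAMLP}}}SessionIndex")
        info["not_on_or_after"] = root.get("NotOnOrAfter")
    else:
        info["in_response_to"] = root.get("InResponseTo")
        status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        info["status"] = status.get("Value") if status is not None else None
    return info


def inspect_sls_url(url: str, expected_destination: str) -> dict:
    """Decode whatever arrived at /saml/sls and check it was addressed to this SP.
    Parameter names are matched case-insensitively (SAMLRequest vs. SamlRequest)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    params = {k.lower(): v[0] for k, v in query.items()}
    value = params.get("samlrequest") or params.get("samlresponse")
    if value is None:
        raise ValueError("no SAMLRequest/SAMLResponse parameter in URL")
    message = parse_logout_message(decode_redirect_param(value))
    return {
        "message": message,
        "destination_ok": message["destination"] == expected_destination,
        # Presence of a signature only; verification is left to the SAML library.
        "signed": "signature" in params,
    }


# Constructed sample: an IdP-issued LogoutRequest addressed to DRUPALSITE-2.
# The issuer URL, IDs and NameID are made up for this example.
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req-0001" Version="2.0" IssueInstant="2023-07-26T20:30:00Z" '
    'Destination="https://DRUPALSITE-2/saml/sls" NotOnOrAfter="2023-07-26T20:35:00Z">'
    "<saml:Issuer>https://IDP/saml2/idp/metadata.php</saml:Issuer>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    "user-1234</saml:NameID>"
    "<samlp:SessionIndex>_sess-abcd</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)

# The URL the browser would be redirected to, spelled the way the comment spells it.
SAMPLE_SLS_URL = (
    "https://DRUPALSITE-2/saml/sls?SamlRequest="
    + urllib.parse.quote(encode_redirect_param(SAMPLE_LOGOUT_REQUEST), safe="")
)

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_sls_url(SAMPLE_SLS_URL, "https://DRUPALSITE-2/saml/sls"), indent=2))
```

Paste the real /saml/sls URL from the browser's network log into inspect_sls_url with the SP's own SLS URL as expected_destination: a Destination for another site, a missing SessionIndex, or a NameID that does not match the one the SP stored at login are all things to compare between the site that logs out correctly and the one that does not.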