- Issue created by @sker101
- 🇺🇸 United States sker101 NYC
I created a patch that stores the SAML session in the private temp storage service regardless of whether the user has an active Drupal account. This allows the session to be stored and to be used later for the logout request even for users with no active Drupal account.
I also made some updates to the logic in the `drupalLogoutHelper` method. Instead of checking if the user is currently logged in, the logic now checks if the current request carries a valid session and determines if the SAML session should be returned from the method.
- 🇺🇸 United States sker101 NYC
This issue from 5 years ago might be related.
- roderik committed 51830561 on 8.x-3.x, authored by sker101: Issue #3365193 by sker101, roderik: Keep /saml/logout working after...
- Status changed to Fixed
about 1 year ago 5:02pm 29 December 2023 - 🇳🇱 Netherlands roderik Amsterdam, NL / Budapest, HU
Thank you for your valuable contribution. I'm still learning more details about when this SAML session data is useful / how it interacts with logout.
I unfortunately missed your patch in between working on other issues / because of the issue status, so it took a while to get to it / some code was already changed. (`drupalLogoutHelper()` already got the SAML session data when the user was anonymous. I did add your `$this->requestStack->getCurrentRequest()->hasSession()`, which proved useful upon testing.) I believe that your patch is officially the correct thing to do. However:
- It does keep a session open for the anonymous user at each failed login. Even though that's not usually a big deal, it is a behavior change that I don't want to force upon all users. So I implemented a configuration option `login_error_keep_session`.
- If I'm not mistaken: the session data is not needed / is never used if a logout flow is started from another logged-in site / from the IdP. It's only useful when the not-logged-in Drupal user explicitly starts SAML logout (through /saml/logout) on the same site. That fact made me decide, after some thinking, to keep the option 'off' by default.
So you'll have to explicitly turn the configuration option on, after installing the next release / if you want to drop your patch.
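As an added illustration (not the samlauth module's own code, and not sker101's patch or roderik's commit), the two behaviours this comment describes, sketched against Drupal core's PrivateTempStore, RequestStack and config APIs; the class name, the tempstore collection `samlauth` and the config object name `samlauth.authentication` are assumptions:

```php
<?php
// Added illustration, not the samlauth module's own code. Class name,
// the tempstore collection 'samlauth' and the config object
// 'samlauth.authentication' are assumptions.

use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\TempStore\PrivateTempStoreFactory;
use Symfony\Component\HttpFoundation\RequestStack;

final class SamlSessionKeeper {
  public function __construct(
    private PrivateTempStoreFactory $tempStoreFactory,
    private RequestStack $requestStack,
    private ConfigFactoryInterface $configFactory,
  ) {}

  /**
   * Called when the SAML response was accepted but no active Drupal
   * account could be logged in. PrivateTempStore is keyed on the
   * session, so writing here forces a session (and session cookie) for
   * the anonymous visitor; that is why it is gated by the opt-in
   * login_error_keep_session setting, off by default.
   */
  public function storeAfterFailedLogin(array $samlSessionData): bool {
    $keep = (bool) $this->configFactory
      ->get('samlauth.authentication')
      ->get('login_error_keep_session');
    if (!$keep) {
      return FALSE;
    }
    $this->tempStoreFactory->get('samlauth')
      ->set('saml_session', $samlSessionData);
    return TRUE;
  }

  /**
   * Mirrors the changed drupalLogoutHelper() check: what matters for
   * /saml/logout is whether the request carries a session, not whether
   * a Drupal user is logged in. NULL means nothing usable is stored.
   */
  public function getForLogout(): ?array {
    $request = $this->requestStack->getCurrentRequest();
    if ($request === NULL || !$request->hasSession()) {
      return NULL;
    }
    $data = $this->tempStoreFactory->get('samlauth')->get('saml_session');
    return is_array($data) ? $data : NULL;
  }
}
```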
Automatically closed - issue fixed for 2 weeks with no activity.