Logout Support For Blocked Or SAML Authenticated User

Created on 6 June 2023, over 1 year ago
Updated 12 January 2024, 11 months ago

Hello, we have a special use case in our company. Some people are granted access to certain websites, while being blocked from others that utilize the same IdP provider or where they lack corresponding accounts.

When these individuals use SAML to log into our website, they receive an access denied message, which is the expected behavior. However, when they attempt to log out or switch SAML accounts, our website would fail to log them out.

After looking into the codebase, I discovered that the issue seems to come from the logout request generated by the `drupalLogoutHelper` method, as it does not include the correct `session_index` provided by the IdP when the user logs in. As a result, the IdP rejects the request, leading to the following error displayed on the page. There is no way for these users to log out from the IdP on our site unless they attempt to log out from other websites where they have an active Drupal account.

Error encountered while processing SAML single-logout response; details have been logged.

The steps to reproduce the issue are very simple:
1. Block or delete a user.
2. Login as the user from SAML.
3. The account blocked or no account error message should now be visible on the page.
4. Try to do `/saml/logout`.

✨ Feature request
Status

Fixed

Version

3.0

Component

Code

Created by

🇺🇸 United States sker101 NYC


Comments & Activities

  • Issue created by @sker101
  • 🇺🇸 United States sker101 NYC

    I created a patch that stores the SAML session in the private temp storage service regardless of whether the user has an active Drupal account. This allows the session to be stored and to be used later for the logout request even for users with no active Drupal account.

    I also made some updates to the logic in the `drupalLogoutHelper` method. Instead of checking if the user is currently logged in, the logic now checks if the current request carries a valid session and determines if the SAML session should be returned from the method.

  • 🇺🇸 United States sker101 NYC

    This issue from 5 years ago might be related.

  • Status changed to Fixed 11 months ago
  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    Thank you for your valuable contribution. I'm still learning more details, about when this SAML session data is useful / how it interacts with logout.

    I unfortunately missed your patch in between working on other issues / because of the issue status, so it took a while to get to it / some code was already changed. (drupalLogoutHelper() already got the SAML session data when the user was anonymous. I did add your $this->requestStack->getCurrentRequest()->hasSession() which proved useful upon testing.)

    I believe that your patch is officially the correct thing to do. However:

    • It does keep a session open for the anonymous user at each failed login. Even though that's not usually a big deal, it is a behavior change that I don't want to force upon all users. So I implemented a configuration option `login_error_keep_session`.
    • If I'm not mistaken: the session data is not needed / is never used if a logout flow is started from another logged-in site / from the IdP. It's only useful when the not-logged-in Drupal user explicitly starts SAML logout (through `/saml/logout`) on the same site. That fact made me decide, after some thinking, to keep the option 'off' by default.

    So you'll have to explicitly turn the configuration option on, after installing the next release / if you want to drop your patch.
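The mechanics discussed in this thread, as an added illustration that is not samlauth's or Drupal's own code: a SP-initiated `LogoutRequest` has to carry the `SessionIndex` (and `NameID`) the IdP issued at login, so the SAML session must be captured at login time even when the local account turns out to be blocked or missing. The Python below is a stand-in for the PHP module logic; `SamlSessionStore`, `handle_login_response`, `build_logout_request` and `idp_accepts_logout` are hypothetical names, the account table, session IDs and URLs are constructed sample values, and the `keep_session_on_error` flag plays the role of the `login_error_keep_session` option described above. Only the SAML 2.0 element and namespace names are real.

```python
"""Added example (not samlauth's own code): why a SAML LogoutRequest needs the
IdP-issued SessionIndex, and why the SAML session must be stored at login even
when the local (Drupal) account is blocked or missing.

Constructed sample values throughout; element/attribute names follow the SAML
2.0 protocol schema, the store and helper names are hypothetical.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed local account table: missing key = no account, False = blocked.
LOCAL_ACCOUNTS = {"alice@example.com": True, "bob@example.com": False}


class SamlSessionStore:
    """Per-browser-session store of what the IdP returned at login
    (stands in for Drupal's private tempstore keyed by the PHP session)."""

    def __init__(self):
        self._data = {}

    def save(self, browser_session, name_id, session_index):
        self._data[browser_session] = {"name_id": name_id, "session_index": session_index}

    def load(self, browser_session):
        return self._data.get(browser_session)


def handle_login_response(store, browser_session, name_id, session_index, keep_session_on_error):
    """Process an IdP login response. Returns True if a local login happened.

    With keep_session_on_error set (mirrors login_error_keep_session), the SAML
    session is stored even when the account check fails, so a later logout
    request can still reference the IdP session.
    """
    if LOCAL_ACCOUNTS.get(name_id):
        store.save(browser_session, name_id, session_index)
        return True
    if keep_session_on_error:
        store.save(browser_session, name_id, session_index)
    return False  # "account blocked" / "no account" page is shown to the user


def build_logout_request(store, browser_session, sp_entity_id, idp_slo_url):
    """Build a samlp:LogoutRequest from the stored SAML session, independent of
    whether a local user is logged in. Returns None if nothing is stored."""
    saml_session = store.load(browser_session)
    if saml_session is None:
        return None
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_slo_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = saml_session["name_id"]
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = saml_session["session_index"]
    return ET.tostring(req, encoding="unicode")


def idp_accepts_logout(logout_request_xml, idp_sessions):
    """Minimal IdP-side check: the NameID/SessionIndex pair in the request must
    match a session the IdP actually issued (idp_sessions: session_index -> name_id).
    A request without a matching SessionIndex is rejected, which is the error
    the issue reporter saw."""
    root = ET.fromstring(logout_request_xml)
    name_id = root.findtext(f"{{{SAML}}}NameID")
    session_index = root.findtext(f"{{{SAMLP}}}SessionIndex")
    return session_index is not None and idp_sessions.get(session_index) == name_id


def blocked_user_can_logout(keep_session_on_error):
    """Scenario from the issue: a blocked user logs in via SAML, then hits /saml/logout."""
    store = SamlSessionStore()
    idp_sessions = {"idx-bob-42": "bob@example.com"}  # constructed IdP-side state
    handle_login_response(store, "php-sess-1", "bob@example.com", "idx-bob-42", keep_session_on_error)
    xml = build_logout_request(store, "php-sess-1",
                               "https://sp.example.com/saml/metadata",
                               "https://idp.example.com/slo")
    return xml is not None and idp_accepts_logout(xml, idp_sessions)


if __name__ == "__main__":
    print("keep_session=False:", blocked_user_can_logout(False))  # False: nothing stored
    print("keep_session=True: ", blocked_user_can_logout(True))   # True: IdP session ended
```

With the flag off, the blocked user's browser session holds no SAML data after the failed login, so no valid `LogoutRequest` can be built and the IdP session stays alive until it is ended from another site; with it on, the stored `SessionIndex` lets the same site end the IdP session. The trade-off roderik describes is visible in `handle_login_response`: the second `store.save` is what keeps a session open for an anonymous visitor on every failed login.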

  • Automatically closed - issue fixed for 2 weeks with no activity.
