I have implemented a traditional login page where the user can log in with their username and password, or click a button to start the SAML login.

```yaml
security:
    firewalls:
        main:
            entry_point: form_login
            saml:
                check_path: saml_acs
                login_path: saml_login
            form_login:
                login_path: security_login
                check_path: security_login
            logout:
                path: saml_logout
```
The following happens:
- Log in via SAML
- Log out via `/saml/logout`
- User is logged out of the IdP and redirected to `security_login`
- Immediately log in via SAML again
- User is logged in to the IdP and redirected to `/saml/logout` and then to `security_login`
- User is still logged in at the IdP, clicking the SAML login button again authenticates and redirects to the correct place in the application
What appears to be happening:
- `SamlLogoutListener` is catching the `/saml/logout` request and initiating the redirect to the IdP SLO endpoint
- Note that `OneLogin\Saml2\Auth::Logout` is called with the `$returnTo` property set to `null`
- The `RelayState` parameter for the IdP SLO URL falls back to the current URL (`/saml/logout`) because `$returnTo` is `null`
- The user is logged out of the IdP, then redirected back to the logout path (`/saml/logout`) declared by the `RelayState`
- `/saml/logout` is protected by the firewall, so the user is redirected again to `security_login`
- This redirect sets `_security.main.target_path` in the session to `https://localhost/saml/logout?RelayState=https%3A%2F%2Flocalhost%2Fsaml%2Flogout`
- Which causes the user to be redirected to the logout path after logging in again
Potential solutions:
- A configurable URL that can be passed to the SLO endpoint via the `ReturnPath` parameter?
- A fall-back `ReturnPath` that is not the logout path, maybe the root path (`/`)?

Current workarounds that prevent this from happening:
- Allow `PUBLIC_ACCESS` to `/saml/logout`
- Implement a `saml.success_handler` that prevents the redirect to the logout path