single-sign-onlogoutsimplesamlphpwebmethodsidp

SLO issue with SimpleSAMLphp IDP with 2 SPs : redirected to the wrong login screen


We have set up SimpleSAMLphp as a SAML IDP to which 2 SPs are registered (Liferay and MyWebMethods).

Every SP is registered to the IDP with its own ACS and SLO links in the simplesamlphp/metadata/saml20-sp-remote.php file. Something like :

// MWS = SP2
$metadata['http://sp2.siteweb.com'] = array(
    'AssertionConsumerService' => 'http://sp2.siteweb.com/',
    'SingleLogoutService' => 'http://sp2.siteweb.com/?method=logout',
);

// LR = SP1
$metadata['http://sp1.siteweb.com/c/portal/saml/metadata'] = array(
    'AssertionConsumerService' => 'http://sp1.siteweb.com/c/portal/saml/acs',
    'SingleLogoutService' => 'http://sp1.siteweb.com/c/portal/saml/sls',
);

I have no problem using SSO: after I get authenticated (via the IDP) I can got to the first SP, then I can go to the 2nd SP without the need to login again.

My issue is with the log out (SLO) when the user is connected to each of the 2 SPs in the same time from same session (2 tabs in Google Chrome). If he logs out first from the SP2, whenever he tries to log out from the SP1 he is redirected to the login screen of the SP2 (ie: normal out-of-SSO login screen), instead of being redirected to the IDP login screen.

The logout url is actually captured by our SP filter then we create a saml Auth object that does the logout() :

Auth auth = new Auth(request, response);
String relayState = sp1_login_url;
auth.logout(relayState);

One info is that the SP1 supports SP-initiated and SP2 supports only IDP-initiated.

Any idea please?


Solution

  • After some research, the solution was simply to add a returnUrl parameter to the config for the SP2:

    // MWS = SP2
    $metadata['http://sp2.siteweb.com'] = array(
        'AssertionConsumerService' => 'http://sp2.siteweb.com/',
        'SingleLogoutService' => 'http://sp2.siteweb.com/?method=logout&returnUrl=http://idplogin.siteweb.com',
    );