Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PLINK_2.5.3.Beta1
    • Fix Version/s: PLINK_2.7.0.Final
    • Component/s: SAML
    • Labels:
      None
    • Steps to Reproduce:
      Hide
      • Login to multiple SPs using the same IdP
      • Use the Single Logout URL on a single SP
      • Verify that all SPs have been logged out
      • Log back into the SP from the same browser
      • Refresh the other SPs and ensure they are logged back in
      • Retry the Single Logout URL
      • Refresh the other SPs and they will not still be accessible
      Show
      Login to multiple SPs using the same IdP Use the Single Logout URL on a single SP Verify that all SPs have been logged out Log back into the SP from the same browser Refresh the other SPs and ensure they are logged back in Retry the Single Logout URL Refresh the other SPs and they will not still be accessible

      Description

      The Single Logout URL ( $SP/GLO=true ) will usually work for the first logout in a clean browser, and then fails if the user logs back in and tries GLO again.

      When it works, this is the flow:

      Get $SP/GLO=true > 200
      Post SAML LogoutRequest to IdP > 200
      [ SAML LogoutResponse shows up in IdP server.log ]
      Post SAML LogoutResponse to SP > 200
      Get $SP/null > 200
      Browser is left at the IdP login screen with a new AuthnRequest

      When it does not work, this is the flow:

      Get $SP/GLO=true > 200
      Post SAML LogoutRequest to IdP > 200
      [ SAML LogoutResponse DOES NOT show up in IdP server.log ]
      Browser is left at the IdP login screen with a SAML LogoutRequest
      OR
      Browser is left at the $SP/null screen and never redirects to IdP login screen

      If the login credentials are entered, then the browser Posts a SAML LogoutResponse to the SP OR the browser is left at $SP/null and
      protected resources are still accessible.

      Once the logout flow stops working properly, it seems like there are basically no ways to get it working again in the same browser.
      The browser sits at the IdP login screen with the SAML LogoutResponse ready to POST, but it won’t post until login credentials are provided. Once the credentials are provided though, the session is logged back in.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  pcraveiro Pedro Igor Silva
                  Reporter:
                  dparsons Danny Parsons
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: