Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SLO: Okta sending POST plugin looking for GET #121

Open
dwashko opened this issue Jun 3, 2021 · 2 comments
Open

SLO: Okta sending POST plugin looking for GET #121

dwashko opened this issue Jun 3, 2021 · 2 comments

Comments

@dwashko
Copy link

dwashko commented Jun 3, 2021

It appears that Okta is incapable of sending an HTTP-Redirect binding instead of a POST for Single Log Out. Looking at where the code fails: https://github.com/onelogin/wordpress-saml/blob/master/onelogin-saml-sso/php/lib/Saml2/Auth.php#L281To#L345. We have found pervious posts on the web indicating that this will never change to support anything other than an HTTP-Redirect (e.g.; #18). I humbly ask this: What is wrong with adding another conditional to support HTTP Post like so:

if (isset($_POST['SAMLResponse'])) { $logoutResponse = new LogoutResponse($this->_settings, $_POST['SAMLResponse']);

Replacing this:
if (isset($_GET['SAMLResponse'])) { $logoutResponse = new LogoutResponse($this->_settings, $_GET['SAMLResponse']);

Replacing the latter with the former seems to solve our Okta SLO problem. I am wondering if there is some issue we might be missing as to why it may be unacceptable to do this?

@dwashko dwashko changed the title Okta sending POST plugin looking for GET SLO: Okta sending POST plugin looking for GET Jun 3, 2021
@dwashko
Copy link
Author

dwashko commented Jun 4, 2021

I found this: SAML-Toolkits/php-saml#348 with the exact change we had to make to support Okta. From the responses this indicates that php-saml and I suspect this plugin too will not support POST for SLO even though it is an acceptable binding according to the SAML v2.0 documentation: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (see section 3.5 page 21). If I am reading this correctly: http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf (page 9) SAML 2.0 conformance requires HTTP-Redirect binding for SP initiated SLO. I guess that must mean Okta is not SAML V2.0 compliant at least for SLO? Since we will not see HTTP Post for SLO implemented here and it does not appear that Okta is going to HTTP Redirect Binding, (see: https://support.okta.com/help/s/question/0D50Z00008G7VGW/saml-httpredirect-instead-of-httppost-at-single-logout?language=en_US - dated Sept 5, 2018), we are at an impasse.

@pitbulk
Copy link
Contributor

pitbulk commented Jun 4, 2021

You code will do the trick. I recommend better to do something something like:

if (isset($_POST['SAMLResponse'])) {
    $_GET['SAMLResponse'] = $_POST['SAMLResponse'];
}
if (isset($_POST['SAMLRequest'])) {
    $_GET['SAMLRequest'] = $_POST['SAMLRequest'];
}

at the SLS endpoint.

But we are not adding that workaround because it's an informal trick. For example if you as SP want to validate SAML Signature, that won't be possible

As you discovered in that thread, Okta decided to only support the Http-Post binding because was the easy path (it was already the binding required on the sso process), but doing that made their IdP non-standard compliant.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants