SLO: Okta sending POST plugin looking for GET #121
Comments
I found this: SAML-Toolkits/php-saml#348 with the exact change we had to make to support Okta. From the responses this indicates that php-saml and I suspect this plugin too will not support POST for SLO even though it is an acceptable binding according to the SAML v2.0 documentation: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (see section 3.5 page 21). If I am reading this correctly: http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf (page 9) SAML 2.0 conformance requires HTTP-Redirect binding for SP initiated SLO. I guess that must mean Okta is not SAML V2.0 compliant at least for SLO? Since we will not see HTTP Post for SLO implemented here and it does not appear that Okta is going to HTTP Redirect Binding, (see: https://support.okta.com/help/s/question/0D50Z00008G7VGW/saml-httpredirect-instead-of-httppost-at-single-logout?language=en_US - dated Sept 5, 2018), we are at an impasse.
Your code will do the trick. I'd recommend doing something like:
at the SLS endpoint. But we are not adding that workaround because it's an informal trick. For example, if you as SP want to validate the SAML Signature, that won't be possible. As you discovered in that thread, Okta decided to only support the HTTP-POST binding because it was the easy path (it was already the binding required on the SSO process), but doing that made their IdP not standard-compliant.
It appears that Okta is incapable of sending an HTTP-Redirect binding instead of a POST for Single Log Out. Looking at where the code fails: https://github.com/onelogin/wordpress-saml/blob/master/onelogin-saml-sso/php/lib/Saml2/Auth.php#L281 to #L345. We have found previous posts on the web indicating that this will never change to support anything other than an HTTP-Redirect (e.g. #18). I humbly ask this: What is wrong with adding another conditional to support HTTP POST like so:
```php
// Proposed: read the LogoutResponse from the POST body (HTTP-POST binding)
if (isset($_POST['SAMLResponse'])) {
    $logoutResponse = new LogoutResponse($this->_settings, $_POST['SAMLResponse']);
}
```
Replacing this:
```php
// Current: read the LogoutResponse from the query string (HTTP-Redirect binding)
if (isset($_GET['SAMLResponse'])) {
    $logoutResponse = new LogoutResponse($this->_settings, $_GET['SAMLResponse']);
}
```
Replacing the latter with the former seems to solve our Okta SLO problem. I am wondering if there is some issue we might be missing as to why it may be unacceptable to do this?
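The reason the maintainer says the swap makes signature validation impossible is that the two bindings carry the signature in different places. The following is an added, self-contained example (not the plugin's or php-saml's code) that shows the detached query-string signature check which only exists for the HTTP-Redirect binding, the different decoding of each binding, and why a POSTed LogoutResponse still needs its embedded XML signature verified separately; the function names and the PEM-certificate argument are assumptions of this example.

```php
<?php
// Added example, not the plugin's code. The two SLO bindings differ in encoding
// and, more importantly, in where the signature lives:
//   HTTP-Redirect: SAMLResponse is deflate+base64 in the query string and the
//                  signature is a detached query-string signature (bindings 3.4.4.1).
//   HTTP-POST:     SAMLResponse is plain base64 in the form body and the signature
//                  is an XML Signature embedded in the LogoutResponse itself.
// Swapping $_GET for $_POST therefore silently drops the query-string signature check.

// Split the raw query string WITHOUT decoding: the signature covers the exact bytes
// the IdP sent, and re-encoding the already-decoded $_GET values may not reproduce them.
function raw_query_params(string $queryString): array
{
    $out = [];
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') continue;
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $out[$k] = $v;
    }
    return $out;
}

// Verify the detached HTTP-Redirect signature against the IdP's PEM certificate.
function verify_redirect_signature(string $queryString, string $idpCertPem): bool
{
    $p = raw_query_params($queryString);
    foreach (['SAMLResponse', 'SigAlg', 'Signature'] as $k) {
        if (!isset($p[$k]) || $p[$k] === '') return false; // unsigned: reject
    }
    // Signed data is rebuilt in this fixed order from the raw encoded values.
    $signed = 'SAMLResponse=' . $p['SAMLResponse'];
    if (isset($p['RelayState'])) $signed .= '&RelayState=' . $p['RelayState'];
    $signed .= '&SigAlg=' . $p['SigAlg'];

    $allowed = ['http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => OPENSSL_ALGO_SHA256];
    $alg = urldecode($p['SigAlg']);
    if (!isset($allowed[$alg])) return false;                 // e.g. rsa-sha1 refused
    $sig = base64_decode(urldecode($p['Signature']), true);
    $key = openssl_pkey_get_public($idpCertPem);
    return $sig !== false && $key !== false
        && openssl_verify($signed, $sig, $key, $allowed[$alg]) === 1;
}

// Recover the LogoutResponse XML for whichever binding was used. For HTTP-POST the
// caller must still verify the embedded ds:Signature with an XMLDSig implementation
// (php-saml bundles xmlseclibs for this); nothing in the transport covers it.
function decode_logout_response(string $binding, string $samlResponse): string
{
    $raw = base64_decode($samlResponse, true);
    if ($raw === false) return '';
    return $binding === 'HTTP-Redirect' ? (string) gzinflate($raw) : $raw;
}
```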