
Setup information: WSO2 Identity Server version: 5.9. I'm using WSO2 IS to add SSO in my PHP project. I have created a SAML SSO service provider for PHP SAML in WSO2.

Service Provider:
  • Issuer: https://ssowebapp.domain.net/demo1/metadata.php
  • Assertion Consumer URL: https://ssowebapp.domain.net/demo1/php-saml-master/index.php?acs
  • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Enable logout
  • Logout URL: https://ssowebapp.domain.net/demo1/php-saml-master/index.php?sls
  • Logout method: Back-channel logout

This is my settings.php file:

    <?php
    $spBaseUrl = 'https://ssowebapp.domain.net';

    $settingsInfo = array(
        'sp' => array(
            'entityId' => $spBaseUrl.'/demo1/metadata.php',
            'assertionConsumerService' => array(
                'url' => $spBaseUrl.'/php-saml-master/demo1/index.php?acs',
            ),
            'singleLogoutService' => array(
                'url' => $spBaseUrl.'/php-saml-master/demo1/index.php?sls',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ),
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ),
        'idp' => array(
            'entityId' => 'https://wso2.domain.net:9443/samlsso',
            'singleSignOnService' => array(
                'url' => 'https://wso2.domain.net:9443/samlsso',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            'singleLogoutService' => array(
                'url' => 'https://wso2.domain.net:9443/samlsso',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            // IdP signing certificate (PEM body), redacted here
            'x509cert' => '-----Certificate-------------',
        ),
    );

This is my PHP code (index.php):

    <?php
    session_start();
    define("TOOLKIT_PATH", '/var/www/html/ssowebapp/php-saml-master/');
    require_once(TOOLKIT_PATH.'_toolkit_loader.php');
    require_once(TOOLKIT_PATH.'demo1/settings.php');

    $auth = new OneLogin_Saml2_Auth($settingsInfo);
    $requestId = null;

    if (isset($_GET['sso'])) {
        // SSO action. Will send an AuthNRequest to the IdP
        $auth->login();
    } else if (isset($_GET['sso2'])) {
        $returnTo = $spBaseUrl.'/demo1/attrs.php';
        $auth->login($returnTo);
    } else if (isset($_GET['slo'])) {
        // Called without a NameID or SessionIndex, so the LogoutRequest carries neither
        $auth->logout();
    } else if (isset($_GET['acs'])) {
        $auth->processResponse();
        $_SESSION['samlSessionIndex']          = $auth->getSessionIndex();
        $_SESSION['samlNameId']                = $auth->getNameId();
        $_SESSION['samlNameIdFormat']          = $auth->getNameIdFormat();
        $_SESSION['samlNameIdNameQualifier']   = $auth->getNameIdNameQualifier();
        $_SESSION['samlNameIdSPNameQualifier'] = $auth->getNameIdSPNameQualifier();
        $_SESSION['LogoutRequestID']           = $auth->getLastRequestID();
        $errors = $auth->getErrors();
        if (!empty($errors)) {
            echo '<p>', implode(', ', $errors), '</p>';
        }

        if (!$auth->isAuthenticated()) {
            echo "<p>Not authenticated</p>";
            exit();
        }
        $_SESSION['samlUserdata'] = $auth->getAttributes();
        if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) {
            $auth->redirectTo($_POST['RelayState']);
        }
    } else if (isset($_GET['sls'])) {
        // None of these variables are assigned anywhere in this script
        $auth->logout($returnTo, $parameters, $nameId, $sessionIndex, false,
                      $nameIdFormat, $nameIdNameQualifier, $nameIdSPNameQualifier);

        $errors = $auth->getErrors();
        if (empty($errors)) {
            echo '<p>Successfully logged out</p>';
        } else {
            echo '<p>', implode(', ', $errors), '</p>';
        }
    }

    if (isset($_SESSION['samlUserdata'])) {
        if (!empty($_SESSION['samlUserdata'])) {
            $attributes = $_SESSION['samlUserdata'];
            //var_dump($auth->processResponse());
            echo 'You have the following attributes:<br>';
            echo '<table><thead><th>Name</th><th>Values</th></thead><tbody>';
            foreach ($attributes as $attributeName => $attributeValues) {
                echo '<tr><td>' . htmlentities($attributeName) . '</td><td><ul>';
                foreach ($attributeValues as $attributeValue) {
                    echo '<li>' . htmlentities($attributeValue) . '</li>';
                }
                echo '</ul></td></tr>';
            }
            echo '</tbody></table>';
        } else {
            // If there is no user data, we notify
            echo "<p>You don't have any attribute</p>";
        }

        echo '<p><a href="?slo" >Logout</a></p>';
    } else {
        // Print some links with possible actions
        echo '<p><a href="?sso" >Login</a></p>';
        echo '<p><a href="?sso2" >Login and access to attrs.php page</a></p>';
    }

There is no problem during login with SSO. But logout is not working. I have this error in WSO2 IS:

    [2020-03-24 12:04:46,385] [https://ssowebapp.domain.net/php-saml-master/demo1/index.php?sls] ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitLogoutRequestProcessor} - No Established Sessions corresponding to Session Indexes provided.
    [2020-03-24 12:04:46,393] [https://ssowebapp.domain.net/php-saml-master/demo1/index.php?sls] WARN {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Redirecting to default logout page due to an invalid logout request

Comments:
  • Upon logout, WSO2 either refers to the 'samlssoTokenId' cookie in the logout request, or else the '' in the SAML logout request payload. Can you please check that, or provide the 'Cookie' header and the 'SAMLRequest' parameter of the request. WSO2 is referring to that value to identify the session created within the WSO2 server. If that was not presented, logout would fail. This is just an initial point of failure. – Nipun Thathsara Mar 31 '20 at 12:17
  • As you are doing an SP-initiated logout flow, must present in the request. Please check the value of the logout request. Also verify that value with the value returned with the authentication response. (If the authentication response does not contain , you need to enable logout from the SAML service provider configuration in IS.) – Thanuja Mar 31 '20 at 15:08
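The comments above point at the values WSO2 matches a LogoutRequest against: the NameID and SessionIndex it returned in the authentication response. The following is an added example, not the asker's code and not code from the php-saml or WSO2 projects. It rewrites only the ACS, `slo` and `sls` branches of a php-saml 2.x index.php so that the SP-initiated LogoutRequest actually carries those values, and it checks the request before sending it so the exact failure from the log ("No Established Sessions corresponding to Session Indexes provided") is caught on the SP side first. Assumptions: PHP 7 or later (for `??`), the same toolkit path and settings.php as in the question, that the installed php-saml version provides `OneLogin_Saml2_Auth::getLastRequestXML()`, and that the toolkit serializes the session index as a `<samlp:SessionIndex>` element (which is how the 2.x LogoutRequest builder writes it).

```php
<?php
// Added example (not the asker's code): SP-initiated SAML logout with php-saml 2.x
// that sends the NameID and SessionIndex WSO2 IS uses to look up the session.
session_start();
define('TOOLKIT_PATH', '/var/www/html/ssowebapp/php-saml-master/'); // path from the question
require_once TOOLKIT_PATH . '_toolkit_loader.php';
require_once TOOLKIT_PATH . 'demo1/settings.php';   // provides $settingsInfo

$auth = new OneLogin_Saml2_Auth($settingsInfo);

if (isset($_GET['acs'])) {
    // Assertion Consumer Service: validate the Response, then remember the
    // identifiers the IdP will expect back in a LogoutRequest.
    $auth->processResponse();
    $errors = $auth->getErrors();
    if (!empty($errors)) {
        http_response_code(400);
        echo '<p>', htmlentities(implode(', ', $errors)), '</p>';
        exit();
    }
    if (!$auth->isAuthenticated()) {
        echo '<p>Not authenticated</p>';
        exit();
    }
    $_SESSION['samlUserdata']              = $auth->getAttributes();
    $_SESSION['samlNameId']                = $auth->getNameId();
    $_SESSION['samlNameIdFormat']          = $auth->getNameIdFormat();
    $_SESSION['samlNameIdNameQualifier']   = $auth->getNameIdNameQualifier();
    $_SESSION['samlNameIdSPNameQualifier'] = $auth->getNameIdSPNameQualifier();
    $_SESSION['samlSessionIndex']          = $auth->getSessionIndex();
    // No SessionIndex in the Response means the IdP never issued one; with WSO2 IS
    // that is the symptom of "Enable logout" being off on the service provider.
    if ($_SESSION['samlSessionIndex'] === null) {
        error_log('SAML Response carried no SessionIndex; SP-initiated logout will fail');
    }
} elseif (isset($_GET['slo'])) {
    // SP-initiated logout. Without these arguments php-saml builds a LogoutRequest
    // with no NameID and no SessionIndex, which WSO2 cannot match to a session.
    $nameId       = $_SESSION['samlNameId'] ?? null;
    $sessionIndex = $_SESSION['samlSessionIndex'] ?? null;
    $nameIdFormat = $_SESSION['samlNameIdFormat'] ?? null;
    $nq           = $_SESSION['samlNameIdNameQualifier'] ?? null;
    $spnq         = $_SESSION['samlNameIdSPNameQualifier'] ?? null;

    // $stay = true: build the request and return the redirect URL instead of
    // redirecting, so the outgoing XML can be inspected before it is sent.
    $redirectUrl = $auth->logout(null, array(), $nameId, $sessionIndex, true,
                                 $nameIdFormat, $nq, $spnq);
    $xml = $auth->getLastRequestXML(); // assumed available in the installed version
    if ($xml === null || strpos($xml, '<samlp:SessionIndex>') === false) {
        error_log('LogoutRequest has no SessionIndex; not sending it to the IdP');
        echo '<p>Cannot log out: no IdP session index is stored for this session.</p>';
        exit();
    }
    // Keep the request ID so the LogoutResponse's InResponseTo can be verified.
    $_SESSION['LogoutRequestID'] = $auth->getLastRequestID();
    header('Location: ' . $redirectUrl);
    exit();
} elseif (isset($_GET['sls'])) {
    // Single Logout Service: receives the IdP's LogoutResponse (or an IdP-initiated
    // LogoutRequest). This endpoint must call processSLO(), not logout().
    $requestId = $_SESSION['LogoutRequestID'] ?? null;
    $auth->processSLO(false, $requestId);   // false: also destroy the local PHP session
    $errors = $auth->getErrors();
    if (empty($errors)) {
        echo '<p>Successfully logged out</p>';
    } else {
        echo '<p>', htmlentities(implode(', ', $errors)), '</p>';
    }
}
```

The `?sls` branch is the part that differs most from the code in the question: the endpoint registered as the SP's logout URL receives messages from the IdP, so calling `logout()` there sends a second LogoutRequest (with whatever happens to be in the undefined variables) instead of validating the IdP's reply. The pre-send check on `getLastRequestXML()` is a diagnostic rather than a security control: if the SessionIndex is missing there, the fix belongs either in the ACS branch (it was never stored) or in the WSO2 service provider configuration (it was never issued).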

0 Answers