IDP-initiated Logout not working #161

Open
alferca opened this issue Oct 2, 2017 · 13 comments

Comments

@alferca

alferca commented Oct 2, 2017

Login and SP-initiated logout seem to be working, although I can see some errors related to mcrypt in the log:
Function mcrypt_module_open() is deprecated at
/var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php#319

IDP-initiated Logout is not working.

How are the mcrypt errors affecting this? Is there some workaround, or is it going to be solved?

Thanks

Steps to reproduce

  1. Log in with SSO/SAML
  2. Start an IDP-initiated Logout
  3. Check logout is effective

Expected behaviour

Logout initiated from the IdP should result in a correct logout from the SP (Nextcloud) server.

Actual behaviour

The logout message is not processed correctly by user_saml at the SP (Nextcloud) server.

Server configuration

Operating system:
CentOS Linux release 7.4.1708 (Core)

Web server:
httpd-2.4.6-67.el7.centos.2.x86_64

Database:
mariadb-server-5.5.56-2.el7.x86_64

PHP version:
php71w-mysqlnd-7.1.9-2.w7.x86_64
mod_php71w-7.1.9-2.w7.x86_64
php71w-imap-7.1.9-2.w7.x86_64
php71w-pecl-imagick-3.4.3-1.w7.x86_64
php71w-pdo-7.1.9-2.w7.x86_64
php71w-mcrypt-7.1.9-2.w7.x86_64
php71w-cli-7.1.9-2.w7.x86_64
php71w-mbstring-7.1.9-2.w7.x86_64
php71w-pspell-7.1.9-2.w7.x86_64
php71w-ldap-7.1.9-2.w7.x86_64
php71w-pear-1.10.4-1.w7.noarch
php71w-common-7.1.9-2.w7.x86_64
php71w-xml-7.1.9-2.w7.x86_64
php71w-gd-7.1.9-2.w7.x86_64
php71w-process-7.1.9-2.w7.x86_64

Nextcloud version: (see Nextcloud admin page)

  • version: 12.0.3.3

Where did you install Nextcloud from:
https://download.nextcloud.com/server/releases/nextcloud-12.0.3.zip

List of activated apps:

Enabled:

  • activity: 2.5.2
  • bruteforcesettings: 1.0.2
  • calendar: 1.5.5
  • comments: 1.2.0
  • dav: 1.3.0
  • federatedfilesharing: 1.2.0
  • federation: 1.2.0
  • files: 1.7.2
  • files_pdfviewer: 1.1.1
  • files_sharing: 1.4.0
  • files_texteditor: 2.4.1
  • files_trashbin: 1.2.0
  • files_versions: 1.5.0
  • files_videoplayer: 1.1.0
  • firstrunwizard: 2.1
  • gallery: 17.0.0
  • groupfolders: 1.1.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.0.0
  • nextcloud_announcements: 1.1
  • notifications: 2.0.0
  • oauth2: 1.0.5
  • password_policy: 1.2.2
  • provisioning_api: 1.2.0
  • serverinfo: 1.2.0
  • sharebymail: 1.2.0
  • survey_client: 1.0.0
  • systemtags: 1.2.0
  • theming: 1.3.0
  • twofactor_backupcodes: 1.1.1
  • updatenotification: 1.2.0
  • user_saml: 1.4.0
  • workflowengine: 1.2.0

Disabled:
  • admin_audit
  • encryption
  • files_external
  • user_external
  • user_ldap

Nextcloud configuration:

{
"system": {
"instanceid": "oceiqlv2uuy3",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"ibox.ific.uv.es",
"triki.ific.uv.es",
"wn158.ific.uv.es",
"kantele.ific.uv.es"
],
"log_type": "owncloud",
"logfile": "nextcloud.log",
"loglevel": "0",
"datadirectory": "/var/www/html/nextcloud/data",
"overwrite.cli.url": "http://ibox.ific.uv.es/nextcloud",
"dbtype": "mysql",
"version": "12.0.3.3",
"dbname": "nextcloud",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true
}
}

Client configuration

Browser:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0

Operating system:
Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-93-generic x86_64)

Logs

Nextcloud log (data/owncloud.log)

{"reqId":"WdIWtNeZC9@lWzos0mnQzQAAAA8","level":3,"time":"2017-10-02T10:36:36+00:00","remoteAddr":"147.156.52.141","user":"--","app":"PHP","method":"POST","url":"/nextcloud/index.php/apps/user_saml/saml/acs","message":"Function mcrypt_enc_get_iv_size() is deprecated at /var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php#320","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0","version":"12.0.3.3"}
{"reqId":"WdIWtNeZC9@lWzos0mnQzQAAAA8","level":3,"time":"2017-10-02T10:36:36+00:00","remoteAddr":"147.156.52.141","user":"--","app":"PHP","method":"POST","url":"/nextcloud/index.php/apps/user_saml/saml/acs","message":"Function mcrypt_generic_init() is deprecated at /var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php#325","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0","version":"12.0.3.3"}
{"reqId":"WdIWtNeZC9@lWzos0mnQzQAAAA8","level":3,"time":"2017-10-02T10:36:36+00:00","remoteAddr":"147.156.52.141","user":"--","app":"PHP","method":"POST","url":"/nextcloud/index.php/apps/user_saml/saml/acs","message":"Function mdecrypt_generic() is deprecated at /var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php#326","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0","version":"12.0.3.3"}
{"reqId":"WdIWtNeZC9@lWzos0mnQzQAAAA8","level":3,"time":"2017-10-02T10:36:36+00:00","remoteAddr":"147.156.52.141","user":"--","app":"PHP","method":"POST","url":"/nextcloud/index.php/apps/user_saml/saml/acs","message":"Function mcrypt_generic_deinit() is deprecated at /var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php#327","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0","version":"12.0.3.3"}
{"reqId":"WdIWtNeZC9@lWzos0mnQzQAAAA8","level":3,"time":"2017-10-02T10:36:36+00:00","remoteAddr":"147.156.52.141","user":"--","app":"PHP","method":"POST","url":"/nextcloud/index.php/apps/user_saml/saml/acs","message":"Function mcrypt_module_close() is deprecated at /var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php#328","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0","version":"12.0.3.3"}

@S43534

S43534 commented Feb 20, 2018

I have/had the same issue (with SimpleSAMLPHP as IdP). When debugging I found that Nextcloud was not sending a LogoutResponse to a LogoutRequest from the IdP.

I am far from being an expert in SAML, but for me the following solved the issue (apps/user_saml/lib/Controller/SAMLController.php):

public function singleLogoutService() {
    // IdP-initiated SLO: the IdP delivered a <samlp:LogoutRequest> in the SAMLRequest
    // parameter. There is no Nextcloud CSRF token on this cross-site request; php-saml
    // validates the request (signature, issuer) and answers it with a LogoutResponse.
    if(isset($_GET['SAMLRequest'])) {     // check if request comes from IdP
        $auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
        $this->userSession->logout();
        return $auth->processSLO();
    }
    else {
        // SP-initiated SLO: the user clicked logout in Nextcloud. The CSRF check applies here;
        // on success a LogoutRequest carrying the stored NameID/SessionIndex is sent to the IdP.
        if($this->request->passesCSRFCheck()) {
            $auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());

            $returnTo = null;
            $parameters = array();
            $nameId = $this->session->get('user_saml.samlNameId');
            $sessionIndex = $this->session->get('user_saml.samlSessionIndex');
            $this->userSession->logout();
            // stay=true: get the IdP SLO URL back instead of redirecting from inside php-saml
            $targetUrl = $auth->logout($returnTo, $parameters, $nameId, $sessionIndex, true);
        } else {
            $targetUrl = $this->urlGenerator->getAbsoluteURL('/');
        }

        return new Http\RedirectResponse($targetUrl);
    }
}

Someone with knowledge should check this and implement it.

Best regards
Sebastian

@ghost

ghost commented Nov 23, 2018

I am using Keycloak as IdP and I see the same problem. Instead of handling the logout request, user_saml redirects to / because of 082ae7f.
If I ignore the return value of passesCSRFCheck then the logout initiated by the IdP works fine.

How is this supposed to work correctly? Should the CSRF check not fail in that case? Or is ignoring the check right?

Can someone please look at this and suggest a proper fix?

@ghost

ghost commented Feb 9, 2019

Please, can some developer comment on how to fix this properly? I would be willing to help and test once it is clear what needs to be done.

@LukasReschke 082ae7f seems to have introduced this behavior. I don't really understand how this is supposed to work. Can you help?

DylannCordel added a commit to webu/user_saml that referenced this issue May 22, 2019
DylannCordel added a commit to webu/user_saml that referenced this issue May 24, 2019
DylannCordel added a commit to webu/user_saml that referenced this issue Jun 4, 2019
@ghost

ghost commented Jun 17, 2019

This should be fixed by 3f64725

@PrivatePuffin

@fri-sch Well I don't know if something else broke. But it isn't.
I don't even get how a logout request from the IDP would ever lead to a session being invalidated or closed. No session info is ever being extracted from the incoming logout request.

@Spacelord09

Any updates to this?
I think I have the same issue with Keycloak.

If I'm going to log out from another application (Rocket.Chat), I'm getting the following error message from Nextcloud (which is also logged in):
The Message of the Logout Request is not signed and the SP require it
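As an added example (not code from user_saml or php-saml) that ties together S43534's SAMLRequest branch, the question of why the CSRF check cannot apply to it, PrivatePuffin's point that no session information is extracted from the incoming request, and the unsigned-message error quoted above: this function decodes a LogoutRequest received over the HTTP-Redirect binding and reports the NameID and SessionIndex the SP would have to terminate, plus whether the signature the SP requires is present. The IdP issuer, NameID and SessionIndex in the sample request are constructed values.

```php
<?php
// Added example, not user_saml or php-saml code. Decodes an IdP-initiated
// LogoutRequest from the SLO endpoint's query string (HTTP-Redirect binding)
// and reports what the SP needs before ending a session. The request is a
// cross-site redirect from the IdP, so it cannot carry a Nextcloud CSRF token;
// the message signature (verified against the IdP certificate) stands in for it.
function inspectIdpLogoutRequest(array $query, bool $wantMessagesSigned): array {
    if (!isset($query['SAMLRequest'])) {
        throw new InvalidArgumentException('No SAMLRequest: not IdP-initiated SLO');
    }
    // Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then base64.
    $raw = base64_decode($query['SAMLRequest'], true);
    $xml = $raw === false ? false : @gzinflate($raw);
    if ($xml === false) {
        throw new RuntimeException('SAMLRequest is not valid base64/DEFLATE');
    }
    // Untrusted XML: no network access, and no entity substitution (NOENT unset).
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('SAMLRequest is not well-formed XML');
    }
    $nsP = 'urn:oasis:names:tc:SAML:2.0:protocol';
    $nsA = 'urn:oasis:names:tc:SAML:2.0:assertion';
    $root = $doc->documentElement;
    if ($root->namespaceURI !== $nsP || $root->localName !== 'LogoutRequest') {
        throw new RuntimeException('SAMLRequest is not a samlp:LogoutRequest');
    }
    $first = function (string $ns, string $name) use ($root): ?string {
        $list = $root->getElementsByTagNameNS($ns, $name);
        return $list->length ? trim($list->item(0)->textContent) : null;
    };
    // With the Redirect binding the signature travels in the query string as
    // SigAlg + Signature, not inside the XML. Its absence is what php-saml
    // reports as "The Message of the Logout Request is not signed and the SP
    // require it" when the SP is configured to require signed messages.
    $signed = isset($query['Signature'], $query['SigAlg']);
    return [
        'issuer'       => $first($nsA, 'Issuer'),
        'nameId'       => $first($nsA, 'NameID'),        // whose session to end
        'sessionIndex' => $first($nsP, 'SessionIndex'),  // which session to end
        'signed'       => $signed,
        'acceptable'   => $signed || !$wantMessagesSigned, // presence only; verify next
    ];
}
// Constructed sample request (unsigned), as an IdP would deliver it.
$sample = '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"'
    . ' IssueInstant="2017-10-02T10:36:36Z"><saml:Issuer>https://idp.example.org</saml:Issuer>'
    . '<saml:NameID>alice</saml:NameID><samlp:SessionIndex>_s42</samlp:SessionIndex></samlp:LogoutRequest>';
print_r(inspectIdpLogoutRequest(['SAMLRequest' => base64_encode(gzdeflate($sample))], true));
```

The returned nameId and sessionIndex are what the SP must compare with the values it stored at login (user_saml.samlNameId and user_saml.samlSessionIndex in the controller above) to know which session to terminate; signature presence is only the precondition for the cryptographic verification php-saml performs in processSLO.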

@PrivatePuffin

@Spacelord09 considering my research in #455 and the 19(!) open PRs and 95(!) open issues (which both barely get any response from Nextcloud, if at all), I think you know the answer.

Nextcloud dropped enterprise and paying customers (most of which also rely on SAML) in favor of contracts to implement all sorts of niche commercial services into Nextcloud.

@fschrempf
Contributor

Nextcloud dropped enterprise and paying customers (most of which also rely on SAML) in favor of contracts to implement all sorts of niche commercial services into Nextcloud.

Is this just your impression or do you have any sources to back these claims? I'm still wondering how all of these NC setups for public and private cloud infrastructure do authentication if even things like SAML don't work properly?

I fear quite a lot of the concerns and questions I recently voiced for the groupfolders plugin would also apply to user_saml.

One more thing to move even further off topic: Do you have any recommendations on alternative solutions for SSO authentication backends to use with NC and other web apps. I saw you use authelia on your domain. Do you use it with NC? How do you handle the user and group management?

@PrivatePuffin

I spent days going through the code finding out why SAML SLO wasn't working.
The cause was quite clear; see my research in my own issue about this: they changed the authentication code for Nextcloud and neglected to update the SAML plugin (which would mean a mostly complete rewrite of the plugin).

So considering they wanted to push changes and not update a quite relevant enterprise feature like SAML (or even care enough to update/maintain it at all), I can't come to any other conclusion than that they dropped enterprise support, as they did implement all sorts of medium-relevance crap in the meantime.

Anyhow, off topic:
I use authelia for all non-Nextcloud applications and sync both using LDAP. No SLO though (sadly enough).

@patschi
Member

patschi commented May 28, 2021

When clicking on Show optional Identity Provider settings you can set URL Location of the IdP where the SP will send the SLO Request. I've set this to https://adfs.domain.tld/adfs/ls/?wa=wsignout1.0 and I'm able to logout now just fine.

@PrivatePuffin

PrivatePuffin commented May 28, 2021

When clicking on Show optional Identity Provider settings you can set URL Location of the IdP where the SP will send the SLO Request. I've set this to https://adfs.domain.tld/adfs/ls/?wa=wsignout1.0 and I'm able to logout now just fine.

That's not IDP-initiated SLO, that's SLO.
IDP-initiated SLO is when an application sends an SLO request to the IDP, which then sends SLO requests to other applications (such as nextcloud).

Nextcloud only respects SLO when it is the application to send the SLO request, but it doesn't work when the IDP initiates the SLO.

When responding to issues, it's important you understand what people are talking about, before saying you have no issues. Because in this case your comment would not be needed if you asked what "IDP initiated SLO" means before ignoring that part of the Issue report ;-)

@Spacelord09

It's been 3 years since I asked for an update.. Very professional..

@PrivatePuffin

@Spacelord09 I stopped using Nextcloud for this reason.
Their definition of enterprise grade software is... weird.
