
SAML logout does not work both ways
Open, In Progress, Needs Triage, Public

Description

Hi Cindy,

I installed the SimpleSAMLphp Plugin to set up MediaWiki as service provider. Login works pretty good, but there's a problem with the logout.

If I log out on my identity provider, I am not logged out in MediaWiki. The other way round, if I log out in MediaWiki, an error is displayed ("") and I am not logged out at my identity provider. If I refresh the page, I am logged out in MediaWiki.

If I use the SimpleSAMLphp web interface the logout works properly both ways.

Kind regards
Markus

Event Timeline

cicalese added subscribers: Osnard, cicalese.

@Osnard Do you have any thoughts on this?

SP = SimpleSAMLphp ServiceProvider web interface

  1. Case "Logout on IdP does not log out on Wiki, but only on SP": Well, the SP code does not destroy the Wiki user session automatically and I actually don't know how to implement that. We can not ask the SP at any "UserLoadFromSession" if he is still logged into the SP, @ccicalese, can we?
  2. Case "Logout on Wiki does not log out on IdP": That's strange, as the MediaWiki extension should call the logout method on the SP code. Does it log out on the SP? Is there an error message in any of the logs?
  1. Actually the browser calls the logout method, but the HTTP-Method is "OPTION" not "GET". The MW displays "Cannot log out now: http" - I don't see any other log entries. It does not log out on the SP either.

These are the two requests: (I had to remove the query parameter)

--Request Header: SimpleSAML UI (SP) which works --

GET /c/portal/saml/slo?SAMLRequest=... HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:81/simplesaml/module.php/core/authenticate.php?as=default-sp
Connection: keep-alive
Cookie: JSESSIONID=4FDCA8C983EE6311C41BAB98D3F7FF17; COOKIE_SUPPORT=true; LFR_SESSION_STATE_20119=1582886908384; LFR_SESSION_STATE_20155=expired; GUEST_LANGUAGE_ID=de_DE; COMPANY_ID=20115; ID=73414b483532545a666f56436b663161397a6a5977773d3d; SAML_SSO_SESSION_ID=_9c9d92b68106500fc28a81f684dd69aa68fda9069323ae710b5a74da1f4f
Upgrade-Insecure-Requests: 1

--Request Header: Media Wiki --

OPTIONS /c/portal/saml/slo?SAMLRequest=... HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
Referer: http://127.0.0.1/index.php/Hauptseite
Origin: http://127.0.0.1
Connection: keep-alive
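
The two request heads above differ in exactly the way a CORS preflight differs from a top-level navigation. As an added check (example code written for this page, not part of the SimpleSAMLphp extension or of the thread), the following Python classifies a captured request head: it flags an OPTIONS request that carries Origin and Access-Control-Request-Method as a preflight, compares the Origin against the Host header to decide whether the request is cross-origin, and lists the requested headers that are not CORS-safelisted (here x-requested-with), which is what forces the browser to send the preflight at all. The two sample heads are constructed copies of the ones quoted above with cookies and unrelated headers dropped; the names CORS_SAFELISTED, parse_head, classify_logout_request and Verdict are my own.

```python
# Added example (not part of the Phabricator task or the SimpleSAMLphp
# extension): classify a captured HTTP request head so the two logout
# requests quoted in the thread can be told apart mechanically.
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Request headers the Fetch spec treats as CORS-safelisted; any other header
# on a cross-origin script request forces the browser to send an OPTIONS
# preflight before the real request.
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}

# Constructed copies of the two request heads quoted above, trimmed to the
# lines that matter for the check (cookie values and UA string dropped).
SP_LOGOUT = """GET /c/portal/saml/slo?SAMLRequest=... HTTP/1.1
Host: localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://127.0.0.1:81/simplesaml/module.php/core/authenticate.php?as=default-sp
Connection: keep-alive
"""

MW_LOGOUT = """OPTIONS /c/portal/saml/slo?SAMLRequest=... HTTP/1.1
Host: localhost:8080
Accept: */*
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
Referer: http://127.0.0.1/index.php/Hauptseite
Origin: http://127.0.0.1
Connection: keep-alive
"""


@dataclass(frozen=True)
class Verdict:
    method: str
    is_preflight: bool                 # OPTIONS + Origin + Access-Control-Request-Method
    cross_origin: bool                 # Origin's host[:port] differs from the Host header
    blocking_headers: Tuple[str, ...]  # requested headers that are not CORS-safelisted
    explanation: str


def parse_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a request head into (method, request-target, lower-cased header map)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(maxsplit=2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():      # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_logout_request(raw: str) -> Verdict:
    """Decide whether a captured request is a cross-origin CORS preflight."""
    method, target, h = parse_head(raw)
    origin = h.get("origin")
    host = h.get("host", "")
    # A top-level navigation carries no Origin header; a script-issued request does.
    cross_origin = origin is not None and urlsplit(origin).netloc != host
    is_preflight = (
        method == "OPTIONS"
        and origin is not None
        and "access-control-request-method" in h
    )
    wanted = [x.strip().lower()
              for x in h.get("access-control-request-headers", "").split(",")
              if x.strip()]
    blocking = tuple(x for x in wanted if x not in CORS_SAFELISTED)
    if is_preflight:
        explanation = (
            f"script-issued {h['access-control-request-method']} to {target} from {origin}; "
            f"non-safelisted header(s) {', '.join(blocking) or '(none)'} force a preflight, "
            "so the SLO endpoint sees OPTIONS instead of the expected navigation"
        )
    elif origin is None and method == "GET":
        explanation = f"top-level navigation to {target}; no CORS involved"
    else:
        explanation = f"{method} to {target} without preflight"
    return Verdict(method, is_preflight, cross_origin, blocking, explanation)


if __name__ == "__main__":
    for label, raw in (("SimpleSAMLphp UI", SP_LOGOUT), ("MediaWiki", MW_LOGOUT)):
        v = classify_logout_request(raw)
        print(f"{label}: preflight={v.is_preflight} cross_origin={v.cross_origin}")
        print(f"  {v.explanation}")
```

Run as-is, the MediaWiki head comes back as a cross-origin preflight with x-requested-with as the blocking header, while the SimpleSAMLphp UI head is a plain top-level GET. HTTP-Redirect SLO relies on the browser actually navigating to the IdP, so a logout that is issued from script with a custom header never reaches the IdP as a navigation; spotting Access-Control-Request-Headers in the capture is the quickest way to confirm that before digging into the SAML messages themselves.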

Interesting. No idea at the moment. I'd need to dig deeper, but I won't have the time for it right now.

Regarding #2: This may be unrelated but there is a similar issue _without_ SAML: T227621

  1. Case "Logout on IdP does not log out on Wiki, but only on SP": Well, the SP code does not destroy the Wiki user session automatically and I actually don't know how to implement that. We can not ask the SP at any "UserLoadFromSession" if he is still logged into the SP, @ccicalese, can we?

No, we cannot. The only time I've seen something similar done was for an SP that was aware of the wiki login and would issue a redirect to Special:Userlogout on SP logout. But, that was a unique situation which is unlikely to be generally useful.

@Markus.T Did you happen to find a solution for this? I'm running into the same issue on my Wiki + SimpleSAML setup.

Osnard changed the task status from Open to In Progress. Mar 29 2022, 1:55 PM
Osnard claimed this task.

I am currently working on this

Current WIP commit https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SimpleSAMLphp/+/903248

Apparently we can not allow backchannel logout when "local login" is enabled

Change 903591 had a related patch set uploaded (by Robert Vogel; author: Robert Vogel):

[mediawiki/extensions/SimpleSAMLphp@master] Add support for IdP induced SLO (Opt.2)

https://gerrit.wikimedia.org/r/903591

Change 903558 had a related patch set uploaded (by ItSpiderman; author: Robert Vogel):

[mediawiki/extensions/SimpleSAMLphp@REL1_39] Add support for IdP induced SLO (Opt.2)

https://gerrit.wikimedia.org/r/903558

Change 903558 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@REL1_39] Add support for IdP induced SLO (Opt.2)

https://gerrit.wikimedia.org/r/903558

Change 903591 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@master] Add support for IdP induced SLO (Opt.2)

https://gerrit.wikimedia.org/r/903591