Univention Bugzilla – Bug 49532
Rocket.Chat: SAML Logout after using rocket.chat causes SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Last modified: 2022-07-12 15:59:46 CEST
UCS: 4.4-0 errata113
Installed: 4.3/rocketchat=1.0.3 (from Test App Center)

Steps to reproduce:
1) Create a new user in UCS, no admin user. No SAML service providers added.
2) Logout from UCS
3) Login with the newly created user.
4) Go to the portal page and click logout.
5) A simpleSAMLphp error page with the below listed traceback comes up.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
1 /usr/share/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Missing status code on response.
Backtrace:
5 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/StatusResponse.php:68 (SAML2_StatusResponse::__construct)
4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/LogoutResponse.php:17 (SAML2_LogoutResponse::__construct)
3 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:543 (SAML2_Message::fromXML)
2 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:121 (SAML2_HTTPRedirect::receive)
1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:488 (sspmod_saml_IdP_SAML2::receiveLogoutMessage)
0 /usr/share/simplesamlphp/www/saml2/idp/SingleLogoutService.php:23 (N/A)

This error is annoying and disturbs the user experience with Single Sign-On and other apps. The next update of Rocket.Chat comes with SAML pre-configured, but deactivated. After a SAML login, either via UCS or Rocket.Chat, the SAML session cannot be quit. The user has to wait for the session timeout.
I have the same issue in a demo environment. Seems to be a generic issue.
OK, happens only if the authenticated user uses rocket.chat based on SAML. So this is not a generic issue (it doesn't happen if the user authenticates in UMC using SAML).
Based on the last comment I suspect that Rocket.Chat sends a malformed SAML message to our IdP.
If possible, we should check if the message is logged in /var/log/syslog before the traceback occurs with an increased loglevel:

ucr set saml/idp/log/debug/enabled=TRUE saml/idp/log/level=DEBUG
Here is some more debug output:

Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Saved state: '_6d4c5e8068218d29917f3d0bf55dd930459803099c'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Session: Valid session found with 'univention-ldap'.
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Session: doLogout('univention-ldap')
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Session: 'univention-ldap' not valid because we are not authenticated.
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 4 [f3bb79ddb3] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 6 [f3bb79ddb3] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Received message:
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns0:LogoutRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Destination="https://demo3.sovereignit.de/simplesamlphp/saml2/idp/SingleLogoutService.php" ID="id-TxQwdN0LyHRrno4Jb" IssueInstant="2020-06-11T06:03:34Z" Reason="" Version="2.0">
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo3.sovereignit.de/univention/saml/metadata</ns1:Issuer>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:Signature Id="Signature1">
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:SignedInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:Reference URI="#id-TxQwdN0LyHRrno4Jb">
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:Transforms>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns2:Transforms>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:DigestValue>BSBTNSuvN+GJ/ARE9Z8AzE92tPg=</ns2:DigestValue>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns2:Reference>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns2:SignedInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:SignatureValue>KHvwloTIpkhKsiYGrQevI5ss+ckG9l+z8mFVckuO6tumGKf0hVc1H0gQ9A8BgV0c
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] PhzvbY/BEdN4xisoUBnxFO8T8+lZz9FesxroNUScTf9/Db+C4hR9/qcQZ3RTMQQ3
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] 3923Fjykq/jq2CtFwKO0HgItId9Fecv5dSnjpXTw13Qxn02oMVW0mNU6Kk76dLxr
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] En6zqVvqJxghbqc8m0msAOTq7Tot+auNZKEYKWEu0ufJ3mu8XbIOOeSMF3zlapL3
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] 7fobByTklWgRmCpUG+Fc8xfna83dQMeaBobKm7IwhnaEPtLjdwxr3DrZyV+BvXw4
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] WIREnpsp6evPMSpL7bkkxQ==</ns2:SignatureValue>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:KeyInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:X509Data>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns2:X509Certificate>MIIE/jCCA+agAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkRFMQswCQYDVQQHEwJERTELMAkGA1UEChMCREUxJDAiBgNVBAsTG1VuaXZlbnRpb24gQ29ycG9yYXRlIFNlcnZlcjE6MDgGA1UEAxMxVW5pdmVudGlvbiBDb3Jwb3JhdGUgU2VydmVyIFJvb3QgQ0EgKElEPXJjam5ka1dhKTETMBEGCSqGSIb3DQEJARYEc3NsQDAeFw0yMDA2MTAxMjM3MzFaFw0yNTA2MDkxMjM3MzFaMIGOMQswCQYDVQQGEwJERTELMAkGA1UECBMCREUxCzAJBgNVBAcTAkRFMQswCQYDVQQKEwJERTEkMCIGA1UECxMbVW5pdmVudGlvbiBDb3Jwb3JhdGUgU2VydmVyMR0wGwYDVQQDExRkZW1vMy5zb3ZlcmVpZ25pdC5kZTETMBEGCSqGSIb3DQEJARYEc3NsQDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKySIRS4soUIB7FtrfaZtJh/MqZnJvUAlWgdTCPLoP6ksDE16vUW7GnEiIOoZEeWAuY92UQ4xtsQBWdeouUOn4INmEemRl7ziYuu19la1AOt1FhsLLBZkeonpurznXwBAhjk2bBC/1JwPRZKqUf1hS08RaQA5hCscAJ2Nn80LmnvexHYWGP9qkYyoctVDDQ44kIjb4mxFs/P19a8gBr5mJrJjwtAOjlDBtPMx3SPRPhA61Bu0B8XgMi/POpjo7sXQ2jS/1gRX2L99djKeUdEe+aZSGt05hRCrLewg9thEoDAMFUkeRuYoK9iMjh3fe0xZoWS4rzdmu7UdmzcQN5ylSkCAwEAAaOCAUYwggFCMAkGA1UdEwQCMAAwHQYDVR0OBBYEFBf8WqBW5e2twZAvObD3ASUg61PHMIHgBgNVHSMEgdgwgdWAFFjZARYuVs46+SYRbphfAmMxvnr8oYGxpIGuMIGrMQswCQYDVQQGEwJERTELMAkGA1UECBMCREUxCzAJBgNVBAcTAkRFMQswCQYDVQQKEwJERTEkMCIGA1UECxMbVW5pdmVudGlvbiBDb3Jwb3JhdGUgU2VydmVyMTowOAYDVQQDEzFVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIgUm9vdCBDQSAoSUQ9cmNqbmRrV2EpMRMwEQYJKoZIhvcNAQkBFgRzc2xAggkAjQdjsrHT8DowCwYDVR0PBAQDAgXgMCYGA1UdEQQfMB2CFGRlbW8zLnNvdmVyZWlnbml0LmRlggVkZW1vMzANBgkqhkiG9w0BAQsFAAOCAQEAe1SruOEZnrt3uz2XoKQnXE1CGBPl1DU9leCg3Jt+DTfVhNufquzLiilLj6NQ1KjIWlUVxrw9I4JsE6kRE6gAAq9fcI4EAPuL2urHoJZ5HygrEPSajei8WPteR0i9y+K4WbEr4zabUtZ7jj4utZeXg3t9R3S+2ydMdnjj7/s8TxqIg5KMwyYa2OFT+55Ii0lZhuM3YqH2z0efyZ2LJZVf1M2wwz+O26tkNTuyQhxr6JwnmXwd383Do+dhzRCq23TqYINBvzuViq4zIZIz+LwCO21Gf2HHuyk2z/eSIek9it6aalcqHx+EjpyDmgLej1RZD+CLugzuX9JlJW3zSonVoA==</ns2:X509Certificate>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns2:X509Data>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns2:KeyInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns2:Signature>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="https://demo3.sovereignit.de/univention/saml/metadata">_f06e2af2af8f9245d0a8252ac388e08afea673e26a</ns1:NameID>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns0:LogoutRequest>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 6 [f3bb79ddb3] Received SAML 2.0 LogoutRequest from: 'https://demo3.sovereignit.de/univention/saml/metadata'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 5 STAT [f3bb79ddb3] saml20-idp-SLO spinit https://demo3.sovereignit.de/univention/saml/metadata https://demo3.sovereignit.de/simplesamlphp/saml2/idp/metadata.php
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] loading key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 from memcache
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] saving key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 to memcache
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Saved state: '_6d4c5e8068218d29917f3d0bf55dd930459803099c'
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 6 [f3bb79ddb3] Logging out of 'saml:https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS'.
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 6 [f3bb79ddb3] Sending SAML 2.0 LogoutRequest to: 'https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS'
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Sending message:
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_966e0deac221a887e347e954cffcb7e23359fd1f39" Version="2.0" IssueInstant="2020-06-11T06:03:34Z" Destination="https://demo3.sovereignit.de/rocketchat/_saml/logout/UCS" NotOnOrAfter="2020-06-11T06:08:35Z">
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] <saml:Issuer>https://demo3.sovereignit.de/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] <saml:NameID SPNameQualifier="https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">christian.cux@sovereignit.de</saml:NameID>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] <samlp:SessionIndex>_d7bb493416ca2cb269dee8523d55e9085f7403a3f0</samlp:SessionIndex>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] </samlp:LogoutRequest>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 4 [f3bb79ddb3] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Loading state: '_6d4c5e8068218d29917f3d0bf55dd930459803099c'
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] loading key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 from memcache
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] saving key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 to memcache
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Localization: using old system
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Template: Reading [/usr/share/simplesamlphp/dictionaries/errors]
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] /simplesamlphp/saml2/idp/SingleLogoutService.php - Template: Could not find template file [error.php] at [/usr/share/simplesamlphp/modules/univentiontheme/themes/univention/default/error.php] - now trying the base template
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] saving key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 to memcache
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 4 [f3bb79ddb3] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 6 [f3bb79ddb3] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Received message:
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_id-b80bfac20f7b041a1667" Version="2.0" IssueInstant="2020-06-11T06:03:35.103Z" Destination="https://demo3.sovereignit.de/simplesamlphp/saml2/idp/SingleLogoutService.php">
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS</saml:Issuer>
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] </samlp:LogoutResponse>
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Backtrace:
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 1 /usr/share/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 0 [builtin] (N/A)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Caused by: Exception: Missing status code on response.
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Backtrace:
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 5 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/StatusResponse.php:70 (SAML2\StatusResponse::__construct)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/LogoutResponse.php:19 (SAML2\LogoutResponse::__construct)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 3 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:574 (SAML2\Message::fromXML)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 2 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:125 (SAML2\HTTPRedirect::receive)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:544 (sspmod_saml_IdP_SAML2::receiveLogoutMessage)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 0 /usr/share/simplesamlphp/www/saml2/idp/SingleLogoutService.php:23 (N/A)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Error report with id 7165479f generated.
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] loading key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 from memcache
UCS IDP redirects to: https://xxx/rocketchat/_saml/logout/UCS? with SAMLRequest=:

<?xml version="1.0" ?>
<ns0:LogoutRequest Destination="https://xxx/rocketchat/_saml/logout/UCS" ID="_dc3847199329ab2e7d979c93af002e7f7dcfddaf95" IssueInstant="2020-06-11T07:23:02Z" NotOnOrAfter="2020-06-11T07:28:02Z" Version="2.0" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns1:Issuer>https://xxx/simplesamlphp/saml2/idp/metadata.php</ns1:Issuer>
  <ns1:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="https://xxx/rocketchat/_saml/metadata/UCS">anna.alster@xxx</ns1:NameID>
  <ns0:SessionIndex>_efcb533a5312aa5c5ede3b42c0a536e0f1d740a033</ns0:SessionIndex>
</ns0:LogoutRequest>

Then Rocket Chat redirects back to the IDP:

<?xml version="1.0" ?>
<ns0:LogoutResponse Destination="https://xxx/simplesamlphp/saml2/idp/SingleLogoutService.php" ID="_id-4b563e0a78d778eb3f28" IssueInstant="2020-06-11T07:23:02.504Z" Version="2.0" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns1:Issuer>https://xxx/rocketchat/_saml/metadata/UCS</ns1:Issuer>
  <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</ns0:LogoutResponse>

Which is missing InResponseTo="_dc3847199329ab2e7d979c93af002e7f7dcfddaf95". And the XML structure is also broken, because the samlp:StatusCode is not enclosed in samlp:Status.

Patch:
--- /app/bundle/programs/server/app/app.js.org 2020-06-11 11:05:02.136000000 +0200 +++ /app/bundle/programs/server/app/app.js 2020-06-11 11:15:20.916000000 +0200 @@ -126368,6 +126368,7 @@ response } = _saml.generateLogoutResponse({ nameID: result.nameID, + ID: result.ID, sessionIndex: result.idpSession }); 
@@ -126669,10 +126670,10 @@ return request; }; -SAML.prototype.generateLogoutResponse = function () { +SAML.prototype.generateLogoutResponse = function (options) { const id = "_".concat(this.generateUniqueID()); const instant = this.generateInstant(); - const response = "".concat('<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' + 'ID="').concat(id, "\" ") + 'Version="2.0" ' + "IssueInstant=\"".concat(instant, "\" ") + "Destination=\"".concat(this.options.idpSLORedirectURL, "\" ") + '>' + "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">".concat(this.options.issuer, "</saml:Issuer>") + '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>' + '</samlp:LogoutResponse>'; + const response = "".concat('<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' + (options.ID ? 'InResponseTo="' + options.ID + '" ' : '') + 'ID="').concat(id, "\" ") + 'Version="2.0" ' + "IssueInstant=\"".concat(instant, "\" ") + "Destination=\"".concat(this.options.idpSLORedirectURL, "\" ") + '>' + "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">".concat(this.options.issuer, "</saml:Issuer>") + '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' + '</samlp:LogoutResponse>'; debugLog('------- SAML Logout response -----------'); debugLog(response); return { @@ -126888,9 +126889,11 @@ const nameIdNode = request.getElementsByTagName('saml:NameID')[0]; const idpSession = sessionNode.childNodes[0].nodeValue; const nameID = nameIdNode.childNodes[0].nodeValue; + const ID = request.getAttribute('ID'); return callback(null, { idpSession, - nameID + nameID, + ID }); } catch (e) { debugLog("Caught error: ".concat(e));
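Review bot: in the generateLogoutResponse hunk, `options.ID` throws a TypeError whenever a caller still uses the old no-argument form `generateLogoutResponse()`, so the parameter should get a default (`function (options = {})`) or the access should be guarded. In the same hunk the value of `options.ID` is concatenated straight into the `InResponseTo="..."` attribute without escaping; it originates from the remote LogoutRequest's ID attribute, so validate it against the xs:ID (NCName) syntax or XML-escape it before building the string. The `<samlp:Status><samlp:StatusCode .../></samlp:Status>` nesting is the structure the SAML 2.0 protocol schema requires and is what resolves the "Missing status code on response" exception.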
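Review bot: in the hunk that adds `const ID = request.getAttribute('ID');`, a LogoutRequest without an ID attribute yields null (or an empty string) which is passed through the callback unchanged and then silently produces a response with no InResponseTo; since ID is mandatory on a SAML 2.0 LogoutRequest, a missing or empty value should be reported as an error here, next to the existing `catch (e)` path, rather than being left for the IdP to reject.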
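The two defects described in this comment (samlp:StatusCode not enclosed in samlp:Status, and no InResponseTo correlating the response with the LogoutRequest) can be checked and the compliant response built with a short script. The following is an added example and is neither Rocket.Chat's nor simpleSAMLphp's code; it uses Python's standard xml.etree module, the function names build_logout_response and check_logout_response are this example's own, and the sample response is the shape posted above with the bug report's "xxx" placeholders. It goes slightly beyond the comment by also flagging a non-Success status value.

```python
"""Build and check a SAML 2.0 LogoutResponse the way a strict IdP does.

Added example (not Rocket.Chat or simpleSAMLphp code). It reproduces the
checks behind the "Missing status code on response" failure in this bug:
samlp:StatusCode must sit inside samlp:Status, and the response should
carry InResponseTo equal to the ID of the LogoutRequest it answers.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Shape of the response Rocket.Chat sent before the patch, taken from the
# bug report (hostnames are its "xxx" placeholders): StatusCode directly
# under LogoutResponse and no InResponseTo attribute.
BROKEN_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_id-4b563e0a78d778eb3f28" Version="2.0" '
    'IssueInstant="2020-06-11T07:23:02.504Z" '
    'Destination="https://xxx/simplesamlphp/saml2/idp/SingleLogoutService.php">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://xxx/rocketchat/_saml/metadata/UCS</saml:Issuer>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:LogoutResponse>'
)
# ID of the LogoutRequest the IdP sent, from the same comment.
REQUEST_ID = "_dc3847199329ab2e7d979c93af002e7f7dcfddaf95"


def build_logout_response(issuer, destination, response_id, instant,
                          in_response_to=None):
    """Serialise a LogoutResponse with Status wrapping StatusCode.

    Using the DOM instead of string concatenation also escapes attribute
    values, so a request ID cannot break out of the InResponseTo attribute.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": response_id, "Version": "2.0", "IssueInstant": instant,
        "Destination": destination})
    if in_response_to:
        root.set("InResponseTo", in_response_to)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    return ET.tostring(root, encoding="unicode")


def check_logout_response(xml_text, expected_request_id):
    """Return a list of problems; an empty list means the response passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return [f"unexpected root element {root.tag}"]

    # The IdP library looks for samlp:Status/samlp:StatusCode; a StatusCode
    # placed directly under the root is exactly the bug's broken layout.
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        problems.append("missing samlp:Status")
        if root.find(f"{{{SAMLP}}}StatusCode") is not None:
            problems.append("samlp:StatusCode is a direct child of "
                            "LogoutResponse instead of inside samlp:Status")
    else:
        code = status.find(f"{{{SAMLP}}}StatusCode")
        if code is None:
            problems.append("samlp:Status has no samlp:StatusCode")
        elif code.get("Value") != SUCCESS:
            problems.append(f"logout did not succeed: {code.get('Value')}")

    # Without InResponseTo the IdP cannot tie the response to its request,
    # so a stale or replayed response would be indistinguishable.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        problems.append("missing InResponseTo; response cannot be "
                        "correlated with the LogoutRequest")
    elif in_response_to != expected_request_id:
        problems.append(f"InResponseTo {in_response_to!r} does not match "
                        f"request ID {expected_request_id!r}")
    return problems


if __name__ == "__main__":
    for problem in check_logout_response(BROKEN_RESPONSE, REQUEST_ID):
        print("-", problem)
    fixed = build_logout_response(
        "https://xxx/rocketchat/_saml/metadata/UCS",
        "https://xxx/simplesamlphp/saml2/idp/SingleLogoutService.php",
        "_id-example", "2020-06-11T07:23:02Z", REQUEST_ID)
    print("fixed response problems:", check_logout_response(fixed, REQUEST_ID))
```

Run against the broken response, the checker reports the missing Status element, the misplaced StatusCode and the missing InResponseTo; the response built by build_logout_response passes all checks.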
I created a Pull Request at RocketChat: https://github.com/RocketChat/Rocket.Chat/pull/17879
(In reply to Florian Best from comment #7)
> Which is missing InResponseTo="_dc3847199329ab2e7d979c93af002e7f7dcfddaf95".

The missing InResponseTo is still a problem when logging out. But it is still not a UCS issue -> Retagging development internal

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_ab10f9cb5eee19ee88bbe116324feb1b0cb85557ef" Version="2.0" IssueInstant="2022-07-12T13:28:17.838Z" Destination=" https://customer.fqdn/simplesamlphp/saml2/idp/SingleLogoutService.php" >
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://customer.fqdn/_saml/metadata/univention</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
</samlp:LogoutResponse>
Rocketchat version 4.8.1