Bug 49532 - Rocket.Chat: SAML Logout after using rocket.chat causes SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
https://github.com/RocketChat/Rocket....
Depends on:
Blocks:
Reported: 2019-05-22 14:50 CEST by Nico Gulden
Modified: 2022-07-12 15:59 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022070721000117
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Description Nico Gulden univentionstaff 2019-05-22 14:50:36 CEST
UCS: 4.4-0 errata113
Installed: 4.3/rocketchat=1.0.3 (from Test App Center)

Steps to reproduce:

1) Create a new user in UCS, no admin user. No SAML service providers added.
2) Logout from UCS
3) Login with the newly created user.
4) Go to the portal page and click logout.
5) A simpleSAMLphp error page with the below listed traceback comes up.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 /usr/share/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Missing status code on response.
Backtrace:
5 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/StatusResponse.php:68 (SAML2_StatusResponse::__construct)
4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/LogoutResponse.php:17 (SAML2_LogoutResponse::__construct)
3 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:543 (SAML2_Message::fromXML)
2 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:121 (SAML2_HTTPRedirect::receive)
1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:488 (sspmod_saml_IdP_SAML2::receiveLogoutMessage)
0 /usr/share/simplesamlphp/www/saml2/idp/SingleLogoutService.php:23 (N/A)


This error is annoying and disturbs the user experience with Single Sign-On and other apps. The next update of Rocket.Chat comes with SAML pre-configured, but deactivated. After a SAML Login, either via UCS or Rocket.Chat, the SAML session cannot be quit. The user has to wait for the session timeout.
Comment 2 Ingo Steuwer univentionstaff 2019-06-27 15:46:27 CEST
I have the same issue in a demo environment. Seems to be a generic issue.
Comment 3 Ingo Steuwer univentionstaff 2019-06-27 15:51:39 CEST
OK, happens only if the authenticated user uses rocket.chat based on SAML. So this is not a generic issue (it doesn't happen if the user authenticates in UMC using SAML).
Comment 4 Erik Damrose univentionstaff 2019-06-27 15:55:16 CEST
Based on the last comment I suspect that Rocket.Chat sends a malformed SAML message to our IdP.
Comment 5 Erik Damrose univentionstaff 2019-06-27 15:58:32 CEST
If possible, we should check if the message is logged in /var/log/syslog before the traceback occurs with an increased loglevel: ucr set saml/idp/log/debug/enabled=TRUE saml/idp/log/level=DEBUG
Comment 6 Stefan Gohmann univentionstaff 2020-06-11 08:05:22 CEST
Here is some more debug output:

Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Saved state: '_6d4c5e8068218d29917f3d0bf55dd930459803099c'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Session: Valid session found with 'univention-ldap'.
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Session: doLogout('univention-ldap')
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Session: 'univention-ldap' not valid because we are not authenticated.
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 4 [f3bb79ddb3] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 6 [f3bb79ddb3] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] Received message:
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] <ns0:LogoutRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Destination="https://demo3.sovereignit.de/simplesamlphp/saml2/idp/SingleLogoutService.php" ID="id-TxQwdN0LyHRrno4Jb" IssueInstant="2020-06-11T06:03:34Z" Reason="" Version="2.0">
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]   <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo3.sovereignit.de/univention/saml/metadata</ns1:Issuer>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]   <ns2:Signature Id="Signature1">
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]     <ns2:SignedInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]       <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]       <ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]       <ns2:Reference URI="#id-TxQwdN0LyHRrno4Jb">
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]         <ns2:Transforms>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]           <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]           <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]         </ns2:Transforms>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]         <ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]         <ns2:DigestValue>BSBTNSuvN+GJ/ARE9Z8AzE92tPg=</ns2:DigestValue>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]       </ns2:Reference>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]     </ns2:SignedInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]     <ns2:SignatureValue>KHvwloTIpkhKsiYGrQevI5ss+ckG9l+z8mFVckuO6tumGKf0hVc1H0gQ9A8BgV0c
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] PhzvbY/BEdN4xisoUBnxFO8T8+lZz9FesxroNUScTf9/Db+C4hR9/qcQZ3RTMQQ3
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] 3923Fjykq/jq2CtFwKO0HgItId9Fecv5dSnjpXTw13Qxn02oMVW0mNU6Kk76dLxr
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] En6zqVvqJxghbqc8m0msAOTq7Tot+auNZKEYKWEu0ufJ3mu8XbIOOeSMF3zlapL3
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] 7fobByTklWgRmCpUG+Fc8xfna83dQMeaBobKm7IwhnaEPtLjdwxr3DrZyV+BvXw4
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] WIREnpsp6evPMSpL7bkkxQ==</ns2:SignatureValue>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]     <ns2:KeyInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]       <ns2:X509Data>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]         <ns2:X509Certificate>MIIE/jCCA+agAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkRFMQswCQYDVQQHEwJERTELMAkGA1UEChMCREUxJDAiBgNVBAsTG1VuaXZlbnRpb24gQ29ycG9yYXRlIFNlcnZlcjE6MDgGA1UEAxMxVW5pdmVudGlvbiBDb3Jwb3JhdGUgU2VydmVyIFJvb3QgQ0EgKElEPXJjam5ka1dhKTETMBEGCSqGSIb3DQEJARYEc3NsQDAeFw0yMDA2MTAxMjM3MzFaFw0yNTA2MDkxMjM3MzFaMIGOMQswCQYDVQQGEwJERTELMAkGA1UECBMCREUxCzAJBgNVBAcTAkRFMQswCQYDVQQKEwJERTEkMCIGA1UECxMbVW5pdmVudGlvbiBDb3Jwb3JhdGUgU2VydmVyMR0wGwYDVQQDExRkZW1vMy5zb3ZlcmVpZ25pdC5kZTETMBEGCSqGSIb3DQEJARYEc3NsQDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKySIRS4soUIB7FtrfaZtJh/MqZnJvUAlWgdTCPLoP6ksDE16vUW7GnEiIOoZEeWAuY92UQ4xtsQBWdeouUOn4INmEemRl7ziYuu19la1AOt1FhsLLBZkeonpurznXwBAhjk2bBC/1JwPRZKqUf1hS08RaQA5hCscAJ2Nn80LmnvexHYWGP9qkYyoctVDDQ44kIjb4mxFs/P19a8gBr5mJrJjwtAOjlDBtPMx3SPRPhA61Bu0B8XgMi/POpjo7sXQ2jS/1gRX2L99djKeUdEe+aZSGt05hRCrLewg9thEoDAMFUkeRuYoK9iMjh3fe0xZoWS4rzdmu7UdmzcQN5ylSkCAwEAAaOCAUYwggFCMAkGA1UdEwQCMAAwHQYDVR0OBBYEFBf8WqBW5e2twZAvObD3ASUg61PHMIHgBgNVHSMEgdgwgdWAFFjZARYuVs46+SYRbphfAmMxvnr8oYGxpIGuMIGrMQswCQYDVQQGEwJERTELMAkGA1UECBMCREUxCzAJBgNVBAcTAkRFMQswCQYDVQQKEwJERTEkMCIGA1UECxMbVW5pdmVudGlvbiBDb3Jwb3JhdGUgU2VydmVyMTowOAYDVQQDEzFVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIgUm9vdCBDQSAoSUQ9cmNqbmRrV2EpMRMwEQYJKoZIhvcNAQkBFgRzc2xAggkAjQdjsrHT8DowCwYDVR0PBAQDAgXgMCYGA1UdEQQfMB2CFGRlbW8zLnNvdmVyZWlnbml0LmRlggVkZW1vMzANBgkqhkiG9w0BAQsFAAOCAQEAe1SruOEZnrt3uz2XoKQnXE1CGBPl1DU9leCg3Jt+DTfVhNufquzLiilLj6NQ1KjIWlUVxrw9I4JsE6kRE6gAAq9fcI4EAPuL2urHoJZ5HygrEPSajei8WPteR0i9y+K4WbEr4zabUtZ7jj4utZeXg3t9R3S+2ydMdnjj7/s8TxqIg5KMwyYa2OFT+55Ii0lZhuM3YqH2z0efyZ2LJZVf1M2wwz+O26tkNTuyQhxr6JwnmXwd383Do+dhzRCq23TqYINBvzuViq4zIZIz+LwCO21Gf2HHuyk2z/eSIek9it6aalcqHx+EjpyDmgLej1RZD+CLugzuX9JlJW3zSonVoA==</ns2:X509Certificate>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]       </ns2:X509Data>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]     </ns2:KeyInfo>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]   </ns2:Signature>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3]   <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="https://demo3.sovereignit.de/univention/saml/metadata">_f06e2af2af8f9245d0a8252ac388e08afea673e26a</ns1:NameID>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] </ns0:LogoutRequest>
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 6 [f3bb79ddb3] Received SAML 2.0 LogoutRequest from: 'https://demo3.sovereignit.de/univention/saml/metadata'
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 5 STAT [f3bb79ddb3] saml20-idp-SLO spinit https://demo3.sovereignit.de/univention/saml/metadata https://demo3.sovereignit.de/simplesamlphp/saml2/idp/metadata.php
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] loading key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 from memcache
Jun 11 08:03:34 demo3 simplesamlphp[9344]: 7 [f3bb79ddb3] saving key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 to memcache
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Saved state: '_6d4c5e8068218d29917f3d0bf55dd930459803099c'
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 6 [f3bb79ddb3] Logging out of 'saml:https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS'.
Jun 11 08:03:34 demo3 simplesamlphp[9345]: 6 [f3bb79ddb3] Sending SAML 2.0 LogoutRequest to: 'https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS'
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Sending message:
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_966e0deac221a887e347e954cffcb7e23359fd1f39" Version="2.0" IssueInstant="2020-06-11T06:03:34Z" Destination="https://demo3.sovereignit.de/rocketchat/_saml/logout/UCS" NotOnOrAfter="2020-06-11T06:08:35Z">
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3]   <saml:Issuer>https://demo3.sovereignit.de/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3]   <saml:NameID SPNameQualifier="https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">christian.cux@sovereignit.de</saml:NameID>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3]   <samlp:SessionIndex>_d7bb493416ca2cb269dee8523d55e9085f7403a3f0</samlp:SessionIndex>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] </samlp:LogoutRequest>
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 4 [f3bb79ddb3] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] Loading state: '_6d4c5e8068218d29917f3d0bf55dd930459803099c'
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] loading key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 from memcache
Jun 11 08:03:35 demo3 simplesamlphp[9345]: 7 [f3bb79ddb3] saving key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 to memcache
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Localization: using old system
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Template: Reading [/usr/share/simplesamlphp/dictionaries/errors]
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] /simplesamlphp/saml2/idp/SingleLogoutService.php - Template: Could not find template file [error.php] at [/usr/share/simplesamlphp/modules/univentiontheme/themes/univention/default/error.php] - now trying the base template
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] saving key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 to memcache
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 4 [f3bb79ddb3] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 6 [f3bb79ddb3] SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Library - LDAP __construct(): Setup LDAP with host='ldap://demo3.sovereignit.de:7389', tls=true, debug=false, timeout=0, referrals=true
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Library - LDAP bind(): Bind successful with DN 'uid=sys-idp-user,cn=users,dc=sovereignit,dc=intranet'
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] Received message:
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_id-b80bfac20f7b041a1667" Version="2.0" IssueInstant="2020-06-11T06:03:35.103Z" Destination="https://demo3.sovereignit.de/simplesamlphp/saml2/idp/SingleLogoutService.php">
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3]   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo3.sovereignit.de/rocketchat/_saml/metadata/UCS</saml:Issuer>
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3]   <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] </samlp:LogoutResponse>
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Backtrace:
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 1 /usr/share/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 0 [builtin] (N/A)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Caused by: Exception: Missing status code on response.
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Backtrace:
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 5 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/StatusResponse.php:70 (SAML2\StatusResponse::__construct)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/LogoutResponse.php:19 (SAML2\LogoutResponse::__construct)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 3 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:574 (SAML2\Message::fromXML)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 2 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:125 (SAML2\HTTPRedirect::receive)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:544 (sspmod_saml_IdP_SAML2::receiveLogoutMessage)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] 0 /usr/share/simplesamlphp/www/saml2/idp/SingleLogoutService.php:23 (N/A)
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 3 [f3bb79ddb3] Error report with id 7165479f generated.
Jun 11 08:03:35 demo3 simplesamlphp[9346]: 7 [f3bb79ddb3] loading key simpleSAMLphp.session.0eebcf00f98cb54ff4098ed17969e9c6 from memcache
Comment 7 Florian Best univentionstaff 2020-06-11 11:19:56 CEST
UCS IDP redirects to: https://xxx/rocketchat/_saml/logout/UCS?
With SAMLRequest=:
<?xml version="1.0" ?>
<ns0:LogoutRequest Destination="https://xxx/rocketchat/_saml/logout/UCS" ID="_dc3847199329ab2e7d979c93af002e7f7dcfddaf95" IssueInstant="2020-06-11T07:23:02Z" NotOnOrAfter="2020-06-11T07:28:02Z" Version="2.0" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns1:Issuer>https://xxx/simplesamlphp/saml2/idp/metadata.php</ns1:Issuer>
        <ns1:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="https://xxx/rocketchat/_saml/metadata/UCS">anna.alster@xxx</ns1:NameID>
        <ns0:SessionIndex>_efcb533a5312aa5c5ede3b42c0a536e0f1d740a033</ns0:SessionIndex>
</ns0:LogoutRequest>

Then Rocket Chat redirects back to the IDP:
<?xml version="1.0" ?>
<ns0:LogoutResponse Destination="https://xxx/simplesamlphp/saml2/idp/SingleLogoutService.php" ID="_id-4b563e0a78d778eb3f28" IssueInstant="2020-06-11T07:23:02.504Z" Version="2.0" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns1:Issuer>https://xxx/rocketchat/_saml/metadata/UCS</ns1:Issuer>
        <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</ns0:LogoutResponse>

Which is missing InResponseTo="_dc3847199329ab2e7d979c93af002e7f7dcfddaf95".
And the XML structure is also broken, because the samlp:StatusCode is not enclosed in samlp:Status.

Patch:

--- /app/bundle/programs/server/app/app.js.org  2020-06-11 11:05:02.136000000 +0200
+++ /app/bundle/programs/server/app/app.js      2020-06-11 11:15:20.916000000 +0200
@@ -126368,6 +126368,7 @@
               response
             } = _saml.generateLogoutResponse({
               nameID: result.nameID,
+             ID: result.ID,
               sessionIndex: result.idpSession
             });
 
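Review bot: `ID: result.ID` depends on the request parser actually populating `result.ID`; if any code path returns a result without it, the generated response silently loses InResponseTo again instead of failing. Consider a `debugLog` when `result.ID` is empty so the regression is visible, and, to match the existing `nameID` / `idpSession` naming, a name such as `requestId` would make clear this is the IdP's LogoutRequest ID rather than the SP's own message ID.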
@@ -126669,10 +126670,10 @@
   return request;
 };
 
-SAML.prototype.generateLogoutResponse = function () {
+SAML.prototype.generateLogoutResponse = function (options) {
   const id = "_".concat(this.generateUniqueID());
   const instant = this.generateInstant();
-  const response = "".concat('<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"  ' + 'ID="').concat(id, "\" ") + 'Version="2.0" ' + "IssueInstant=\"".concat(instant, "\" ") + "Destination=\"".concat(this.options.idpSLORedirectURL, "\" ") + '>' + "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">".concat(this.options.issuer, "</saml:Issuer>") + '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>' + '</samlp:LogoutResponse>';
+  const response = "".concat('<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' + (options.ID ? 'InResponseTo="' + options.ID + '" ' : '') + 'ID="').concat(id, "\" ") + 'Version="2.0" ' + "IssueInstant=\"".concat(instant, "\" ") + "Destination=\"".concat(this.options.idpSLORedirectURL, "\" ") + '>' + "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">".concat(this.options.issuer, "</saml:Issuer>") + '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' + '</samlp:LogoutResponse>';
   debugLog('------- SAML Logout response -----------');
   debugLog(response);
   return {
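Review bot: `options.ID` is concatenated into the InResponseTo attribute without XML escaping, and `options` is dereferenced unconditionally, so a call that still uses the old zero-argument signature now throws a TypeError. Default the parameter (`function (options = {})`) and, because the value is echoed from an attribute the IdP sent, either escape it or check it against the xs:ID lexical form before embedding it. Wrapping the StatusCode in `<samlp:Status>` is the part that satisfies simplesamlphp's "Missing status code on response" check; note that this patch targets the built app.js bundle, so the same change has to be made in the Rocket.Chat source for it to survive a rebuild.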
@@ -126888,9 +126889,11 @@
       const nameIdNode = request.getElementsByTagName('saml:NameID')[0];
       const idpSession = sessionNode.childNodes[0].nodeValue;
       const nameID = nameIdNode.childNodes[0].nodeValue;
+      const ID = request.getAttribute('ID');    
       return callback(null, {
         idpSession,
-        nameID
+        nameID,
+       ID
       });
     } catch (e) {
       debugLog("Caught error: ".concat(e));
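Review bot: `const ID = request.getAttribute('ID');` carries trailing whitespace, and the `ID` entry in the returned object is indented one space short of `nameID`. More importantly, getAttribute yields null or an empty string when the LogoutRequest has no ID attribute, and that value is passed through unchecked, so the response builder then drops InResponseTo without any error. Treat a missing ID like any other parse failure in this function and hand an error to the callback (as the surrounding try/catch already does for thrown errors) rather than returning a partial result.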
Comment 8 Florian Best univentionstaff 2020-06-11 11:28:46 CEST
I created a Pull Request at RocketChat: https://github.com/RocketChat/Rocket.Chat/pull/17879
Comment 9 Erik Damrose univentionstaff 2022-07-12 15:59:26 CEST
(In reply to Florian Best from comment #7)
> Which is missing InResponseTo="_dc3847199329ab2e7d979c93af002e7f7dcfddaf95".

The missing InResponseTo is still a problem when logging out. But it is still not a UCS issue -> Retagging development internal

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      ID="_ab10f9cb5eee19ee88bbe116324feb1b0cb85557ef"
                      Version="2.0"
                      IssueInstant="2022-07-12T13:28:17.838Z"
                      Destination=" https://customer.fqdn/simplesamlphp/saml2/idp/SingleLogoutService.php"
                      >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://customer.fqdn/_saml/metadata/univention</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>
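The receiver-side check that simplesamlphp's StatusResponse constructor effectively performs, extended with the two defects pointed out in comments 7 and 9 (a samlp:StatusCode that is not enclosed in samlp:Status, and a missing InResponseTo), written here as an added Python validator. This is example code for this page, not Rocket.Chat or simplesamlphp code; the endpoints, entity IDs and message IDs are constructed, and the three sample responses are reconstructions of the message shapes quoted in the comments rather than the originals. Destination is compared byte-for-byte, so the leading space inside the Destination attribute of the comment 9 response is flagged as well. Responses from an untrusted source should be parsed with defusedxml instead of plain ElementTree.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol messages.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def q(ns, local):
    """Clark notation ({namespace}local) as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def validate_logout_response(xml_text, expected_in_response_to, expected_destination):
    """Return a list of problems found in a samlp:LogoutResponse (empty list = acceptable).

    expected_in_response_to: ID of the LogoutRequest the IdP sent to the SP.
    expected_destination:    the IdP's SingleLogoutService URL, compared exactly.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q(SAMLP, "LogoutResponse"):
        return ["root element is %s, not samlp:LogoutResponse" % root.tag]

    # 1. Status: samlp:StatusCode must be a child of samlp:Status, not of the root.
    status = root.find(q(SAMLP, "Status"))
    if status is None:
        if root.find(q(SAMLP, "StatusCode")) is not None:
            problems.append("samlp:StatusCode is a direct child; it must be wrapped in samlp:Status")
        else:
            problems.append("no samlp:Status element")
    else:
        code = status.find(q(SAMLP, "StatusCode"))
        if code is None:
            problems.append("samlp:Status has no samlp:StatusCode child")
        elif code.get("Value") != STATUS_SUCCESS:
            problems.append("logout not successful: %s" % code.get("Value"))

    # 2. InResponseTo must echo the ID of the request we sent, so the response
    #    can be correlated with an outstanding logout and not replayed or stray.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        problems.append("InResponseTo attribute missing; response cannot be correlated with our request")
    elif in_response_to != expected_in_response_to:
        problems.append("InResponseTo %r does not match outstanding request %r"
                        % (in_response_to, expected_in_response_to))

    # 3. Destination must be exactly our endpoint (no whitespace normalisation).
    destination = root.get("Destination")
    if destination != expected_destination:
        problems.append("Destination %r != %r" % (destination, expected_destination))

    # 4. The SP answering must identify itself.
    if root.find(q(SAML, "Issuer")) is None:
        problems.append("saml:Issuer missing")
    return problems


# Constructed sample values (hypothetical hosts and IDs, not those of the bug report).
IDP_SLO = "https://idp.example.test/simplesamlphp/saml2/idp/SingleLogoutService.php"
SP_ENTITY = "https://chat.example.test/_saml/metadata/idp"
REQUEST_ID = "_req-constructed-0001"


def _response(extra_attrs, status_xml):
    """Build a constructed LogoutResponse with the given extra attributes and status body."""
    return (
        '<samlp:LogoutResponse xmlns:samlp="%s" ID="_resp-constructed-0002" Version="2.0" '
        'IssueInstant="2020-06-11T07:23:02Z" %s>'
        '<saml:Issuer xmlns:saml="%s">%s</saml:Issuer>%s</samlp:LogoutResponse>'
    ) % (SAMLP, extra_attrs, SAML, SP_ENTITY, status_xml)


# Shape of the response quoted in comment 7: no InResponseTo, StatusCode not wrapped.
BROKEN_RESPONSE = _response(
    'Destination="%s"' % IDP_SLO,
    '<samlp:StatusCode Value="%s"/>' % STATUS_SUCCESS)

# Shape of the response quoted in comment 9: Status wrapped correctly, still no
# InResponseTo, and a leading space inside the Destination attribute.
PARTIALLY_FIXED_RESPONSE = _response(
    'Destination=" %s"' % IDP_SLO,
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>' % STATUS_SUCCESS)

# What the patched generator is expected to produce.
FIXED_RESPONSE = _response(
    'InResponseTo="%s" Destination="%s"' % (REQUEST_ID, IDP_SLO),
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>' % STATUS_SUCCESS)


if __name__ == "__main__":
    for label, msg in (("comment 7 shape", BROKEN_RESPONSE),
                       ("comment 9 shape", PARTIALLY_FIXED_RESPONSE),
                       ("patched shape", FIXED_RESPONSE)):
        found = validate_logout_response(msg, REQUEST_ID, IDP_SLO)
        print("%s: %s" % (label, "OK" if not found else "; ".join(found)))
```

Run as a script it prints one line per sample; the comment 7 shape yields two findings (unwrapped StatusCode, missing InResponseTo), the comment 9 shape two (missing InResponseTo, Destination mismatch), and the patched shape none. The exact Destination comparison is deliberate: SAML 2.0 binding rules require the receiver to check that Destination matches its own endpoint, and a normalising comparison would hide exactly the kind of defect visible in comment 9.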
Comment 10 Erik Damrose univentionstaff 2022-07-12 15:59:46 CEST
Rocketchat version 4.8.1