How to create a LogoutResponse in SP?

[bc-asingh]

Hi,

I am trying to implement SLO in our SP. If some other SP in the Idp's session has requested logout, How do we send a LogoutResponse back to Idp? strategy.logout() always seems to be sending a LogoutRequest. So, How to generate a LogoutResponse?

[srd90]

@attindersingh90 passport-saml generates LogoutResponse for incoming LogoutRequest if handling of incoming LogoutRequest is delegated to passport-saml's implementation, BUT

You do NOT want to use passport-saml's implementation because it shall always report success even if session was not terminated (and most of the times sessions are not terminated at all due how browsers handle 3rd party cookies nowadays).

For further information see issue #419 .

You might also want to check PR #619 's discussions.

So what are your options? To implement whole SLO stuff on your own (returning proper LogoutResponse is trivial after you have done that) or wait that someone comes up with a fix for #419

Some evaka project ended up writing own implementation for SLO (see espoon-voltti/evaka#738 ) which might work but license of the implementation seems to be LGPL 2.1

[bc-asingh]

@srd90 Thanks for getting back to me. Can we send back LogoutResponse with v2? I couldn't find any documentation. Could you redirect me to one.

Also another question this response needs to be signed before being sent to IdP. Where do we get the key from to sign it? Does IdP share their private key? This looks weird.

Or is it our SP's private key? If so how do we add our cert in Idp. I am using auth0 and there isn't any filed. Is there supposed to be one.

[srd90]

for the record @attindersingh90 's answer above was actually comment to suggested answer: #622 (comment)

Can we send back LogoutResponse with v2?

I don't know what you mean with v2. If you are referring to https://github.com/node-saml/passport-saml2 the answer is no. It has same issue relating to SLO implementation as https://github.com/node-saml/passport-saml has (#419) up to and including current master version. passport-saml2 was fork of passport-saml. It (passport-saml2) had another approach to typescript etc. stuff. NOTE: passport-saml2 is now in archived state.

I couldn't find any documentation. Could you redirect me to one.

There aren't any. If you want to learn how passport-saml's SLO (LogoutRequest processing) work put your finger to this line (link refers to passport-saml's version 3.1.1 because < 3.x. versions contains all relevant stuff without having to clone also node-saml/node-saml repo):

passport-saml/src/passport-saml/strategy.ts

Line 70 in a3174b4

return this._saml.getLogoutResponseUrl(profile, RelayState, options, redirectIfSuccess);

and reverse engineer from there (it also helps if you know SAML SLO signalling flows).

Issue's #419 bug demonstration snippet contains same information from client application point-of-view.

Also another question this response needs to be signed before being sent to IdP. Where do we get the key from to sign it? Does IdP share their private key?

No, they do not share their private key. That is the point of PKI. Private key stays private.

Or is it our SP's private key?

Yes. SP signs stuff with its own private key.

If so how do we add our cert in Idp.

You either provision your SP cert to IdP via some proprietary interface or your IdP autoprovisions SAML SP metadata (which contain SP's cert) from some URL you provide to it. SAML SP metada can be the one generated by passport-saml or you can create it manually and put available to your HTTP server as static xml file.

What ever you end up doing remember that at the moment passport-saml and passport-saml2's internal LogoutRequest processing implementation contains vulnerability (end user's session at your application is not terminated even though passport-samland passport-saml2 report success).