SLO request doesn't kill session user #90

Open
jgribonvald opened this issue May 14, 2020 · 2 comments
@jgribonvald

Describe the bug
When a SAML SLO request is sent by the CAS server to Nextcloud, the user session isn't killed, whereas with phpCAS logging enabled the request appears to go through fine. We can see the SAML request being intercepted, and there is no configuration problem, since it is not rejected.

To Reproduce
Steps to reproduce the behavior:

  1. Connect to Nextcloud with CAS
  2. Log out from CAS and wait for the log entry of the SAML logout request in phpCAS
  3. Refresh the Nextcloud UI
  4. See that the user is still connected

Software (please complete the following information):

  • Server-OS: Debian 9
  • HTTP-Server Version: Apache 2.4.0
  • PHP-Version: PHP 7.0
  • phpCAS-Library-Version: phpCAS 1.3.8
  • ownCloud/Nextcloud Version 18.0.4
  • user_cas-Version: user_cas 1.8.5
@jgribonvald (Author)

We've found from where the problem is coming: https://github.com/felixrupp/user_cas/blob/master/lib/Service/AppService.php#L903

The NameID with CAS is not provided (or is sent as @NOT_USED@); did you test with a "standard" CAS? You should use the samlp:SessionIndex to have a mapping with the ST provided at session init and at session end.

@felixrupp felixrupp self-assigned this May 27, 2020
@felixrupp felixrupp added the bug label May 27, 2020
@felixrupp felixrupp added this to the 1.8 milestone May 27, 2020
@felixrupp (Owner)

Hi @jgribonvald
I see the problem, the point is: without saving and mapping the CAS SessionIndex to the ownCloud/Nextcloud session in the ownCloud/Nextcloud database, there is no other way to match a CAS-session to an ownCloud/Nextcloud session than the user-/login-name.

@pingou2712's pull request solves this issue, but it has major changes in the source code, which I cannot test at the moment. This is why I hesitate to accept the pull request. You are still free to use @pingou2712's changes and test whether they work for you.

I'm still open to approaches and/or ideas.

Best regards,
Felix
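The matching problem described in the two comments above (NameID is a placeholder, so the ST carried in samlp:SessionIndex must be mapped to the application session) can be illustrated with a small worked example. This is added example code, not code from user_cas, phpCAS or Nextcloud: the SLO message is a constructed sample following the CAS protocol's SAML logout format, the ticket-to-session map is an in-memory array standing in for a database table, and `handleSingleLogout`, `extractSessionIndex`, `TicketSessionMap` and the `$destroySession` callback are hypothetical names. It assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example (not user_cas/phpCAS/Nextcloud code): match a CAS SAML SLO request
// to an application session via samlp:SessionIndex (the ST issued at login),
// instead of NameID, which CAS sends as a placeholder.

declare(strict_types=1);

// Constructed sample of a CAS single-logout message. CAS puts the service ticket
// in SessionIndex and sends "@NOT_USED@" as NameID, so NameID cannot identify anyone.
const SAMPLE_SLO_REQUEST = <<<'XML'
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2020-05-14T10:00:00Z">
  <saml:NameID>@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1234-constructed-example</samlp:SessionIndex>
</samlp:LogoutRequest>
XML;

/** Persistent ST -> application session id map (an array stands in for the DB table). */
final class TicketSessionMap
{
    /** @var array<string,string> */
    private $rows = [];

    /** Call once the ST has been validated and the application session exists. */
    public function remember(string $serviceTicket, string $appSessionId): void
    {
        $this->rows[$serviceTicket] = $appSessionId;
    }

    public function lookup(string $serviceTicket): ?string
    {
        return $this->rows[$serviceTicket] ?? null;
    }

    public function forget(string $serviceTicket): void
    {
        unset($this->rows[$serviceTicket]);
    }
}

/** Extract samlp:SessionIndex from a logout request; null if absent or malformed. */
function extractSessionIndex(string $xml): ?string
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if (!$ok) {
        return null;
    }
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $nodes = $xpath->query('/samlp:LogoutRequest/samlp:SessionIndex');
    if ($nodes === false || $nodes->length !== 1) {
        return null;
    }
    $value = trim($nodes->item(0)->textContent);
    return $value === '' ? null : $value;
}

/**
 * Handle an SLO request: resolve the ST to the application session it created and
 * invalidate that session. $destroySession is the app-specific invalidation hook.
 * Returns the terminated session id, or null when no known session matched.
 */
function handleSingleLogout(string $xml, TicketSessionMap $map, callable $destroySession): ?string
{
    $ticket = extractSessionIndex($xml);
    if ($ticket === null) {
        return null;
    }
    $sessionId = $map->lookup($ticket);
    if ($sessionId === null) {
        return null; // unknown or already-expired ticket: nothing to kill
    }
    $destroySession($sessionId);
    $map->forget($ticket);
    return $sessionId;
}

// Usage: record the mapping at login time, then process the SLO message.
$map = new TicketSessionMap();
$map->remember('ST-1234-constructed-example', 'app-session-abc');
$killed = handleSingleLogout(SAMPLE_SLO_REQUEST, $map, function (string $id): void {
    echo "terminating application session {$id}\n";
});
var_dump($killed === 'app-session-abc');
```

The design point is the one Felix raises: the mapping has to be written at login, when both the validated ST and the freshly created application session are known, because the SLO message carries only the ST. A logout request whose SessionIndex is unknown is ignored rather than falling back to a login-name match, so one SLO message cannot terminate other sessions of the same user.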

@felixrupp felixrupp removed this from the 1.8 milestone Jul 21, 2020