moodle-auth_saml2

Error on logout after upgrading to moodle 4.2 and saml2 plugin

Open silviapinheiro opened this issue 1 year ago • 3 comments

What happened?

The user gets the following error after pressing the logout button: Expected one of: "saml2". Got "saml1" (Please see image below)

image

This is what we see in the live Apache logs on the server; when logging IN/OUT, there's a 404:

172.70.91.215 - - [17/Sep/2024:07:56:05 +0100] "POST /auth/saml2/sp/saml2-acs.php/training.ccea.org.uk HTTP/1.1" 303 736
172.70.91.215 - - [17/Sep/2024:07:56:05 +0100] "GET /login/index.php?saml=on HTTP/1.1" 303 1507
172.70.91.215 - - [17/Sep/2024:07:56:05 +0100] "GET /my/courses.php HTTP/1.1" 200 81664
172.70.91.215 - - [17/Sep/2024:07:56:06 +0100] "POST /lib/ajax/service.php?sesskey=KEZ0Mmd04W&info=media_videojs_get_language HTTP/1.1" 200 4531
141.101.99.206 - - [17/Sep/2024:07:56:06 +0100] "POST /lib/ajax/service.php?sesskey=KEZ0Mmd04W&info=local_edwiserreports_get_plugin_config HTTP/1.1" 200 52
141.101.99.206 - - [17/Sep/2024:07:56:06 +0100] "POST /lib/ajax/service.php?sesskey=KEZ0Mmd04W&info=local_edwiserreports_complete_edwiserreports_installation HTTP/1.1" 200 53
141.101.99.206 - - [17/Sep/2024:07:56:06 +0100] "POST /lib/ajax/service.php?sesskey=KEZ0Mmd04W&info=theme_remui_get_myoverviewcourses HTTP/1.1" 200 10604
141.101.99.205 - - [17/Sep/2024:07:56:18 +0100] "GET /login/logout.php?sesskey=KEZ0Mmd04W HTTP/1.1" 404 57723

We asked the company that provides the AD FS service to us for help debugging this, and they can't see any communication on logout. I think maybe there is something else that needs to be implemented in order for this to close the session properly and redirect the user back to the login page. We are using SAML2, not 1, so why is it failing and pointing here:

$logoutState = [ 'saml:logout:Type' => 'saml1', ];

\auth\saml2.extlib\simplesamlphp\modules\saml\src\Controller\ServiceProvider.php

We recently migrated to a new server: RHEL 9.4, Moodle 4.2.9, auth_saml2: 2024071101

On the previous server, the logout seemed to be working, as it would redirect the user, but with further testing we noticed that the session was kept alive. Details of the previous server: CentOS 7, Moodle 4.1.9, auth_saml2: 2022111701

With similar MariaDB 10 and PHP 8.1

We have also tested Session Handling on Moodle, using the timeout to make the user log in again, but it only actually kills the session correctly for manual accounts. If we click on cancel to close the pop-up and click back on something inside Moodle, we can navigate again. So that just finished the Moodle session, not the one related to SAML2.

Could someone point us in the right direction to test this, or to implement something to help redirect and kill the session correctly, sending the proper logout request?

What you expected: I expect the user to be redirected to the login page and the session to be closed. So, if another user clicks the login button, he is prompted to log in again, not being able to log in through someone else's session.

silviapinheiro, Sep 17 '24 09:09

We have noticed this same issue on a Moodle instance that I manage: Moodle 4.1.13+ (Build: 20240910), auth_saml2: 2024071101

We make use of an alternative logout URL.

anrichp, Oct 07 '24 12:10

Hi, will there be a fix for this issue?

cre-eledia, May 26 '25 10:05

Hi @cre-eledia - we do have SLO working on some of our clients' sites and I don't recall seeing this issue on our end. There's probably something specific with the configuration of your IDP that is causing this. You would need to perform further investigation on your end and send us through a pull request with a fix if you would like it fixed in the plugin.

Thanks!

danmarsden, May 26 '25 23:05