Logout response validation failed with Authentication failed error

Open alexanderzobnin opened this issue 2 years ago • 2 comments

When single logout is enabled, the SP fails to perform logout with the error Authentication failed. I tried to debug and found that the error is happening in ValidateLogoutResponseRedirect(). It returns errors like invalid character entity &d (no semicolon) or invalid UTF-8. After some investigation, I've found that it's related to the compressed response. The error happens here:

https://github.com/crewjam/saml/blob/2aeb2efd8c405fb7b40aa75b591b0828ef552670/service_provider.go#L1538

rawResponseBuf contains compressed bytes and should be deflated first. In previous versions it was correct:

https://github.com/crewjam/saml/blob/5e0ffd290abf0be7dfd4f8279e03a963071544eb/service_provider.go#L1561

where gr is the deflated string:

https://github.com/crewjam/saml/blob/5e0ffd290abf0be7dfd4f8279e03a963071544eb/service_provider.go#L1538

So I think the fix is pretty straightforward.

alexanderzobnin, Feb 02 '23 15:02
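Added example, not code from the issue or from crewjam/saml: a stand-alone Go program showing why an HTTP-Redirect logout response has to be decompressed between base64 decoding and XML parsing, and that parsing the still-compressed bytes fails. The names deflateEncode, decodeRedirect, parseID, sampleDoc and the maxInflated cap are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
)

// Constructed sample document; maxInflated is an example cap on decompressed size.
const (
	sampleDoc   = `<LogoutResponse ID="id-constructed" Version="2.0"/>`
	maxInflated = 1 << 20
)

// deflateEncode builds a SAMLResponse query value: raw DEFLATE, then base64.
func deflateEncode(doc string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(doc))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// decodeRedirect reverses it. inflate=false returns the still-compressed bytes.
func decodeRedirect(param string, inflate bool) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(param)
	if err != nil || !inflate {
		return raw, err
	}
	// Bound the output so a small hostile payload cannot expand without limit.
	zr := flate.NewReader(bytes.NewReader(raw))
	out, err := io.ReadAll(io.LimitReader(zr, maxInflated+1))
	if err == nil && len(out) > maxInflated {
		err = fmt.Errorf("inflated response exceeds %d bytes", maxInflated)
	}
	return out, err
}

// parseID unmarshals the document and returns the root element's ID attribute.
func parseID(doc []byte) (string, error) {
	var v struct{ ID string `xml:"ID,attr"` }
	err := xml.Unmarshal(doc, &v)
	return v.ID, err
}

func main() {
	for _, inflate := range []bool{false, true} {
		doc, _ := decodeRedirect(deflateEncode(sampleDoc), inflate)
		id, err := parseID(doc)
		fmt.Printf("inflate=%v id=%q err=%v\n", inflate, id, err)
	}
}
```

Signature and status checks on the logout response still apply after decoding; this example covers only the decoding order.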

@alexanderzobnin, is it because of this that the trivial example http://localhost:8000/logout endpoint ends up redirecting to http://localhost:8000/saml/slo and returning a 404?

rgl, Feb 04 '23 00:02

@rgl not sure, the error here is happening during logout response processing, so it should not end up with a 404, but with an error ("Authentication failed").

alexanderzobnin, Feb 06 '23 08:02