We implemented the complete login and logout flow with a Shibboleth IdP. Now we are working on the last missing step, the IdP-initiated logout. Shibboleth sends a logout request, which is valid according to RubySAML. However, RubySAML does not provide a nameId, so it is unclear which user should be logged out.
The nameId is transmitted by the IdP in encrypted form. The keys needed for decryption are all passed along.
```ruby
# Parse the IdP-initiated LogoutRequest (HTTP-Redirect binding) with our SP settings.
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
  params[:SAMLRequest], settings: saml_settings
)

if !logout_request.is_valid?
  # Report the validation errors instead of rendering the return value of logger.error.
  logger.error "Invalid IdP-initiated LogoutRequest: #{logout_request.errors.join(', ')}"
  return render plain: logout_request.errors.join(', '), status: :bad_request
else
  pp logout_request
  # Prints the logout request containing the config with all necessary keys and the
  # provided saml2p:LogoutRequest, which carries the NameID encrypted in a
  # <saml2:EncryptedID> element.
end

logger.info "IdP initiated Logout for #{logout_request.name_id}"
# prints: "IdP initiated Logout for "

# Generate a response to the IdP, referencing the request we just received.
logout_request_id = logout_request.id
logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(saml_settings, logout_request_id)
redirect_to logout_response
```
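For reference, this is the XML Encryption step an SP library has to perform to recover the NameID from a `saml2:EncryptedID`: unwrap the AES data key with the SP's own private key (RSA-OAEP), then decrypt the `EncryptedData` payload, whose ciphertext starts with the IV. It is an added stand-alone example using only `openssl` and `rexml`, not ruby-saml's code and not from the original post; the RSA key, the user identifier and the helper names are constructed, and the shape of the `EncryptedID` mirrors the SAML 2.0 core layout (an `EncryptedData` element with a sibling `EncryptedKey`).

```ruby
require 'openssl'
require 'rexml/document'

XENC = 'http://www.w3.org/2001/04/xmlenc#'

# Constructed IdP side: encrypt the NameID for the SP's public key
# (AES-128-CBC data key, wrapped with RSA-OAEP), as in a real EncryptedID.
def build_encrypted_id(name_id, sp_public_key)
  aes = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  data_key = aes.random_key
  iv = aes.random_iv
  plain = %(<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">#{name_id}</saml2:NameID>)
  body = iv + aes.update(plain) + aes.final   # xmlenc prepends the IV to the ciphertext
  wrapped = sp_public_key.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  <<~XML
    <saml2:EncryptedID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <xenc:EncryptedData xmlns:xenc="#{XENC}">
        <xenc:EncryptionMethod Algorithm="#{XENC}aes128-cbc"/>
        <xenc:CipherData><xenc:CipherValue>#{[body].pack('m0')}</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:EncryptedKey xmlns:xenc="#{XENC}">
        <xenc:EncryptionMethod Algorithm="#{XENC}rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>#{[wrapped].pack('m0')}</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </saml2:EncryptedID>
  XML
end

# SP side: without the SP private key this step is impossible, which is why a
# library that lacks the key cannot populate name_id for an EncryptedID.
def decrypt_name_id(encrypted_id_xml, sp_private_key)
  doc = REXML::Document.new(encrypted_id_xml)
  ns = { 'xenc' => XENC }
  wrapped = REXML::XPath.first(doc, '//xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue', ns).text.unpack1('m0')
  body    = REXML::XPath.first(doc, '//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue', ns).text.unpack1('m0')
  data_key = sp_private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  aes = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  aes.key = data_key
  aes.iv  = body[0, 16]                         # first block is the IV
  plain = aes.update(body[16..]) + aes.final
  REXML::Document.new(plain).root.text          # the NameID value
end
```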