Add SOAP binding method to SLO / Back channel logout #601
Comments
The only reason is that no-one has been interested enough to implement it and test it. If you have internal development capabilities, pull requests are always welcome. If you would like to fund specific developments on the plugin, feel free to reach out via the contact form on our website and we can look at providing an estimate for the improvements you're looking for. I can't see us spending time on this specific feature ourselves unless someone funded the effort.
I'd love to see a PR for this to get proper back channel logout. The Moodle side APIs exist for terminating a session; what is needed is to store a mapping between the SSP session and the Moodle session in the kvstore (which might already be there) and wire it all up. Worst case, if we can't match up the session, we could terminate all sessions for that user (maybe behind an admin option).
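A sketch of the mapping-and-fallback logic described in the comment above, as an added example that is not code from the plugin, SimpleSAMLphp or Moodle and not written by any participant in this thread. The function names, the in-memory arrays standing in for the kvstore, and the sample message are all assumptions made for illustration.

```php
<?php
// Added illustration. parse_logout_request() and sessions_to_terminate() are
// hypothetical names, not functions of auth_saml2, SimpleSAMLphp or Moodle.
// Signature verification of the request must happen first; it is not shown.

function parse_logout_request(string $soap): array {
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing; entities are not expanded.
    if (!@$doc->loadXML($soap, LIBXML_NONET)) {
        throw new InvalidArgumentException('Malformed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $req = $xp->query('//samlp:LogoutRequest')->item(0);
    if ($req === null) {
        throw new InvalidArgumentException('No LogoutRequest found');
    }
    $indexes = [];
    foreach ($xp->query('samlp:SessionIndex', $req) as $node) {
        $indexes[] = trim($node->textContent);
    }
    return ['nameid' => trim($xp->evaluate('string(saml:NameID)', $req)), 'indexes' => $indexes];
}

// $map: SessionIndex => local session id, recorded at login (stands in for the kvstore).
// $byuser: NameID => every local session id of that user.
function sessions_to_terminate(array $req, array $map, array $byuser, bool $killall): array {
    $hits = [];
    foreach ($req['indexes'] as $idx) {
        if (isset($map[$idx])) {
            $hits[] = $map[$idx];
        }
    }
    // Fall back to all of the user's sessions only when nothing matched and the option is on.
    return ($hits || !$killall) ? $hits : ($byuser[$req['nameid']] ?? []);
}

// Constructed sample message (not captured from a real IdP).
$soap = <<<XML
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:NameID>alice@example.org</saml:NameID>
  <samlp:SessionIndex>_idx-111</samlp:SessionIndex>
</samlp:LogoutRequest></SOAP-ENV:Body></SOAP-ENV:Envelope>
XML;
$req = parse_logout_request($soap);
$byuser = ['alice@example.org' => ['sess-a', 'sess-b']];
var_dump(sessions_to_terminate($req, ['_idx-111' => 'sess-a'], $byuser, false)); // mapping hit
var_dump(sessions_to_terminate($req, [], $byuser, true)); // no mapping, admin option on
```

Because a back-channel request arrives without the user's browser cookies, the SessionIndex-to-session mapping written at login is the only link to the local session; the returned ids would then be passed to whatever session-termination API the host application provides.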
Thanks Brendan for your support. I have tried to sort out how it could be done without using the "nuclear" method of terminating all sessions indiscriminately but haven't found a way yet. I will look further into it but was wondering if some funding could help speed up the process. I contacted Catalyst about it but didn't get a reply. Any advice?
I'm sorry about that @schlupmann - did you use https://catalyst-au.net/contact-us/sydney#email-us?
Thanks for the reply Brendan. I probably didn't use the Sydney contact form/email... it must have been one of the other Australian offices, but that was a month ago, I can't remember. In the meantime, I have looked into it a bit and managed to have a working IdP-initiated SOAP binding logout by fetching the session ids of the SP and Moodle from the binding and deleting the records in the sessions and auth_saml2_kvstore tables (by adding a function to the API) as you suggested. But it is messy and I'd rather have it go through a 'proper' logout flow. But that would mean somehow loading the SP session from the binding and sending it to the logout_hook page... I would think... I'm not at all a specialist. I will try a little more to have it all outside .extlib in a clean way. But if you think doing this is only a matter of a few hours of work for you/Catalyst please tell me, I would fund it. Regards
Thanks @schlupmann - please push your work into a pull request even if it is very experimental / work in progress.
I submitted a pull request but it is very crude / experimental and probably posted at the wrong location (please remove or move as seen fit if that is the case), see: #612
Thanks @schlupmann, unfortunately that isn't the right way to file a pull request - typically you would fork this GitHub repository into your own space, modify the files and commit them into your own repository, then file a pull request. I see you added a zip file with some modified files in that PR. I haven't looked at the code but we do try to avoid modifying the extlib/simplesamlphp library files if possible as that does make it difficult to upgrade to a newer simplesamlphp release. I've closed that PR as it was invalid, but the zip file is still there if you don't make any further progress and someone else wants to pick this up.
Sorry for the mess I posted earlier. I hopefully filed the pull request the right way this #613. Please remove the zip file. I am pushing my few mods on Brendan Heywood's suggestion, but it surely is work in progress. I fully understand the need to avoid modifying the simplesamlphp library but failed to find a way to do so without pulling a substantial amount of the library's code to parse the XML message in sp/saml2-logout.php. It then becomes a bit absurd if 3 lines do the same in session.php. But I might be on an entirely wrong path... I will keep on looking. Update: I committed my mods to the latest version of the plugin, but that version with the updated simplesamlphp library actually doesn't work out of the box in our environment. Regards,
SLO has been implemented with HTTP-Redirect binding, but SOAP binding is not supported, as indicated in code: «4) Backchannel logout via the SOAP binding. TODO».
I was wondering if there was any fundamental / structural reason that would impede the implementation of SOAP binding (e.g. handling the Moodle session cookies in this backchannel mode)? What would be needed to add SOAP binding SLO to the plugin? Could some funding help?
Kind regards