LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
Concerned version
Version: 2.0.11
Platform: (Nginx/uwsgi)
Summary
Single logout initiated by the IDP doesn't work in my case. The browser blocks the LogoutRequest sent with the HTTP-POST binding.
This is my Content Security Policy in the LLNG configuration:
"cspConnect":"'self'",
"cspDefault":"'self'",
"cspFont":"'self'",
"cspFormAction":"*",
"cspFrameAncestors":"",
"cspImg":"'self' data:",
"cspScript":"'self'",
"cspStyle":"'self'",
I get the same behaviour with Chromium 89, Firefox 87 and Firefox 52.9.
Chromium gives this message in the console: Refused to frame 'https://SP_FQDN' because it violates the following Content Security Policy directive: "child-src 'self' IDP_FQDN". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback.
Logs
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] VH IDP_FQDN is HTTPS
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Get session
98693a76e9e13c391bc29d37a351d75a6024d88e9d727c8db53caae3ef3a599e from
Handler::Main::Run
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Check session validity from
Handler
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Session timeout -> 21600
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Session timeoutActivity -> 3600s
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Session _utime -> 1619092802
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] now -> 1619092855
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] _lastSeen -> 1619092802
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] now - _lastSeen = 53
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Session timeoutActivityInterval
-> 60
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Session TTL = 21547
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] No URL authentication level
found...
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] IDP_FQDN: Apply default rule
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] removing cookie
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Cookies -> llnglanguage=fr;
lemonldapPOC=98693a76e9e13c391bc29d37a351d75a6024d88e9d727c8db53caae3ef3a599e
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] CookieName -> lemonldapPOC
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] newCookies -> llnglanguage=fr;
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] User claude.loiseau was granted
to access to /?logout=1
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Start routing default route
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Processing importHandlerData
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Processing controlUrl
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Processing checkLogout
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Processing code ref
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Launching ::Issuer::SAML::logout
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Retrieve SAML session
f098e23f81170a4b98334d399a99419b6908ac28c94e4a94900f16f0664b31ae
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] SAML session
f098e23f81170a4b98334d399a99419b6908ac28c94e4a94900f16f0664b31ae deleted
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Retrieve SAML session
7968652c3ccdac78db7f75fc21de8c35db1ca597d90a9cf80575fa8cc642c739
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] SAML session
7968652c3ccdac78db7f75fc21de8c35db1ca597d90a9cf80575fa8cc642c739 deleted
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Loading Session dump: <Session
xmlns="http://www.entrouvert.org/namespaces/lasso/0.0"; Version="2">
<NidAndSessionIndex ProviderID="https://SP_FQDN/saml/metadata";
AssertionID="_7F8E483952D161A291C128555171C310"
SessionIndex="f098e23f81170a4b98334d399a99419b6908ac28c94e4a94900f16f0664b31ae">
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Claude.Loiseau@justice.gouv.fr</
saml:NameID>
</NidAndSessionIndex>
</Session>
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Lasso error [ debug ]: 2021-04-
22 14:00:55 (xml.c/:2577) Processing node 'Session' with type 'LassoSession'
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Lasso error [ debug ]: 2021-04-
22 14:00:55 (xml.c/:2577) Processing node 'NameID' with type
'LassoSaml2NameID'
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Lasso error [ debug ]: 2021-04-
22 14:00:55 (xml.c/:1492) lasso_node_impl_init_from_xml <NameID>
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Lasso error [ debug ]: 2021-04-
22 14:00:55 (xml.c/:1901) lasso_node_impl_init_from_xml </NameID> rc=0
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Lasso Session loaded
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] SLO request signature according
to metadata
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Request built for
https://SP_FQDN/saml/metadata
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Keep request ID
_94F5EF25B43A18671FC6D53749A8D5AC in assertion session
7291b7ecdd36266457e8fad87d8c74927bd1037238a8ea8f21c38d4682110c9b
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Build POST relay logout request
to https://SP_FQDN/saml/metadata
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Processing authLogout
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Cleaning pdata
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Processing deleteSession
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Try to get SSO session
98693a76e9e13c391bc29d37a351d75a6024d88e9d727c8db53caae3ef3a599e
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Get session
98693a76e9e13c391bc29d37a351d75a6024d88e9d727c8db53caae3ef3a599e from
Portal::Main::Run
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Check session validity -> 3600s
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Return SSO session
98693a76e9e13c391bc29d37a351d75a6024d88e9d727c8db53caae3ef3a599e
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Local handler logout
[Thu Apr 22 14:00:55 2021] [LLNG:601] [notice] User claude.loiseau has been
disconnected from LDAP (10.21.18.253)
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] [notice] User claude.loiseau has
been disconnected from LDAP (10.21.18.253)
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Session
98693a76e9e13c391bc29d37a351d75a6024d88e9d727c8db53caae3ef3a599e deleted from
global storage
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Returned error: 47
(PE_LOGOUT_OK)
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Display: info detected
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Hidden values :
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Skin returned: info
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Calling sendHtml with template
info
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Starting HTML generation using /
usr/share/lemonldap-ng/portal/templates/justiceskindesk/info.tpl
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Sending /usr/share/lemonldap-ng/
portal/templates/justiceskindesk/info.tpl
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Apply following CORS policy :
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Access-Control-Allow-Origin
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] *
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Access-Control-Allow-
Credentials
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] true
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Access-Control-Allow-Headers
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] *
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Access-Control-Allow-Methods
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] POST,GET
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Access-Control-Expose-Headers
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] *
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Access-Control-Max-Age
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] 86400
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Required Params URL :
https://IDP_FQDN
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Set CSP form-action with Params
URL : https://IDP_FQDN
[Thu Apr 22 14:00:55 2021] [LLNG:601] [debug] Apply following CSP : default-
src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src
'self';script-src 'self';form-action * https://IDP_FQDN;frame-ancestors
'none';child-src IDP_FQDN 'self';
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] VH IDP_FQDN is HTTPS
[Thu Apr 22 14:00:56 2021] [LLNG:602] [info] No cookie found
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Build URL
https://IDP_FQDN/saml/relaySingleLogoutPOST?relay=191a01cdf677e5cf0baca53499f2f2199047ef428bd2b0fd610ed8bdc65fe219
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Redirect 10.21.18.253 to portal
(url was /saml/relaySingleLogoutPOST?
relay=191a01cdf677e5cf0baca53499f2f2199047ef428bd2b0fd610ed8bdc65fe219)
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] User not authenticated, Try in
use, cancel redirection
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Start routing saml
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] URL /saml/relaySingleLogoutPOST?
relay=191a01cdf677e5cf0baca53499f2f2199047ef428bd2b0fd610ed8bdc65fe219
detected as a POST relay service URL
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Found relay session
191a01cdf677e5cf0baca53499f2f2199047ef428bd2b0fd610ed8bdc65fe219
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Processing autoPost
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Delete all hidden values
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Store in hidden key RelayState
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Store [base64-encoded SAMLRequest omitted] in hidden key SAMLRequest
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Returned status: -2
(PE_REDIRECT)
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Skin returned: redirect
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Calling sendHtml with template
redirect
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Starting HTML generation using /
usr/share/lemonldap-ng/portal/templates/justiceskindesk/redirect.tpl
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Sending /usr/share/lemonldap-ng/
portal/templates/justiceskindesk/redirect.tpl
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Apply following CORS policy :
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Access-Control-Allow-Origin
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] *
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Access-Control-Allow-
Credentials
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] true
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Access-Control-Allow-Headers
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] *
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Access-Control-Allow-Methods
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] POST,GET
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Access-Control-Expose-Headers
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] *
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Access-Control-Max-Age
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] 86400
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Required urldc :
https://SP_FQDN/saml/proxySingleLogout
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Set CSP form-action with urldc :
https://SP_FQDN
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Required Params URL :
https://SP_FQDN/saml/proxySingleLogout
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Set CSP form-action with Params
URL : https://SP_FQDN
[Thu Apr 22 14:00:56 2021] [LLNG:602] [debug] Apply following CSP : default-
src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src
'self';script-src 'self';form-action * https://SP_FQDN https://SP_FQDN;
Backends used
Configuration/sessions PostgreSQL
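As an added illustration of the fallback Chromium describes (example code written here, not part of LLNG or of the original report): a small checker that resolves frame-src -> child-src -> default-src the way the browser does, run against the CSP the portal logged above. The hostnames idp.example and sp.example are constructed placeholders for IDP_FQDN and SP_FQDN, and FIXED_CSP is an assumed candidate policy used only to show the directive that would govern the relay frame.

```python
"""Resolve which CSP directive governs an <iframe> load and whether it passes.
Added example; hostnames are constructed, ISSUE_CSP copies the logged policy."""
from urllib.parse import urlsplit

# Browser fallback order for framed content (frame-src, then child-src, then default-src)
FRAME_FALLBACK = ["frame-src", "child-src", "default-src"]

# Policy as logged by the portal in the issue, with placeholder hostnames
ISSUE_CSP = ("default-src 'self';img-src 'self' data:;style-src 'self';"
             "font-src 'self';connect-src 'self';script-src 'self';"
             "form-action * https://idp.example;frame-ancestors 'none';"
             "child-src idp.example 'self';")
# Assumed candidate policy: an explicit frame-src naming the SP (not from the page)
FIXED_CSP = ISSUE_CSP + "frame-src 'self' https://sp.example;"

def parse_csp(header):
    """Turn "a x y; b z" into {'a': ['x', 'y'], 'b': ['z']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """Host-source matching: exact host, or a '*.example' wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def source_allows(src, target, page_origin):
    """Does one source expression allow loading `target` from `page_origin`?"""
    src, t = src.lower(), urlsplit(target)
    if src == "'none'":
        return False
    if src == "'self'":
        p = urlsplit(page_origin)
        return (t.scheme, t.netloc) == (p.scheme, p.netloc)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source such as data:
        return t.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)  # host-source
    if s.scheme and s.scheme != t.scheme:
        return False
    default_port = {"https": 443, "http": 80}.get(t.scheme)
    if s.port is not None and s.port != (t.port or default_port):
        return False
    return host_matches(s.hostname or "", t.hostname or "")

def frame_allowed(header, target, page_origin):
    """Return (allowed, directive_used), following the browser's fallback chain."""
    policy = parse_csp(header)
    for directive in FRAME_FALLBACK:
        if directive in policy:
            ok = any(source_allows(s, target, page_origin) for s in policy[directive])
            return ok, directive
    return True, None  # no governing directive: framing is unrestricted
```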