Auth::SAML back-channel logout doesn't work when 2FA is used
Affected version
Version: 2.16.2
Summary
- Configure Auth::SAML + 2FA (mail2f)
- Log in with LLNG as SP
- Configure SAML IDP to use SOAP logout (backchannel)
- Logout from SAML IDP
- Logout is not effective on LLNG
Logs
[debug] No SAML session found for user test@example.com
[debug] SLO message to IDP idp-example signature according to metadata
[error] Authentication module succeed but has not set $req->user
Possible fixes
This happens because, when Auth::SAML extractFormInfo is called, it schedules authFinish to be run later by modifying $req->steps.
But 2FA resets $req->steps to the default list.
My solution is to trigger authFinish in the afterData step instead.
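The following is an added, constructed model of the step-list race described above, not LemonLDAP::NG code. The step names, the hook registry and the logout lookup are simplified assumptions; only the sequence of events follows the report: Auth::SAML schedules authFinish by editing the step list, the 2FA engine resets that list and drops the scheduled step, and registering authFinish under afterData (which is in the default list) survives the reset.

```python
"""Constructed model of the $req->steps scheduling race (not LLNG code)."""
from typing import Callable, Dict, List, Optional

# Assumed default step list; real LLNG step names differ in detail.
DEFAULT_STEPS = ["extractFormInfo", "authenticate", "secondFactor",
                 "setSessionInfo", "afterData", "buildCookie"]


class Req:
    """Minimal stand-in for the LLNG request object."""

    def __init__(self) -> None:
        self.steps: List[str] = list(DEFAULT_STEPS)
        self.user: Optional[str] = None
        self.saml_session: Optional[dict] = None   # what SLO needs to find
        self.after_data_hooks: List[Callable[["Req"], None]] = []
        self.log: List[str] = []


def saml_auth_finish(req: Req) -> None:
    """Persist the SAML session data (NameID, SessionIndex) later used by SLO."""
    req.saml_session = {"user": req.user, "session_index": "constructed-idx-1"}
    req.log.append("authFinish: SAML session stored")


def saml_extract_form_info_buggy(req: Req) -> None:
    """Behaviour from the report: schedule authFinish by editing the step list."""
    req.user = "test@example.com"
    idx = req.steps.index("setSessionInfo") + 1
    req.steps.insert(idx, "authFinish")   # lost if the list is reset afterwards


def saml_extract_form_info_fixed(req: Req) -> None:
    """Proposed fix: run authFinish from the afterData step instead."""
    req.user = "test@example.com"
    req.after_data_hooks.append(saml_auth_finish)


def second_factor(req: Req) -> None:
    """Models the 2FA engine resetting $req->steps to the default list
    after the second factor (e.g. mail2f) has been verified."""
    req.log.append("2FA: code verified, steps reset to default")
    req.steps = DEFAULT_STEPS[DEFAULT_STEPS.index("secondFactor") + 1:]


def after_data(req: Req) -> None:
    """afterData is part of the default list, so its hooks always run."""
    for hook in req.after_data_hooks:
        hook(req)


def noop(req: Req) -> None:
    pass


def run_login(two_factor: bool, fixed: bool) -> Req:
    """Drive the login step list for one scenario and return the request."""
    req = Req()
    handlers: Dict[str, Callable[[Req], None]] = {
        "extractFormInfo": saml_extract_form_info_fixed if fixed
        else saml_extract_form_info_buggy,
        "authenticate": noop,
        "secondFactor": second_factor if two_factor else noop,
        "setSessionInfo": noop,
        "authFinish": saml_auth_finish,
        "afterData": after_data,
        "buildCookie": noop,
    }
    while req.steps:
        step = req.steps.pop(0)
        handlers[step](req)
    return req


def backchannel_logout(req: Req) -> bool:
    """SLO lookup: the IDP's SOAP LogoutRequest can only be honoured if the
    SAML session was stored at login; otherwise the logout is not effective."""
    if req.saml_session is None:
        req.log.append(f"No SAML session found for user {req.user}")
        return False
    req.log.append("SLO: local session destroyed")
    return True


if __name__ == "__main__":
    for two_factor, fixed in [(False, False), (True, False), (True, True)]:
        req = run_login(two_factor, fixed)
        ok = backchannel_logout(req)
        print(f"2FA={two_factor} fixed={fixed}: logout effective={ok}")
```

Running the three scenarios shows the report's symptom only in the buggy-with-2FA case: without 2FA the scheduled authFinish still runs, and with the afterData hook the SAML session is stored regardless of the reset.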