SAML SLO from IDP does not work when SP is LL::NG
It seems we have a problem when registering the SAML session. When the authentication is finished with SAML, we have this in the SP logs:
[Tue Jun 21 19:13:21.370726 2016] [perl:debug] [pid 4894] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Store NameID <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dwho@badwolf.org</saml:NameID> and SessionIndex MdfOZ+Odth4U4znANNDUDhenzciSL014oPZ9cBxgoH0= for session
[Tue Jun 21 19:13:21.374280 2016] [perl:debug] [pid 4894] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Link session to SAML session 460038d6e617221c134ae514f91e95a8
We see here that the SAML session is not linked to the SSO session, which I can verify by dumping the SAML session:
{"_utime":1466529201,"_nameID":"<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">dwho@badwolf.org</saml:NameID>","_session_id":"460038d6e617221c134ae514f91e95a8","type":"saml","_session_kind":"SAML","_sessionIndex":"MdfOZ+Odth4U4znANNDUDhenzciSL014oPZ9cBxgoH0="}
Then, when an SLO request is sent from the IDP with the sessionIndex, we have this in the SP logs:
[Tue Jun 21 19:15:02.407092 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Logout request NameID content: dwho@badwolf.org
[Tue Jun 21 19:15:02.407968 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Retrieve SAML session 460038d6e617221c134ae514f91e95a8 for user dwho@badwolf.org
[Tue Jun 21 19:15:02.408972 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Try to get a new session
[Tue Jun 21 19:15:02.410855 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Return session bb49b177289d4efd07e02ac19dcaedc0a03bca5c04ae711eebab84e80ea224ea
[Tue Jun 21 19:15:02.412558 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub userNotice
[Tue Jun 21 19:15:02.412603 2016] [perl:debug] [pid 4983] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Common/CGI.pm 305:
[Tue Jun 21 19:15:02.412614 2016] [perl:notice] [pid 4983] Lemonldap::NG : User dwho has been disconnected (127.0.0.1)
[Tue Jun 21 19:15:02.412632 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Delete real session result: 1
[Tue Jun 21 19:15:02.413502 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Delete SAML session 460038d6e617221c134ae514f91e95a8 result: 1
[Tue Jun 21 19:15:02.413628 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Loading Session dump:
[Tue Jun 21 19:15:02.413663 2016] [perl:debug] [pid 4983] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error: dump cannot be undef at /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm line 1487.\n
[Tue Jun 21 19:15:02.413683 2016] [perl:debug] [pid 4983] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/AuthSAML.pm 618:
[Tue Jun 21 19:15:02.413694 2016] [perl:error] [pid 4983] Cannot set session from dump in logout
So there is a problem in SAML session management.
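
A log check for the symptom in this report, as an added example that is not part of the original report or of the LemonLDAP::NG code: it flags "Link session ... to SAML session" lines whose SSO session id is empty, and pairs each later "Cannot set session from dump in logout" error with the SAML session retrieved by the same Apache pid. The sample log is constructed from the messages quoted above; the function name `audit_slo_log` and the correlation by pid are assumptions.

```python
import re

# Constructed sample: messages abridged from the report above, plus one
# healthy login and logout whose ids and user are invented for contrast.
SAMPLE_LOG = """\
[perl:debug] [pid 4894] SharedConf: Link session  to SAML session 460038d6e617221c134ae514f91e95a8
[perl:debug] [pid 4895] SharedConf: Link session aaaa1111 to SAML session bbbb2222
[perl:debug] [pid 4983] SharedConf: Retrieve SAML session 460038d6e617221c134ae514f91e95a8 for user dwho@badwolf.org
[perl:debug] [pid 4984] SharedConf: Retrieve SAML session bbbb2222 for user rtyler@badwolf.org
[perl:error] [pid 4983] Cannot set session from dump in logout
"""

# The SSO session id is optional so that an empty one still matches.
LINK_RE = re.compile(r"Link session\s+(?:(\S+)\s+)?to SAML session\s+(\S+)")
RETRIEVE_RE = re.compile(r"Retrieve SAML session (\S+) for user (\S+)")
PID_RE = re.compile(r"\[pid (\d+)\]")
DUMP_ERROR = "Cannot set session from dump in logout"


def audit_slo_log(log_text):
    """Return (unlinked SAML session ids, [(saml_id, user)] of failed logouts)."""
    unlinked = set()
    pending = {}   # pid -> (saml_id, user) of the logout that pid is handling
    failed = []
    for line in log_text.splitlines():
        pid_match = PID_RE.search(line)
        pid = pid_match.group(1) if pid_match else None
        link = LINK_RE.search(line)
        if link:
            if link.group(1) is None:      # no SSO session id was logged
                unlinked.add(link.group(2))
            continue
        retrieve = RETRIEVE_RE.search(line)
        if retrieve:
            pending[pid] = retrieve.groups()
        elif DUMP_ERROR in line and pid in pending:
            failed.append(pending.pop(pid))
    return unlinked, failed


if __name__ == "__main__":
    unlinked, failed = audit_slo_log(SAMPLE_LOG)
    for saml_id in sorted(unlinked):
        print(f"SAML session {saml_id} has no linked SSO session")
    for saml_id, user in failed:
        state = "unlinked at login" if saml_id in unlinked else "linked"
        print(f"SLO dump error for {user}, SAML session {saml_id} ({state})")
```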