Error in SP-initiated SAML logout with multiple SPs
Affected version
Version: 2.0
Summary
A fatal error (500) is encountered when logging out from a SAML service provider if another SAML service session is active.
The following steps can be used to reproduce the problem:
- Create and register two service providers (in my example, mod_auth_mellon)
- Log in to both service providers
- Use an SP-initiated logout on one service provider (/secret/saml/logout?ReturnTo=http://sp.example.com/ with Mellon)
- Get an HTTP 500 error from LemonLDAP::NG
Logs
In nginx logs
FastCGI sent in stderr: "Can't locate object method "do" via package "Lemonldap::NG::Portal::Issuer::SAML" at /usr/share/perl5/Lemonldap/NG/Portal/Issuer/SAML.pm line 1619" while reading response header from upstream
Possible fixes
The issue is simple enough to find in Issuer/SAML.pm:
    # If no waiting SP, return directly SLO response
    (...)
    # Else build SLO status relay URL and display info
    else {
        $req->{urldc} =
          $self->conf->{portal} . '/saml/relaySingleLogoutTermination';
        $self->p->setHiddenFormValue( $req, 'relay', $relayID );
        # Fails: the Issuer plugin object has no 'do' method (see the log above)
        return $self->do( $req, [] );
    }
However, replacing $self->do with $self->p->do doesn't improve the situation much, because there is no route registered for /saml/relaySingleLogoutTermination.