Search code examples
phpsaml-2.0simplesamlphp

SimpleSAMLphp send SLO request to remote IDP Okta

So i need to send to an OKTA IDP a SLO request from my ServiceProvider make with SimpleSAMLphp.

I have try the logout function of SimpleSAMLphp, but they only logout on the ServiceProvider not on my IDP...

The code used :

require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp'); 
$as->logout();

I try to add in parameter to logout() function the SLO url of my IDP but missing some parameters in the request and no documentations on how to generate this missing parameters...

Thanks for help!

Best regards,

EDIT :

I put my authsources config:

'default-sp' => [
        'saml:SP',
        'entityID' => null,
        'idp' => 'http://www.okta.com/ID',
        'discoURL' => null,
        'privatekey' => 'sp.pem',
        'certificate' => 'sp.crt',
        'sign.logout' => true,
        'sign' => [
            'logout' => true
        ]
    ],

EDIT:

The IDP metadata:

$metadata['http://www.okta.com/randomString'] = array (
  'entityid' => 'http://www.okta.com/randomString',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'NameIDFormats' => 
  array (
    0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    1 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'certValue',
    ),
  ),
);
Solution

  • So finaly the bug was i'll missed to start the session in the logout script. So SimpleSAMLPHP never found the current session, like suggest Patrick in is comment the isAuthenticated was always false.

    So to correct the bug i had at the start of my logout script a

    session_start();

    And it's works!