Description
Steps to reproduce
- Login via SAML
- Logout with Nextcloud Logout-Button
Expected behaviour
The IdP should revoke the session for the SP and ask for credentials again.
Actual behaviour
The IdP remembers the SP session and is seamlessly logging in the user again.
Server configuration
Operating system: Debian Linux
Web server: Nginx
Database: PostgreSQL
PHP version: 8.0.28
Nextcloud version: 25.0.4 Enterprise
Where did you install Nextcloud from: Nextcloud Portal
List of activated apps:
- activity: 2.17.0
- appointments: 1.14.11
- calendar: 4.2.4
- circles: 25.0.0
- cloud_federation_api: 1.8.0
- comments: 1.15.0
- contacts: 5.1.0
- contactsinteraction: 1.6.0
- dav: 1.24.0
- deck: 1.8.3
- drawio: 2.1.0
- federatedfilesharing: 1.15.0
- federation: 1.15.0
- files: 1.20.1
- files_mindmap: 0.0.27
- files_pdfviewer: 2.6.0
- files_rightclick: 1.4.0
- files_sharing: 1.17.0
- files_trashbin: 1.15.0
- files_versions: 1.18.0
- firstrunwizard: 2.14.0
- forms: 3.2.0
- groupfolders: 13.1.1
- logreader: 2.10.0
- lookup_server_connector: 1.13.0
- nextcloud_announcements: 1.14.0
- notifications: 2.13.1
- oauth2: 1.13.0
- onlyoffice: 7.6.8
- password_policy: 1.15.0
- photos: 2.0.1
- polls: 4.1.8
- privacy: 1.9.0
- provisioning_api: 1.15.0
- recommendations: 1.4.0
- related_resources: 1.0.4
- serverinfo: 1.15.0
- settings: 1.7.0
- sharebymail: 1.15.0
- support: 1.8.0
- survey_client: 1.13.0
- systemtags: 1.15.0
- text: 3.6.0
- theming: 2.0.1
- twofactor_backupcodes: 1.14.0
- twofactor_totp: 7.0.0
- user_ldap: 1.15.0
- user_saml: 5.1.2
- user_status: 1.5.0
- viewer: 1.9.0
- weather_status: 1.5.0
- workflowengine: 2.7.0
Nextcloud configuration:
{
"system": {
"installed": true,
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"instanceid": "***REMOVED SENSITIVE VALUE***",
"version": "25.0.4.2",
"forwarded_for_headers": [
"X-Forwarded-For"
],
"trusted_domains": [
"cloud.hmt-leipzig.de"
],
"default_phone_region": "DE",
"allow_local_remote_servers": true,
"overwrite.cli.url": "https:\/\/cloud.hmt-leipzig.de",
"overwritehost": "cloud.hmt-leipzig.de",
"overwriteprotocol": "https",
"dbtype": "pgsql",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": false
}
],
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"password": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"mail_smtpmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpsecure": "tls",
"mail_smtpauth": true,
"mail_smtpauthtype": "LOGIN",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"appstoreenabled": false,
"integrity.check.disabled": true,
"check_for_working_htaccess": false,
"log_level": 2
}
}
SAML configuration
- 1:
- general-uid_mapping: urn:oid:0.9.2342.19200300.100.1.1
- general-idp0_display_name: Login
- idp-entityId: <redacted>
- idp-singleSignOnService.url: <redacted>
- sp-x509cert: <redacted>
- sp-privateKey: <redacted>
- idp-singleLogoutService.url: <redacted>
- idp-x509cert: <redacted>
- saml-attribute-mapping-displayName_mapping: urn:oid:2.16.840.1.113730.3.1.241
- saml-attribute-mapping-email_mapping: urn:oid:0.9.2342.19200300.100.1.3
- security-nameIdEncrypted: 1
- security-authnRequestsSigned: 1
- security-logoutRequestSigned: 1
- security-signMetadata: 1
- security-wantAssertionsSigned: 1
- security-wantMessagesSigned: 1
- security-wantAssertionsEncrypted: 1
- security-wantNameId: 1
- security-wantXMLValidation: 1
- idp-singleLogoutService.responseUrl:
- security-logoutResponseSigned: 1
- security-wantNameIdEncrypted: 0
- sp-name-id-format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Client configuration
Browser: Chromium / Firefox / Chrome
Operating system: Fedora Linux
Logs
Here is the Shibboleth log, which contains the only messages I receive upon logout:
ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:709] - Error decrypting encrypted key: Unwrapping failed
ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:646] - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:538] - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
ERROR [org.opensaml.saml.saml2.encryption.Decrypter:183] - SAML Decrypter encountered an error decrypting element content: Failed to decrypt EncryptedData
WARN [org.opensaml.saml.saml2.profile.impl.DecryptNameIDs:99] - Profile Action DecryptNameIDs: Failure performing decryption
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:541)
WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: DecryptNameIDFailed
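As an added diagnostic (not part of the original report or of the user_saml app): the IdP reports that no valid decryption key could be resolved for the EncryptedKey. With security-nameIdEncrypted: 1 the SP encrypts the NameID in its LogoutRequest to the certificate configured as idp-x509cert, so one common cause is that this certificate is the IdP's signing certificate rather than one the IdP publishes for encryption use. The check below compares the SHA-256 fingerprint of the configured certificate against the encryption-use KeyDescriptors in the IdP's metadata; the metadata, entityID and certificate blobs are constructed placeholders, and the "use"-less KeyDescriptor rule (serves both signing and encryption) is per the SAML metadata spec.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 fingerprint of a certificate given as PEM or bare base64 DER."""
    body = "".join(
        line.strip() for line in pem_or_b64.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def idp_encryption_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the IdP publishes for encryption.
    A KeyDescriptor without a 'use' attribute covers signing and encryption."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "encryption") != "encryption":
            continue  # signing-only key: the IdP will not decrypt with it
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.add(cert_fingerprint(cert.text or ""))
    return found


def configured_cert_is_usable_for_encryption(configured_cert: str, metadata_xml: str) -> bool:
    """True if the idp-x509cert value matches a cert the IdP can decrypt with."""
    return cert_fingerprint(configured_cert) in idp_encryption_fingerprints(metadata_xml)


# Constructed sample: the blobs below are placeholders, not real DER certificates.
SIGNING_CERT_B64 = base64.b64encode(b"constructed-signing-cert").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"constructed-encryption-cert").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIGNING_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENCRYPTION_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("signing cert as idp-x509cert:", configured_cert_is_usable_for_encryption(SIGNING_CERT_B64, SAMPLE_IDP_METADATA))
    print("encryption cert as idp-x509cert:", configured_cert_is_usable_for_encryption(ENCRYPTION_CERT_B64, SAMPLE_IDP_METADATA))
```

Run it against the real IdP metadata and the certificate pasted into the user_saml settings; a False result means the encrypted NameID in the LogoutRequest cannot be decrypted by the IdP, so single logout never completes and the IdP session survives.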