Client global logout doesn't work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pySAML2 | Fix Committed | Undecided | Unassigned |
Bug Description
After successfully adapting the djangosaml2 code to do a SAML authentication request and log in to my application using a simpleSAMLphp IdP, I tried to do the same with the logout process. But it doesn't quite work so well.
The problems are:
* Bug in client.py:412 what is assigned to destination is a dictionary, not an actual url. This is because the config format changed. You should do self.config[
* Bug in client.py:416 self.client.users should be self.users
* The global_logout method does not accept some basic parameters, such as the log and whether we want to sign the request or not. On the other hand, the local_logout method accepts too many parameters. Only the subject_id should be needed.
* Returning the request ids of the logout requests in the global_logout method is not very useful for the caller of such method. Instead, we should return a list of urls that the caller can redirect to perform the actual logout. This is equivalent to what the authenticate method does.
All of these problems are fixed in this revision: http://
There is also another thing: I don't understand why the global_logout returns a list of logout requests instead of just one. What's the rationale of this? In my code I just read the first element of this list ignoring the rest.
Changed in pysaml2:
status: New → Fix Committed
On 8/5/10 22:08, Lorenzo Gil Sanchez wrote:
> There is also another thing: I don't understand why the global_logout
> returns a list of logout requests instead of just one. What's the
> rationale of this? In my code I just read the first element of this list
> ignoring the rest.
>
You're probably correct. I was thinking about the case where you use one
IdP and several AAs for collecting the identity of a subject.
But then you will not log in to the AA, hence logout from an AA is sort
of strange.
-- Roland
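
The fourth point of the bug description asks for global_logout to return URLs the caller can redirect to, as authenticate does. The sketch below is an added example, not pySAML2 or djangosaml2 code: it builds one unsigned LogoutRequest per single-logout endpoint using the SAML HTTP-Redirect binding, and every function name, entity ID and endpoint URL in it is hypothetical.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr


def logout_redirect_url(slo_url, issuer, name_id, session_index=None, relay_state=None):
    """Return (request_id, url) for an unsigned LogoutRequest (hypothetical helper)."""
    request_id = "id-" + uuid.uuid4().hex
    instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    session = ""
    if session_index:
        session = "<samlp:SessionIndex>%s</samlp:SessionIndex>" % escape(session_index)
    xml = (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s" Destination=%s>'
        "<saml:Issuer>%s</saml:Issuer><saml:NameID>%s</saml:NameID>%s"
        "</samlp:LogoutRequest>"
    ) % (request_id, instant, quoteattr(slo_url), escape(issuer), escape(name_id), session)
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in slo_url else "?"
    return request_id, slo_url + separator + urlencode(params)


def global_logout_urls(issuer, name_id, slo_endpoints):
    """One (request_id, url) pair per endpoint; the caller redirects to each url."""
    return [logout_redirect_url(url, issuer, name_id) for url in slo_endpoints]


def decode_saml_request(url):
    """Reverse the binding encoding, e.g. to inspect a request while debugging."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values, not taken from the bug report.
    for rid, url in global_logout_urls("https://sp.example.org/metadata",
                                       "user@example.org",
                                       ["https://idp.example.org/slo"]):
        print(rid, url)
        print(decode_saml_request(url))
```

Keeping the request ID next to each URL lets the caller match the LogoutResponse's InResponseTo value when the IdP redirects back.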