Fix IDP-initiated SAML Single Logout and add diagnostic logging#5944

Draft
Copilot wants to merge 5 commits into develop from copilot/fix-saml-single-logout-service

Conversation

Copilot AI commented Feb 4, 2026

IDP-initiated SAML logout fails when the logout request arrives on a session without saml_uid set. The omniauth-saml gem's default handle_logout_request requires logout_request.name_id == session["saml_uid"], which fails when the user logs out from another SAML-connected service.

Changes

  • Override handle_logout_request in SamlDatabase to:

    • Validate request via is_valid? and log specific errors on failure
    • Destroy all database sessions matching name_id (handles cross-browser/session logout)
    • Return SloLogoutresponse to IDP
  • Add destroy_saml_sessions(saml_uid) class method to find and terminate matching sessions

  • Add diagnostic logging (debug level for PII, error level for validation failures)

Key difference from gem behavior

```ruby
# Gem's approach: fails if current session doesn't match
if logout_request.name_id == session["saml_uid"]
  # destroy only current session
end

# New approach: destroy all sessions for this user
Session.find_each do |session_record|
  next if session_record.data['saml_uid'] != name_id
  session_record.destroy
end
```

Note

Root cause is difficult to reproduce. Enhanced logging will help identify whether failures are due to validation issues or session mismatches.

Original prompt

This section details the original issue you should resolve.

<issue_title>SAML Single Logout Service not working correctly</issue_title>
<issue_description>
Used Zammad Version

5.4.0

Environment

  • Installation method: docker-compose: https://github.com/zammad/zammad-docker-compose.git
  • Operating system ubuntu 22.04 on host, but using docker
  • Database + version: docker image postgres:15.1-alpine
  • Elasticsearch version: docker image bitnami/elasticsearch:8.5.1
  • Browser + version: firefox 105, chrome (I don't think this is relevant)

Actual behaviour

SSO works fine, SLO initiated from Zammad works (even when logged in to other services).

But when I try to log out from another service and it calls Zammad in the logout chain, this error shows:
[screenshot attached]
And this is in the logs from the rails server:
_zammaddockercompose_zammad-railsserver_1_logs.txt
Here is the parsed logout request:
auth0_saml_slo_request.txt

(I replaced a few things with "...")

Expected behaviour

The session of the user should be deleted in Zammad and the SLO service should call back Auth0 to finish the logout process.

Steps to reproduce the behaviour

connect zammad via SAML (to Auth0):
Zammad Config:

  • IDP SSO target URL: https://...eu.auth0.com/samlp/...
  • IDP Single Logout target URL: https://...eu.auth0.com/samlp/.../logout
  • IDP certificate fingerprint: DD:90:36:FC:79:04:E1:4C:89:9F:90:14:8F:B6:46:AF:BF:38:F0:F1
  • Name Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • UID Attribute Name: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Auth0 config:

  • Login URI https://zammad..de/login
  • Callback URL https://zammad...de/auth/saml/callback
  • SAML config:
    { "mappings": { "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "name": "name" }, "passthroughClaimsWithNoMapping": false, "logout": { "callback": "https://zammad...de/auth/saml/slo", "slo_enabled": true }, "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "nameIdentifierProbes": [ "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" ] }

Then:

  • log in to Zammad and a different service also using SAML
  • log out of the other service.
    • it redirects to Zammad and then the error is thrown.

Support Ticket

No response

I'm sure this is a bug and no feature request or a general question.

no</issue_description>

Comments on the Issue (you are @copilot in this section)

@Bozo0511 Hi,

I tried to reproduce the issue.
I used Keycloak as the IDP, but was not able to reproduce the issue.

Can you please clarify for me what you mean with:

"log in to zammad an a different service also using SAML
log out of the other service.
it redirects to zammad and then the error is thrown."

I am not sure what exactly you mean by this.</comment_new>
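The two behaviours contrasted in the PR description, as an added example that is not the PR's or Zammad's code: it uses a constructed in-memory session store and a hypothetical minimal logout-request struct instead of Zammad's Session model and ruby-saml's SloLogoutrequest, and shows why validating before destroying anything matters.

```ruby
require 'logger'

# Constructed stand-ins (not Zammad or ruby-saml classes): a session row
# carrying the rack session data hash, and a parsed logout request exposing
# the two things the override needs, name_id and is_valid?.
SessionRecord = Struct.new(:session_id, :data)
LogoutRequest = Struct.new(:name_id, :valid) do
  def is_valid?
    valid
  end
end
# In-memory store mimicking Session.find_each and record.destroy.
class SessionStore
  attr_reader :records
  def initialize(records)
    @records = records.dup
  end
  def find_each(&block)
    @records.dup.each(&block) # iterate a copy so destroy is safe mid-loop
  end
  def destroy(record)
    @records.delete(record)
  end
end
# Gem behaviour as the PR describes it: only the current session is checked,
# so a session without saml_uid (or another browser) never matches.
def gem_style_logout(request, current_session)
  return :mismatch unless request.name_id == current_session['saml_uid']
  current_session.clear
  :destroyed
end
# PR behaviour: validate first (the request arrives unauthenticated over
# HTTP-Redirect, so nothing is destroyed before is_valid? passes), then end
# every stored session whose saml_uid equals the asserted NameID.
def handle_logout_request(request, store, logger: Logger.new(nil))
  unless request.is_valid?
    logger.error('SAML SLO: invalid logout request, no sessions touched')
    return { status: :invalid, destroyed: 0 }
  end
  destroyed = 0
  store.find_each do |rec|
    next if rec.data['saml_uid'] != request.name_id # exact, case-sensitive
    logger.debug("SAML SLO: destroying session #{rec.session_id}") # PII at debug only
    store.destroy(rec)
    destroyed += 1
  end
  logger.error('SAML SLO: no session matched NameID') if destroyed.zero?
  { status: :ok, destroyed: destroyed }
end
```

A request that fails `is_valid?` leaves every session in place, while a valid one ends all sessions for that NameID regardless of which browser the request arrived on.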



Copilot AI changed the title from "[WIP] Fix SAML Single Logout Service not working correctly" to "Fix IDP-initiated SAML Single Logout requests" on Feb 4, 2026
Copilot AI requested a review from dominikklein on February 4, 2026 15:18
Copilot AI changed the title from "Fix IDP-initiated SAML Single Logout requests" to "Fix IDP-initiated SAML Single Logout and add diagnostic logging" on Mar 1, 2026

Development

Successfully merging this pull request may close these issues.

SAML Single Logout Service not working correctly
