Logging out using passport-saml: req.logout() or Strategy.logout(), or both?

Views: 106

Question


I have a question regarding the proper way to log out a user when using passport-saml for authentication.


The example script with passport-saml shows logging out as this:

app.get('/logout', function(req, res){
  req.logout();
  res.redirect('/');
});


From what I can tell, this will end the local passport session, but it doesn't seem to send a logout request to the SAML IdP. When the user does another login, it redirects to the IdP but immediately redirects back with the authenticated user. Is there a way to logout with the IdP so that the user has to enter their password again when signing in to my site? I've seen other sites that use our IdP do this, so I think it's possible.


I did notice in the passport-saml code that there is a logout() method on the passport-saml Strategy object, which doesn't seem to be called by req.logout(). So I tried switching the code to this:

app.get('/logout', function(req, res) {
    //strategy is a ref to passport-saml Strategy instance 
    strategy.logout(req, function(){
        req.logout();
        res.redirect('/');
    });
});


But I got this error deep in XMLNode.js:

Error: Could not create any elements with: [object Object]
   at XMLElement.module.exports.XMLNode.element (/.../node_modules/passport-saml/node_modules/xmlbuilder/lib/XMLNode.js:74:15)
   at XMLElement.module.exports.XMLNode.element (/.../node_modules/passport-saml/node_modules/xmlbuilder/lib/XMLNode.js:54:25)
   at XMLElement.module.exports.XMLNode.element (/.../node_modules/passport-saml/node_modules/xmlbuilder/lib/XMLNode.js:54:25)
   at new XMLBuilder (/.../node_modules/passport-saml/node_modules/xmlbuilder/lib/XMLBuilder.js:27:19)
   at Object.module.exports.create (/.../node_modules/passport-saml/node_modules/xmlbuilder/lib/index.js:11:12)
   at SAML.generateLogoutRequest (/.../node_modules/passport-saml/lib/passport-saml/saml.js:169:21)


Am I not calling this method correctly? Or should I not be calling this method directly and calling some other method instead?


I see that in generateLogoutRequest() it is referring to two properties on the req.user that I'm not sure are there:

  'saml:NameID' : {
    '@Format': req.user.nameIDFormat,
    '#text': req.user.nameID
  }


If these properties are not there, will that cause this error? If so, I assume that maybe I need to ensure that these properties are added to the user object that is returned from the verify callback function?


Thanks for any help anyone might be able to provide on this.

Answer


Yes, adding the nameIDFormat and nameID to the user will solve the issue.

1. To enable logout, you should configure the logoutUrl option in the strategy:

logoutUrl: 'http://example.org/simplesaml/saml2/idp/SingleLogoutService.php',


The logout method in the strategy does not actually send any request. The callback function is called with the request as a parameter.

To start the logout process:

passport.logoutSaml = function(req, res, next) {
    //Here add the nameID and nameIDFormat to the user if you stored it someplace.
    req.user.nameID = req.user.saml.nameID;
    req.user.nameIDFormat = req.user.saml.nameIDFormat;

    samlStrategy.logout(req, function(err, request){
        if(err){
            //hand the error to express instead of leaving the response hanging
            return next(err);
        }
        //redirect to the IdP Logout URL (request is the redirect URL string)
        res.redirect(request);
    });
};


Edit: the nameId and nameIdFormat have to be saved somewhere on successful login:

var samlStrategy = new SamlStrategy(
  {
    callbackUrl: 'https://mydomain/auth/saml/callback',
    entryPoint: 'https://authprovider/endpoint',
    logoutUrl: 'https://authprovider/logoutEndPoint',
    issuer: 'passport-saml'
  },
  function(profile, done) {
      //Here save the nameId and nameIDFormat somewhere
      var user = {};
      user.saml = {};
      user.saml.nameID = profile.nameID;
      user.saml.nameIDFormat = profile.nameIDFormat;

      //Do save, then hand the user object to passport
      done(null, user);
  });

2. You also have to create an endpoint for the logout callback:


This URL should be configured in your SP metadata in your IdP configuration. The IdP will redirect to that URL once the logout is done.

In your routes:

app.post('/auth/saml/logout/callback', passport.logoutSamlCallback);

In your passport configuration:

passport.logoutSamlCallback = function(req, res){
    req.logout();
    res.redirect('/');
}

