Change Request
Resolution: Unresolved
Minor
At the moment Zabbix tells whether it received an Authentication Response or a Logout Response from the SAML2 IdP by checking whether the URL contains 'acs' or 'sls' and whether the session variable saml_data is set.
It is hard to tell from the OASIS documents whether there are any requirements or recommendations on the ACS and SLS URLs. In practice some IdPs (one known case is Duo Access Gateway) put constraints on the URL strings.
The Duo Access Gateway mentioned above does not allow configuring ACS/SLS URLs with query strings, and only with certain hacks (URL rewriting in the web server and modifications to the php-saml toolkit code to disable strict URL validation) is it possible to make the two work together.
Possibly the current index_sso.php could either be split into two endpoint paths (OneLogin's toolkit has a demo with consume.php and slo.php as separate files: https://github.com/onelogin/php-saml/tree/master/demo2) or be enhanced to process both on a single endpoint by checking whether an Authentication Response or a Logout Response was received.
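As an added illustration of the single-endpoint option (this is not Zabbix code and not php-saml's), the Python below decides what arrived by the root element of the decoded SAML message rather than by the request path, for both the HTTP-POST and HTTP-Redirect bindings. The sample messages are constructed and unsigned; a real handler still validates the signature, Issuer, Destination and InResponseTo after this classification step.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Root element of the message -> what the endpoint should do with it
KINDS = {
    f"{{{SAMLP}}}Response": "authn_response",        # IdP answered an AuthnRequest
    f"{{{SAMLP}}}LogoutResponse": "logout_response",  # IdP answered our LogoutRequest
    f"{{{SAMLP}}}LogoutRequest": "logout_request",    # IdP-initiated single logout
}


def decode_saml_message(value, binding):
    """Undo the binding encoding: base64 for HTTP-POST, DEFLATE+base64 for HTTP-Redirect."""
    raw = base64.b64decode(value, validate=True)
    if binding == "redirect":
        raw = zlib.decompress(raw, wbits=-15)  # raw DEFLATE stream, no zlib header
    return raw


def encode_saml_message(xml, binding):
    """Inverse of decode_saml_message; used here only to build the constructed samples."""
    if binding == "redirect":
        comp = zlib.compressobj(wbits=-15)
        xml = comp.compress(xml) + comp.flush()
    return base64.b64encode(xml).decode("ascii")


def classify_saml_message(params, binding):
    """Return which SAML message (if any) the request carries, judged by its root element."""
    for param in ("SAMLResponse", "SAMLRequest"):
        if param in params:
            root = ET.fromstring(decode_saml_message(params[param], binding))
            return KINDS.get(root.tag, "unknown")
    return "none"


# Constructed minimal messages (real ones carry Issuer, Status, Assertion, Signature)
AUTHN_RESPONSE = b'<samlp:Response xmlns:samlp="%s" ID="_c1" Version="2.0"/>' % SAMLP.encode()
LOGOUT_RESPONSE = b'<samlp:LogoutResponse xmlns:samlp="%s" ID="_c2" Version="2.0"/>' % SAMLP.encode()
LOGOUT_REQUEST = b'<samlp:LogoutRequest xmlns:samlp="%s" ID="_c3" Version="2.0"/>' % SAMLP.encode()


def demo():
    """Same endpoint, three different inbound messages, two bindings."""
    return {
        "post_acs": classify_saml_message({"SAMLResponse": encode_saml_message(AUTHN_RESPONSE, "post")}, "post"),
        "redirect_sls": classify_saml_message({"SAMLResponse": encode_saml_message(LOGOUT_RESPONSE, "redirect")}, "redirect"),
        "idp_initiated_slo": classify_saml_message({"SAMLRequest": encode_saml_message(LOGOUT_REQUEST, "redirect")}, "redirect"),
        "plain_get": classify_saml_message({}, "redirect"),
    }
```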