Topic on Extension talk:PluggableAuth

When using simplesamlphp + AzureAD and pluggable auth on mediawiki 1.35, logging out throws the generic network error message: "Could not connect to the server. Make sure you have a working internet connection and try again."

In the web console the error is more specific:

"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at login.microsoftonline.com"

Logging in redirects fine, and accounts are created and populated with info from the SSO. Only logging out is the problem. Tried messing around with some of the CORS variables in settings, no change.

On Mediawiki 1.31 Everything is the same, and logout works as expected. Any ideas?

Thanks

I'll post my experience with this in case it helps anybody.

I think this is related to task T222626 which turned the Logout link into an API request and maybe task T246350. Azure AD only seems to support HTTP-Redirect for its single log out(SLO) binding, and does not return the CORS header needed to allow the browser to complete the logout process. Not sure if this is only the case with Azure AD or with any IDP using HTTP-Redirect.

Best

It does not work with my Shibboleth 4.0.1 IDP

Anyone happen to find a solution for this? Cheers!

I am seeing the same behavior when using https://hub.docker.com/r/kristophjunge/test-saml-idp/ as IdP.

I can confirm this issue also occurs with other IdPs and that it is actually related to T222626, which performs logout via an XHR to the "logout" action API. SAML is not build to work with XHRs at all. It relies on a regular HTTP redirect workflow, which doesn't go well with XHR calls. If you access "Special:UserLogout" manually and submit the form, everything will work just fine.

A quick workaround could be to knock out the code at /resources/src/mediawiki.page.ready/ready.js#L71-L93, e.g. by JavaScript like $( '#pt-logout a[data-mw="interface"]' ).off( 'click' ); in "MediaWiki:Common.js".

Of course this is not a good solution, as the user will also be asked to confirm the logout on "Special:UserLogout".

I can confirm this workaround functions, though it is indeed not ideal. Now the user needs to click the logout link, AND then the logout button on Special:UserLogout. Still better than a confusing error message though.

I have now created a Phabricator task for this https://phabricator.wikimedia.org/T305031

The JS solution provided above didn't work for me unfortunately, not sure why. Another workaround can be found in changing the id attribute of the 'log out hyperlink'. The following can be copied to LocalSettings.php:

$wgHooks['PersonalUrls'] = static function ( &$personal_urls, $title, $skin ) {
        if ( $skin->getUser()->isLoggedIn() ) {
                $personal_urls['logout2'] = $personal_urls['logout'];
                unset( $personal_urls['logout'] );
        }

        return true;
};

Clicking yet another button after clocking on the log out hyperlink is not ideal, but it's better than breaking the support for SAML Single Logout.

Thanks for sharing