yurem opened 5 years ago
This is one of the working possible flows: SP Logout -> https://[hostname]/idp/Authn/oxAuth/logout -> ./oxauth/restv1/end_session?… -> /idp/profile/Logout…
It will be nice if we have back-channel logout: https://github.com/GluuFederation/foss-iam-book/blob/master/chapter3/chapter3.md#single-logout-profile-slo
Current Logout entry point is https://%(hostname)s/idp/Authn/oxAuth/logout
/idp/Authn/oxAuth does the following:
1) Send requests to the oxAuth end_session endpoint with post_logout_redirect_uri=https://
If we need to call the SP logout https://sp.gluu.org/Shibboleth.sso/Logout at the end, we can change /opt/shibboleth-idp/views/logout.vm to call this endpoint.
With back-channel logout the flow will be simpler.
@mzico Let me know if we need to improve this flow in 4.0
@yurem : I have reports from two customers: number_1: Satisfied but want to customize the landing page. number_2: still testing. I think we are good to go with this solution you provided for now.
Gluu is using Shibboleth as an extension - i.e. during login it forwards authentication work to oxAuth. All login endpoints are doing this fine:
https://server.name/idp/profile/SAML2/Redirect/SSO https://server.name/idp/profile/SAML2/POST/SSO ...etc...
However, it seems that the logout endpoints are not yet notifying oxAuth to destroy the user session on the Gluu server.
I believe all of Shibboleth's logout endpoints, i.e.
https://server.name/idp/profile/SAML2/Redirect/SLO https://server.name/idp/profile/SAML2/POST/SLO https://server.name/idp/profile/Logout ...etc..
need to call the oxAuth logout procedure as the first step - to destroy the user session at the Gluu server.
Otherwise SAML SPs are unable to execute SSO Logout properly.
You can test e.g. on samltest.id that the current solution does not log the user out from oxAuth.
After further analysis, it seems that everything needed from the SAML side is already working - the SP can initiate SLO and it is properly propagated to the other SAML SPs if the user clicks Yes.
The only problem is that the SAML part of Gluu does not notify oxAuth about the user logout, so the user's logged-in state is not destroyed.
@yurem wrote:
Current Logout entry point is https://%(hostname)s/idp/Authn/oxAuth/logout
/idp/Authn/oxAuth do next:
1. Send requests to oxAuth end_session session endpoint with post_logout_redirect_uri=https:///idp/profile/Logout
2. After getting redirect from oxAuth to https:///idp/profile/Logout IDP do logout
I believe it will be sufficient to modify the above workflow:
All native SAML logout endpoints:
https://server.name/idp/profile/SAML2/Redirect/SLO https://server.name/idp/profile/SAML2/POST/SLO ..etc...
redirect to https://server.name/idp/profile/Logout, so if oxAuth end_session is called from there, everything will work OK.
From my findings, SLO is working in 3.1.6 as it should. I will share a screencast today for your evaluation.
On June 28, 2019 2:07:31 PM GMT+06:00, "Marian Ďurkovič" notifications@github.com wrote:
After further analysis, it seems that everything needed from the SAML side is already working - the SP can initiate SLO and it is properly propagated to the other SAML SPs if the user clicks Yes.
The only problem is that the SAML part of Gluu does not notify oxAuth about the user logout, so the user's logged-in state is not destroyed.
@yurem wrote:
Current Logout entry point is https://%(hostname)s/idp/Authn/oxAuth/logout
/idp/Authn/oxAuth do next:
1. Send requests to oxAuth end_session session endpoint with post_logout_redirect_uri=https:///idp/profile/Logout
2. After getting redirect from oxAuth to https:///idp/profile/Logout IDP do logout
I believe it will be sufficient to modify the above workflow:
- Logout entry point should be https://server.name/idp/profile/Logout
- as the first action, it should call oxAuth end_session
- after return from oxAuth, it should perform all the usual work.
All other SAML logout endpoints:
https://server.name/idp/profile/SAML2/Redirect/SLO https://server.name/idp/profile/SAML2/POST/SLO ..etc...
redirect to https://server.name/idp/profile/Logout, so if oxAuth end_session is called from there, everything will work OK.
Here is an example flow which doesn't work. The user clicked on logout at the SP webpage, which triggers a SAML request to the standard endpoint /idp/profile/SAML2/Redirect/SLO
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?SAMLRequest=rZbbbqNIEIbv%2F..........
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1&_eventId=propagate
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2
GET https://gluu.server/idp/profile/PropagateLogout?SessionKey=1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2&_eventId=proceed
In the above flow, there's no call to oxAuth, i.e. the user stays logged in at the Gluu server. You can test at samltest.id
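A small checker for the two redirect chains discussed in this thread, added here as an example (not code from the oxShibboleth project): it walks a captured request trace and reports whether the chain ever reached the oxAuth end_session endpoint and whether its post_logout_redirect_uri stays on the IdP host. The hosts and both traces are constructed to mirror the flows above; the end_session path /oxauth/restv1/end_session is taken from the first comment.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed traces (hypothetical host gluu.server), modelled on the chains in the thread.
# SP-initiated SLO: Shibboleth propagates to other SPs but never calls oxAuth.
SP_INITIATED_TRACE = """
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?SAMLRequest=REDACTED
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1&_eventId=propagate
GET https://gluu.server/idp/profile/PropagateLogout?SessionKey=1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2&_eventId=proceed
"""

# IdP-initiated logout via /idp/Authn/oxAuth/logout: end_session is called, then the IdP logs out.
IDP_INITIATED_TRACE = """
GET https://gluu.server/idp/Authn/oxAuth/logout
GET https://gluu.server/oxauth/restv1/end_session?post_logout_redirect_uri=https%3A%2F%2Fgluu.server%2Fidp%2Fprofile%2FLogout
GET https://gluu.server/idp/profile/Logout
"""

END_SESSION_PATH = "/oxauth/restv1/end_session"
IDP_LOGOUT_PATH = "/idp/profile/Logout"


def parse_trace(text):
    """Return the request URLs from a 'METHOD URL' trace, one request per line."""
    urls = []
    for line in text.strip().splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            urls.append(parts[1].strip())
    return urls


def check_slo_trace(text, idp_host):
    """Report whether the chain terminated the OP session (end_session on the IdP host),
    whether the post_logout_redirect_uri stays on that host, and whether the IdP's own
    logout profile was reached afterwards."""
    result = {"end_session_called": False, "redirect_uri_on_idp": None,
              "idp_logout_reached": False}
    for url in parse_trace(text):
        u = urlsplit(url)
        if u.hostname != idp_host:
            continue
        if u.path == END_SESSION_PATH:
            result["end_session_called"] = True
            target = parse_qs(u.query).get("post_logout_redirect_uri", [""])[0]
            result["redirect_uri_on_idp"] = urlsplit(target).hostname == idp_host
        elif u.path == IDP_LOGOUT_PATH:
            result["idp_logout_reached"] = True
    return result
```

Feeding a browser's captured request list into check_slo_trace() turns the manual samltest.id check into a repeatable assertion that SP-initiated SLO actually ends the oxAuth session.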
@durkovic :
localsp.gluu.org and localsp2.gluu.org, localrp.gluu.org
localsp.gluu.org : success
localsp2.gluu.org : success
localsp2.gluu.org : https://Gluu_Server/idp/Authn/oxAuth/logout : success
localrp.gluu.org
Your screencast shows IdP-initiated SLO logout - i.e. when you request SLO on the Gluu IdP server by navigating to that special URL (https://Gluu_Server/idp/Authn/oxAuth/logout), it sends logout requests to all SPs. Yes, that works fine.
However, SP-initiated SLO logout is the problematic one. When a SAML application provides a logout button, it should request SLO by contacting one of the endpoints described in Gluu's IdP metadata, i.e.
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gluu.server/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gluu.server/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://gluu.server/idp/profile/SAML2/POST-SimpleSign/SLO"/>
Those endpoints work correctly as far as SAML is concerned - they correctly accept the SP-initiated SAML logout request and redistribute it to all other SPs. But they don't log the user out of the Gluu server.
The entry point of the logout flow should be: https://sp.gluu.org/Shibboleth.sso/Logout