GluuFederation / oxShibboleth

Shibboleth project for the Gluu Server's SAML IDP functionality.
MIT License

Implement SLO from SP/IDP/oxAuth #46

Open yurem opened 5 years ago

yurem commented 5 years ago

The entry point of logout flow should be: https://sp.gluu.org/Shibboleth.sso/Logout

yurem commented 5 years ago

This is one of the working possible flows: SP Logout -> https://[hostname]/idp/Authn/oxAuth/logout -> ./oxauth/restv1/end_session?… -> /idp/profile/Logout…

devrimyatar commented 5 years ago

It will be nice if we have back-channel logout: https://github.com/GluuFederation/foss-iam-book/blob/master/chapter3/chapter3.md#single-logout-profile-slo

yurem commented 5 years ago

The current logout entry point is https://%(hostname)s/idp/Authn/oxAuth/logout. /idp/Authn/oxAuth does the following:

  1. Sends a request to the oxAuth end_session endpoint with post_logout_redirect_uri=https:///idp/profile/Logout
  2. After getting the redirect from oxAuth to https:///idp/profile/Logout, the IDP does the logout

If we need to call the SP logout https://sp.gluu.org/Shibboleth.sso/Logout at the end, we can change /opt/shibboleth-idp/views/logout.vm to call this endpoint.

With back-channel logout the flow will be simpler.

@mzico Let me know if we need to improve this flow in 4.0

mzico commented 5 years ago

@yurem : I have reports from two customers: number_1: Satisfied but want to customize the landing page. number_2: still testing. I think we are good to go with this solution you provided for now.

durkovic commented 5 years ago

Gluu is using Shibboleth as an extension, i.e. during login it forwards the authentication work to oxAuth. All login endpoints are doing this fine:

https://server.name/idp/profile/SAML2/Redirect/SSO
https://server.name/idp/profile/SAML2/POST/SSO
...etc...

However, it seems that logout endpoints are not yet notifying oxAuth to destroy the user session on Gluu server.

I believe all of Shibboleth's logout endpoints, i.e.

https://server.name/idp/profile/SAML2/Redirect/SLO
https://server.name/idp/profile/SAML2/POST/SLO
https://server.name/idp/profile/Logout
...etc..

need to call the oxAuth logout procedure as the first step, to destroy the user session at the Gluu server.

Otherwise SAML SPs are unable to execute SSO Logout properly.

You can test e.g. on samltest.id that the current solution does not log the user out of oxAuth.

nynymike commented 5 years ago

Also see https://github.com/GluuFederation/oxShibboleth/issues/61

durkovic commented 5 years ago

After further analysis, it seems that everything needed on the SAML side is already working: the SP can initiate SLO, and it is properly propagated to the other SAML SPs if the user clicks Yes.

The only problem is that the SAML part of Gluu does not notify oxAuth about the user's logout, so the user's logged-in state is not destroyed.

@yurem wrote:

The current logout entry point is https://%(hostname)s/idp/Authn/oxAuth/logout. /idp/Authn/oxAuth does the following:

  1. Sends a request to the oxAuth end_session endpoint with post_logout_redirect_uri=https:///idp/profile/Logout
  2. After getting the redirect from oxAuth to https:///idp/profile/Logout, the IDP does the logout

I believe it will be sufficient to modify the above workflow:

  1. Logout entry point should be https://server.name/idp/profile/Logout
  2. as the first action, it should call oxAuth end_session
  3. after return from oxAuth, it should perform all the usual work.

All native SAML logout endpoints:

https://server.name/idp/profile/SAML2/Redirect/SLO
https://server.name/idp/profile/SAML2/POST/SLO
..etc...

redirect to https://server.name/idp/profile/Logout, so if oxAuth end_session is called from there, everything will work OK.

mzico commented 5 years ago

From my findings, SLO is working in 3.1.6 as it should. I will share a screencast today for your evaluation.

On June 28, 2019 2:07:31 PM GMT+06:00, "Marian Ďurkovič" notifications@github.com wrote:

> [durkovic's comment above, quoted in full]

durkovic commented 5 years ago

Here is an example flow which doesn't work. The user clicked logout on the SP web page, which triggers a SAML request to the standard endpoint /idp/profile/SAML2/Redirect/SLO:

GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?SAMLRequest=rZbbbqNIEIbv%2F..........
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1&_eventId=propagate
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2
GET https://gluu.server/idp/profile/PropagateLogout?SessionKey=1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2&_eventId=proceed

In the above flow there is no call to oxAuth, i.e. the user stays logged in at the Gluu server. You can test this at samltest.id.
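As an added example (not oxShibboleth's or Gluu's code, and not part of this thread), the script below does two things: it builds the oxAuth end_session redirect that /idp/Authn/oxAuth/logout issues today and that the proposal above says /idp/profile/Logout should issue as its first step, and it audits an HTTP trace like the one just posted, flagging an SP-initiated SLO in which the IdP propagates logout to the SPs but never reaches oxAuth. The endpoint paths are the ones named in this thread; the hostname gluu.server, the trace lines, the id_token_hint and state parameters (standard OIDC RP-Initiated Logout parameters, not shown in the thread) and the "fixed" trace are assumptions.

```python
"""Audit a Gluu/Shibboleth single-logout trace and build the oxAuth
end_session redirect the IdP must issue before propagating SLO.

Added example, not oxShibboleth code. Paths come from the issue thread;
hostname, trace lines and the id_token_hint/state parameters are assumptions.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint paths named in the issue thread.
OXAUTH_END_SESSION = "/oxauth/restv1/end_session"
IDP_LOGOUT = "/idp/profile/Logout"
IDP_SLO_PREFIX = "/idp/profile/SAML2/"          # .../Redirect/SLO, .../POST/SLO, ...
IDP_PROPAGATE = "/idp/profile/PropagateLogout"


def build_end_session_url(hostname, id_token_hint=None, state=None):
    """Return the oxAuth RP-initiated-logout URL the IdP should redirect to.

    post_logout_redirect_uri points back at /idp/profile/Logout so the IdP
    regains control once the oxAuth session is gone. OIDC RP-Initiated Logout
    requires the OP to validate that URI against the client's registered
    values, so the IdP's Logout URL must be registered in oxAuth (assumption
    about the deployment, not something the thread states).
    """
    params = {"post_logout_redirect_uri": f"https://{hostname}{IDP_LOGOUT}"}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    if state:
        params["state"] = state
    return f"https://{hostname}{OXAUTH_END_SESSION}?{urlencode(params)}"


def parse_trace(lines):
    """Parse 'METHOD URL' trace lines into (method, path, query) tuples."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        method, url = line.split(None, 1)
        parts = urlsplit(url)
        out.append((method, parts.path, parse_qs(parts.query)))
    return out


def audit_slo_trace(lines):
    """Classify a logout trace; the verdict is session_destroyed.

    sp_initiated  - flow entered through a SAML2 .../SLO endpoint with a SAMLRequest
    oxauth_called - some request hit oxAuth end_session
    redirect_ok   - that request sent post_logout_redirect_uri back to /idp/profile/Logout
    propagated    - the IdP ran PropagateLogout towards the other SPs
    """
    reqs = parse_trace(lines)
    sp_initiated = any(p.startswith(IDP_SLO_PREFIX) and p.endswith("/SLO")
                       and "SAMLRequest" in q for _, p, q in reqs)
    end_session = [q for _, p, q in reqs if p == OXAUTH_END_SESSION]
    redirect_ok = any(
        urlsplit(q.get("post_logout_redirect_uri", [""])[0]).path == IDP_LOGOUT
        for q in end_session)
    propagated = any(p == IDP_PROPAGATE for _, p, _ in reqs)
    return {
        "sp_initiated": sp_initiated,
        "oxauth_called": bool(end_session),
        "redirect_ok": redirect_ok,
        "propagated": propagated,
        "session_destroyed": bool(end_session),   # only oxAuth can end the Gluu session
    }


# Constructed trace modelled on the one posted in the issue: SP-initiated SLO
# that never reaches oxAuth. SAMLRequest and execution values are dummies.
BROKEN_TRACE = [l for l in """
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?SAMLRequest=rZbbbqNI
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1&_eventId=propagate
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2
GET https://gluu.server/idp/profile/PropagateLogout?SessionKey=1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2&_eventId=proceed
""".splitlines() if l.strip()]

# Constructed trace of the proposed order: the IdP calls oxAuth end_session
# first, gets redirected back to /idp/profile/Logout, then propagates as usual.
FIXED_TRACE = BROKEN_TRACE[:1] + [
    "GET " + build_end_session_url("gluu.server", state="x1"),
    "GET https://gluu.server/idp/profile/Logout?state=x1",
] + BROKEN_TRACE[1:]

if __name__ == "__main__":
    for name, trace in (("broken", BROKEN_TRACE), ("fixed", FIXED_TRACE)):
        print(name, audit_slo_trace(trace))
```

Run it against a real trace by pasting the request lines (from the browser's network tab or the IdP's access log) into the list: if `oxauth_called` is False while `propagated` is True, the SAML side did its job but the Gluu session survived, which is exactly the symptom this thread describes.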

mzico commented 5 years ago

@durkovic :

durkovic commented 5 years ago

Your screencast shows IdP-initiated SLO logout, i.e. when you request SLO on the Gluu IdP server by navigating to that special URL (https://Gluu_Server/idp/Authn/oxAuth/logout), it sends logout requests to all SPs. Yes, that works fine.

However, SP-initiated SLO logout is the problematic one. When a SAML application provides a logout button, it should request SLO by contacting one of the endpoints described in Gluu's IdP metadata, i.e.

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gluu.server/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gluu.server/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://gluu.server/idp/profile/SAML2/POST-SimpleSign/SLO"/>

Those endpoints work correctly as far as SAML is concerned: they accept the SP-initiated SAML logout request and redistribute it to all other SPs. But they don't log the user out of the Gluu server.