OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

SAML Single Sign On or Single Logout to support HTTP-Redirect Binding #21448

Open shubjit opened 2 years ago

shubjit commented 2 years ago

Describe the use case that you want to enable:

Liberty seems to only support HTTP-POST binding for SAML Login and Logout based on our investigation

<md:SingleLogoutService
                        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        Location="https://......." />

We have configured our applications (RP) with Liberty OP which is further delegated to a SAML IDP. https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-configuring-saml-web-browser-sso-in

We had reports from clients that SAML Logout was not working when initiated via RP, and this was resolved via #18177

After applying the fix, there are still a few clients for whom the SAML logout does not work. While comparing the idpMetadata files, we see that for those customers who only have the SingleLogoutService HTTP-Redirect binding in the metadata file, the logout does not work.

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.com/mysaml/slo/"/>

For the SAML IdPs where the metadata contains the SingleLogoutService HTTP-POST binding, the logout works fine.

Describe why this is important to you: We have reports from Clients where their SAML logout does not work and their IDP only provides HTTP-Redirect binding, mostly for SingleLogoutService.

At the same time, for other applications (Non-Liberty) configured to the SAML IDP with the same idpmetadata file the logout works fine.

Additional context

I can reproduce the SAML logout behaviour locally with Liberty which is configured with SAML Metadata that does contain HTTP-POST binding for SingleLogoutService.

teddyjtorres commented 2 years ago

Hi @shubjit. Thank you for the issue. You are correct that Liberty's SAML Web SSO only supports the HTTP POST binding. This is documented in https://www.ibm.com/docs/en/was-liberty/nd?topic=authentication-saml-20-web-browser-single-sign:

The WebSphere® Application Server Liberty supports the SAML web browser single sign-on profile with HTTP Post bindings, and acts as a SAML service provider.

Therefore, the IdP must support the HTTP Post binding in order for the SLO to work correctly.

Before getting this issue accepted and prioritized, please indicate if your clients already opened an Idea using https://www.ibm.com/support/pages/node/6438917. This would let us know additional details about the requirements and how much interest there is in this enhancement.

Regards, Teddy
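The comparison the reporter did by hand (checking which SingleLogoutService bindings an IdP's metadata advertises) can be scripted. The following is an added example, not Open Liberty code; the metadata document is constructed for the example, reusing the HTTP-Redirect-only SingleLogoutService from the issue, and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata: SLO is offered over HTTP-Redirect only,
# which is the shape of the metadata the reporter saw logout fail with.
REDIRECT_ONLY_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://saml.example.com/mysaml/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://saml.example.com/mysaml/slo/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://saml.example.com/mysaml/sso/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_bindings(metadata_xml: str) -> dict:
    """Map each SingleLogoutService Binding URI in the metadata to its Location(s)."""
    root = ET.fromstring(metadata_xml)
    bindings = {}
    # Namespace-qualified tag: "{urn:oasis:names:tc:SAML:2.0:metadata}SingleLogoutService"
    for svc in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        bindings.setdefault(svc.get("Binding"), []).append(svc.get("Location"))
    return bindings


def liberty_slo_supported(metadata_xml: str) -> bool:
    """True when the IdP advertises an HTTP-POST SingleLogoutService endpoint,
    which is the binding Liberty's SAML Web SSO requires for SLO."""
    return HTTP_POST in slo_bindings(metadata_xml)


def report(metadata_xml: str) -> str:
    """One-line verdict an administrator can read before enabling SP-initiated logout."""
    bindings = slo_bindings(metadata_xml)
    if not bindings:
        return "no SingleLogoutService in metadata: SLO not available"
    if HTTP_POST in bindings:
        return "HTTP-POST SLO endpoint present: " + bindings[HTTP_POST][0]
    return "only " + ", ".join(sorted(bindings)) + ": Liberty SP-initiated SLO will not work"


if __name__ == "__main__":
    print(report(REDIRECT_ONLY_METADATA))
```

Metadata downloaded from a third party should be parsed with a hardened parser such as defusedxml rather than the stdlib ElementTree used here for brevity.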

shubjit commented 2 years ago

Thank you for the quick response on this @teddyjtorres. I will update our clients on the documentation and check if they can enable HTTP-POST on their IDPs.

I think we can lower the priority or close this one out and I will have our clients open an Idea if needed.

rrakich commented 5 months ago

We have found that MS Azure SAML IDP only supports HTTP-Redirect at this time and customers have no option to enable HTTP-Post. Reference documentation: https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-out-saml-protocol