Open Ma27 opened 8 months ago
From your link:
After looking through the code, it appears as if what is currently implemented is the expected behavior. The logouturl parameter is only used in Step 11 from the diagram. There currently isn't any mechanism in place for step 2, which is what you'd like MeshCentral to do. I'm not certain if step 10 would have to be handled at all, but it is possible depending on the IdP.
It also doesn't appear as if any other SSO providers have this implemented yet either. I was hoping to find some code in the OpenID handlers I could use as a template for you, but no such luck.
You can jump through some hoops on the IdP side of things sometimes. That's what I ended up doing with my openid provider. It would be a nice feature to have, though.
Describe the bug
Currently, it's possible to define a logouturl for the SAML provider (since https://github.com/Ylianst/MeshCentral/issues/3202). That however doesn't seem sufficient for a proper SLO logout, see also https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout. In fact, redirecting to the IdP's logout URL is insufficient, since it complains about a missing SAML payload (as expected).
cc @Ylianst
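
What the missing SAML payload looks like on the wire, as an added example that is not part of the original issue and not MeshCentral's code: an SP-initiated SAML 2.0 LogoutRequest encoded for the HTTP-Redirect binding, optionally signed. The function names are hypothetical, and it assumes the IdP accepts the Redirect binding with an RSA-SHA256 query-string signature and that the NameID and SessionIndex from the login assertion were stored in the session.

```javascript
// Added example (not MeshCentral code): SP-initiated SAML 2.0 LogoutRequest, HTTP-Redirect binding.
const zlib = require('zlib');
const crypto = require('crypto');

// Escape values so a NameID or URL cannot break out of the XML.
function xmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// nameId and sessionIndex come from the assertion the IdP issued at login (assumed stored).
function buildLogoutRequest({ issuer, destination, nameId, sessionIndex }) {
  const id = '_' + crypto.randomBytes(16).toString('hex'); // xs:ID may not start with a digit
  const xml =
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"' +
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"' +
    ` ID="${id}" Version="2.0" IssueInstant="${new Date().toISOString()}"` +
    ` Destination="${xmlEscape(destination)}">` +
    `<saml:Issuer>${xmlEscape(issuer)}</saml:Issuer>` +
    `<saml:NameID>${xmlEscape(nameId)}</saml:NameID>` +
    (sessionIndex ? `<samlp:SessionIndex>${xmlEscape(sessionIndex)}</samlp:SessionIndex>` : '') +
    '</samlp:LogoutRequest>';
  return { id, xml }; // keep id to match InResponseTo on the IdP's LogoutResponse
}

// Redirect binding: raw DEFLATE -> base64 -> URL-encode. When a key is given, the
// signature covers the exact octets "SAMLRequest=..&RelayState=..&SigAlg=..".
function toRedirectUrl(logoutUrl, xml, { relayState, privateKey } = {}) {
  const b64 = zlib.deflateRawSync(Buffer.from(xml, 'utf8')).toString('base64');
  let query = 'SAMLRequest=' + encodeURIComponent(b64);
  if (relayState) query += '&RelayState=' + encodeURIComponent(relayState);
  if (privateKey) {
    query += '&SigAlg=' + encodeURIComponent('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256');
    const sig = crypto.sign('sha256', Buffer.from(query), privateKey).toString('base64');
    query += '&Signature=' + encodeURIComponent(sig);
  }
  return logoutUrl + (logoutUrl.includes('?') ? '&' : '?') + query;
}

// Inverse of the encoding, for checking what would be sent to the IdP.
function decodeSamlRequest(redirectUrl) {
  const b64 = new URL(redirectUrl).searchParams.get('SAMLRequest');
  return zlib.inflateRawSync(Buffer.from(b64, 'base64')).toString('utf8');
}
```

The local session should only be treated as fully logged out once the IdP's LogoutResponse arrives with an `InResponseTo` equal to the returned `id` and a success status.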