elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Properly handle Logout Response coming from SAML IdP. #69506

Open azasypkin opened 4 years ago

azasypkin commented 4 years ago

Summary

If the Identity Provider supports SAML Single Logout (SLO) and Elasticsearch is configured to support that as well, the user may be redirected to Kibana's /logout endpoint with a SAMLResponse parameter that includes a SAML Logout Response as the final step of the SLO.

Currently neither Kibana nor Elasticsearch can properly consume these logout responses, but Elasticsearch will be able to do so soon (https://github.com/elastic/elasticsearch/pull/56316). Until then users may have a very confusing experience during logout: when, at the final stage of SLO, Kibana receives the logout response, the user will be redirected to the Kibana home page, which will automatically trigger a new SAML authentication (or redirect to the Login Selector if multiple providers are configured). And if the IdP isn't forced to re-authenticate the user every time, the user will be automatically logged in again. For users who are not aware of this behavior it may look like logout didn't work at all.

The fix for this behavior consists of three stages:

elasticmachine commented 4 years ago

Pinging @elastic/kibana-security (Team:Security)

legrego commented 3 years ago

Once Core's HttpResources can support the POST method in addition to GET, we can handle SLO Responses coming via both HTTP-Redirect and HTTP-POST bindings.

@azasypkin / @restrry do either of you know if there is an issue for this yet that we can track?

mshustov commented 3 years ago

@legrego created https://github.com/elastic/kibana/issues/80822