rancher / dashboard

The Rancher UI
https://rancher.com
Apache License 2.0

Support SAML Single Logout (SLO) #10941

Open richard-cox opened 2 months ago

richard-cox commented 2 months ago

SURE-3572

andreas-kupries commented 2 months ago

Info from the referenced PR:

  1. Extended AuthConfig, SamlConfig with the proposed flags about SLO (supported, enabled, forced).
  2. Based on the CRD setup the supported flag might be nonsense.
  3. As in, cannot be set into the initial AuthConfig CR instances. UI may have to simply know that only the SAML providers support SLO, and none of the others.
  4. New structures SamlConfigLogoutInput, and ...Output. Same fields as the known SamlConfigTest... structures. Hold the request/response data from/to the UI for the logoutAll action (see below).
  5. The tokens API should export a new action logoutAll.
  6. Basic implementation of the logout flow. Compiles, untested.
  7. Linkage between token manager and saml to invoke the flow from the frontend

KNOWN ISSUES: Does not guard against call of regular logout when SLO is forced. Does guard against forced but not enabled, and call to logout-all when not enabled.

I hope that is enough to get UI work somewhat started, even without a Rancher image containing this.
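The comment above describes three SLO flags (supported, enabled, forced), a new `logoutAll` token action, and the guards the draft does and does not have. The following is an added illustration of how those guards fit together; it is not Rancher's code, and the type and function names (`SLOConfig`, `GuardLogout`, `GuardLogoutAll`) are assumptions chosen for the example, not the dashboard's or the backend's actual API. It also fills the gap the comment lists as a known issue: a regular logout is refused while SLO is forced, so a session cannot be ended locally while the IdP session is left alive.

```go
package main

import (
	"errors"
	"fmt"
)

// SLOConfig mirrors the three SLO flags the comment proposes for SamlConfig.
// Field names are assumptions for this example, not Rancher's CRD schema.
type SLOConfig struct {
	Supported bool // the provider type can do SLO at all (only SAML providers, per the comment)
	Enabled   bool // an admin has turned SLO on for this provider
	Forced    bool // every logout must be a single logout through the IdP
}

// Sentinel errors so callers (and tests) can distinguish the guard that fired.
var (
	ErrSLONotSupported  = errors.New("single logout is not supported by this auth provider")
	ErrSLONotEnabled    = errors.New("single logout is not enabled")
	ErrForcedNotEnabled = errors.New("forced SLO requires SLO to be enabled")
	ErrSLOForced        = errors.New("single logout is forced; use logoutAll instead")
)

// Validate rejects inconsistent flag combinations at configuration time, so the
// per-action guards below can trust the flags: "forced but not enabled" is the
// case the comment says the draft already guards against.
func (c SLOConfig) Validate() error {
	if c.Forced && !c.Enabled {
		return ErrForcedNotEnabled
	}
	if c.Enabled && !c.Supported {
		return ErrSLONotSupported
	}
	return nil
}

// GuardLogout is the check for the regular, Rancher-only logout action. The
// comment lists this as the missing guard: when SLO is forced, a plain logout
// that leaves the IdP session alive must be refused.
func (c SLOConfig) GuardLogout() error {
	if err := c.Validate(); err != nil {
		return err
	}
	if c.Forced {
		return ErrSLOForced
	}
	return nil
}

// GuardLogoutAll is the check for the new logoutAll action: it may only run
// when SLO is enabled (and therefore supported), matching the second guard
// the comment describes.
func (c SLOConfig) GuardLogoutAll() error {
	if err := c.Validate(); err != nil {
		return err
	}
	if !c.Enabled {
		return ErrSLONotEnabled
	}
	return nil
}

func main() {
	// Constructed sample configurations, one per interesting case.
	cases := map[string]SLOConfig{
		"saml, slo off":        {Supported: true},
		"saml, slo on":         {Supported: true, Enabled: true},
		"saml, slo forced":     {Supported: true, Enabled: true, Forced: true},
		"saml, forced not on":  {Supported: true, Forced: true},
		"non-saml, slo on":     {Enabled: true},
	}
	for name, c := range cases {
		fmt.Printf("%-20s logout=%v logoutAll=%v\n", name, c.GuardLogout(), c.GuardLogoutAll())
	}
}
```

Keeping the consistency check in `Validate` and calling it from both guards means a misconfigured provider fails closed on every logout path rather than only on the one that happened to be checked.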

cnotv commented 2 months ago

FYI we do not have logout tests with credentials

gaktive commented 1 month ago

@richard-cox with what else is on your 2.9.0 plate, is this something that @aalves08 can pick up?

richard-cox commented 1 month ago

Happy to hand over and offer guidance if needed

aalves08 commented 1 month ago

@rancher/docs the documentation for Rancher Manager will need updating with regard to how users should configure Single Logout on each of the SAML providers. Ex: https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml

Final UX will be coming soon (PR https://github.com/rancher/dashboard/pull/11182 is still WIP)

sunilarjun commented 1 month ago

Hello @aalves08, I have created a docs issue for this and any docs related questions or comments can be directed there. Thank you!

richard-cox commented 1 month ago

@gaktive I've moved this to backend blocked given an issue we see with Okta.

@andreas-kupries has confirmed his backend changes and our frontend changes work with Keycloak SAML; however, there's an issue he's following up on when using Okta. In theory we could merge our side; however, it would be good to validate the changes in Okta and do a bit of dev testing on our side as well.

gaktive commented 3 weeks ago

Backend won't be able to complete this in time for 2.9.0 so pushing to 2.10.0