GluuFederation/oxShibboleth

Implement SLO from SP/IDP/oxAuth

Opened this issue · 11 comments

yurem commented

The entry point of logout flow should be: https://sp.gluu.org/Shibboleth.sso/Logout

yurem commented

This is one of the working possible flows:
SP Logout -> https://[hostname]/idp/Authn/oxAuth/logout -> ./oxauth/restv1/end_session?… -> /idp/profile/Logout…

yurem commented

Current Logout entry point is https://%(hostname)s/idp/Authn/oxAuth/logout
/idp/Authn/oxAuth does the following:

  1. Send a request to the oxAuth end_session endpoint with post_logout_redirect_uri=https:///idp/profile/Logout
  2. After getting the redirect from oxAuth to https:///idp/profile/Logout, the IDP does the logout

If we need to call at the end SP logout https://sp.gluu.org/Shibboleth.sso/Logout we can change /opt/shibboleth-idp/views/logout.vm to call this endpoint.

With back-channel logout the flow will be simpler.

@mzico Let me know if we need to improve this flow in 4.0

mzico commented

@yurem : I have reports from two customers: number_1: satisfied but wants to customize the landing page. number_2: still testing. I think we are good to go with this solution you provided for now.

Gluu is using Shibboleth as an extension - i.e. during login it forwards authentication work to oxAuth. All login endpoints are doing this fine:

https://server.name/idp/profile/SAML2/Redirect/SSO
https://server.name/idp/profile/SAML2/POST/SSO
...etc...

However, it seems that logout endpoints are not yet notifying oxAuth to destroy the user session on Gluu server.

I believe all Shibboleth's logout endpoints, i.e.

https://server.name/idp/profile/SAML2/Redirect/SLO
https://server.name/idp/profile/SAML2/POST/SLO
https://server.name/idp/profile/Logout
...etc..

need to call the oxAuth logout procedure as the first step - to destroy the user session at the Gluu server.

Otherwise SAML SPs are unable to execute SSO Logout properly.

You can test e.g. on samltest.id that the current solution does not log the user out of oxAuth.

Also see #61

After further analysis, it seems that everything needed from the SAML side is already working - the SP could initiate SLO and it is properly propagated to the other SAML SPs if the user clicks Yes.

The only problem is that the SAML part of Gluu does not notify oxAuth about the user logout, so the user's logged-in state is not destroyed.

@yurem wrote:

Current Logout entry point is https://%(hostname)s/idp/Authn/oxAuth/logout
/idp/Authn/oxAuth does the following:

1. Send a request to the oxAuth end_session endpoint with post_logout_redirect_uri=https:///idp/profile/Logout

2. After getting the redirect from oxAuth to https:///idp/profile/Logout, the IDP does the logout

I believe it will be sufficient to modify the above workflow:

  1. Logout entry point should be https://server.name/idp/profile/Logout
  2. as the first action, it should call oxAuth end_session
  3. after return from oxAuth, it should perform all the usual work.

All native SAML logout endpoints:

https://server.name/idp/profile/SAML2/Redirect/SLO
https://server.name/idp/profile/SAML2/POST/SLO
..etc...

redirect to https://server.name/idp/profile/Logout,
so if oxAuth end_session is called from there, everything will work OK.

mzico commented

Here is an example flow which doesn't work.
The user clicked on logout at the SP webpage, which triggers a SAML request to the standard endpoint
/idp/profile/SAML2/Redirect/SLO

GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?SAMLRequest=rZbbbqNIEIbv%2F..........
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s1&_eventId=propagate
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2
GET https://gluu.server/idp/profile/PropagateLogout?SessionKey=1
GET https://gluu.server/idp/profile/SAML2/Redirect/SLO?execution=e10s2&_eventId=proceed

In the above flow, there's no call to oxAuth, i.e. the user stays logged in at the Gluu server.
You can test at samltest.id
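The fix proposed above (Logout round-trips through oxAuth end_session before the usual SAML propagation) and the trace in this comment, modelled as an added Python example that is not oxShibboleth code; the hostname, session stores and trace entries are constructed, and the end_session URL builder pins post_logout_redirect_uri to the IdP's own Logout endpoint.

```python
# Added example, not oxShibboleth code. Models the SP-initiated SLO problem described in
# this thread and the proposed fix; hostname, session handles and trace lines are constructed.
from urllib.parse import urlencode, urlparse

IDP = "https://gluu.server"                      # constructed IdP hostname
END_SESSION_PATH = "/oxauth/restv1/end_session"
IDP_LOGOUT = f"{IDP}/idp/profile/Logout"


def end_session_url(post_logout_redirect_uri: str) -> str:
    """Build the oxAuth end_session redirect the IdP should issue before its own logout.
    The return target is pinned to the IdP's own Logout URL so the parameter cannot be
    pointed anywhere else."""
    if post_logout_redirect_uri != IDP_LOGOUT:
        raise ValueError("post_logout_redirect_uri must be the IdP Logout endpoint")
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{IDP}{END_SESSION_PATH}?{query}"


def trace_calls_end_session(trace: list[str]) -> bool:
    """Detection check: does a captured request trace ever hit oxAuth end_session?"""
    return any(urlparse(u).path == END_SESSION_PATH for u in trace)


class GluuServer:
    """The three independent login states involved in a Gluu logout."""

    def __init__(self, sps: list[str]):
        self.oxauth_session = True                 # oxAuth (OpenID Connect) session
        self.idp_session = True                    # Shibboleth IdP session
        self.sp_sessions = {sp: True for sp in sps}
        self.trace: list[str] = []

    def propagate_logout(self):
        """What /idp/profile/Logout does today: SAML-level propagation only."""
        self.trace.append(f"{IDP}/idp/profile/PropagateLogout?SessionKey=1")
        self.sp_sessions = {sp: False for sp in self.sp_sessions}
        self.idp_session = False

    def sp_initiated_slo_current(self):
        """Current behaviour, as in the trace above: the SLO flow never calls oxAuth."""
        self.trace.append(f"{IDP}/idp/profile/SAML2/Redirect/SLO?SAMLRequest=ELIDED")
        self.propagate_logout()

    def sp_initiated_slo_proposed(self):
        """Proposed fix: Logout first redirects to oxAuth end_session, then proceeds."""
        self.trace.append(f"{IDP}/idp/profile/SAML2/Redirect/SLO?SAMLRequest=ELIDED")
        self.trace.append(end_session_url(IDP_LOGOUT))
        self.oxauth_session = False                # oxAuth destroys the user session
        self.trace.append(IDP_LOGOUT)              # oxAuth redirects back to the IdP
        self.propagate_logout()
```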

mzico commented

@durkovic :

  • Screencast : https://www.youtube.com/watch?v=xssGsd8Wxfw&feature=youtu.be
  • Description:
    • Two SAML SPs. localsp.gluu.org and localsp2.gluu.org
    • One OpenID connect RP: localrp.gluu.org
    • Gluu Server 3.1.6 DE.
    • Initiated SSO from localsp.gluu.org: success
    • Initiated SSO from localsp2.gluu.org: success
    • Used Gluu Server's Logout link to log out from localsp2.gluu.org: https://Gluu_Server/idp/Authn/oxAuth/logout : success
    • Logout happened + SLO happened
    • Initiated SSO from OpenID connect RP (localrp.gluu.org).
      • It's asking for authentication
    • New tab: tried old SAML SPs; all require authentication.

Your screencast shows IdP-initiated SLO logout - i.e. when you request SLO on the Gluu IdP server by navigating to that special URL (https://Gluu_Server/idp/Authn/oxAuth/logout), it sends logout requests to all SPs. Yes, that works fine.

However, SP-initiated SLO logout is the problematic one. When SAML application provides logout button, it should request SLO by contacting one of the endpoints described in Gluu's IdP metadata, i.e.

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gluu.server/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gluu.server/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://gluu.server/idp/profile/SAML2/POST-SimpleSign/SLO"/>

Those endpoints work correctly as far as SAML is concerned - they correctly accept the SP-initiated SAML logout request and redistribute it to all other SPs. But they don't log the user out of the Gluu server.