By: Qaiser Iftikhar user 01 Jul 2019 at 3:44 a.m. CDT

12 Responses
We have enabled Passport support in Gluu and enabled couple of external providers. Is there a way to logout of the external provider when user is logging out of gluu?

By William Lowe staff 01 Jul 2019 at 4:19 a.m. CDT

Do the external providers support back channel logout?

By Qaiser Iftikhar user 01 Jul 2019 at 4:47 a.m. CDT

They do support front channel logout. I am not sure if they do/don't support back channel, I have raised the query with them to check if it is supported. I will update this ticket once I have the response.

By Qaiser Iftikhar user 01 Jul 2019 at 4:49 a.m. CDT

Does gluu support back channel external provider logout? Would be helpful if you can point me to the relevant docs.

By William Lowe staff 01 Jul 2019 at 4:54 a.m. CDT

Logout is initiated by the application (the "SP" or "RP" depending on which protocol you're using). When the user logs out of an app, it can send the end session to the external IDPs. Keep in mind, once a user gets a session in an *external* IDP, the session is now outside the control of Gluu. Closing this ticket out, as the basic question has been answered. If you run into specific questions during implementation, please feel free to open a new ticket. But your implementation should simply depend on configuration in your app, and in your external IDPs -- i.e. not Gluu, unless the external IDPs are Gluu Servers themselves.

By Qaiser Iftikhar user 01 Jul 2019 at 5:18 a.m. CDT

I am sorry but that is not a very satisfactory answer. Also it is not very pleasant customer service to close the ticket w/o getting the response from the customer to check if the response has actually answered the question. The application does not know if it is authenticated with an external provider; the app is authenticated with Gluu and the token/session is provided by Gluu. What we are looking to achieve is: when the application ends its session with Gluu, we would like to end the session with the external IDP, assuming Gluu knows which external IDP was used to authenticate the user?

By Michael Schwartz staff 01 Jul 2019 at 8:01 a.m. CDT

I re-opened the issue. This is a very tricky use case. Keep in mind that logout is an industry challenge--it's not specific to any vendor. In reality, logout is an asynchronous process: a person initiates a logout (somewhere), and then this requires coordination with a number of websites and IDPs. However, the user does not want to wait a long time for a logout confirmation. This is why the problem is asynchronous: you need to return quickly, and ideally some messages would be sent (or re-sent if necessary) until the logout is achieved. There is a new IETF effort called "Security Events" which is attempting to put together such a solution. However, don't hold your breath for websites and IDPs to support it. No one knows when and if that will happen.

In the meantime, logout scenarios need to be considered, and a solution designed, on a case by case basis. You need to take into consideration all the protocols. It's common that a person logs into a SAML IDP, navigates to some SAML protected websites, and then goes to sites protected by OpenID Connect. Of course, OpenID Connect and SAML have different logout mechanisms. Also keep in mind that websites have their own application session, and perhaps their own requirements for logout (which may or may not align with federated identity standards). This can lead to a toxic combination of logout requirements.

In version 3.1.6:

```java
html += "<script>" +
    "window.onload=function() {" +
    "window.location='" + postLogoutUrl + "'" +
    "}" +
    "</script>";
}
html += "<title>Gluu Generated logout page</title>" +
    "</head>" +
    "<body>" +
    "Logout requests sent.<br/>" +
    iframes +
    "</body>" +
    "</html>";
```

When processing this code, oxAuth loads the grant and finds all the clients associated with it. Passport-js is connected to oxAuth via an Authentication interception script. In this script, there is a `logout` method which is invoked at logout, and could be used to make back-channel calls.

If that is not going to work, there are custom workarounds. You can develop a custom landing page to handle the various logouts--both to the Gluu Server, and then to the respective backend IDPs. But this is outside the services provided on this support forum. Your developers, or a professional services provider, would implement this solution, and ask any questions about challenges uncovered along the way here. In version 4.1, we are considering adding another custom interception script for "Person Logout", in which we would offer the ability to overwrite the default logout behaviour described above, and to enable the generation of a page according to this business logic. Hope that helps. We can keep the issue open, but let us know what your specific question is from here.

By Mackenzie Clark user 24 Oct 2019 at 10:59 a.m. CDT

I'm also interested in SLO for an external IDP. In my situation, I am providing an external metadata file to my external IDP maintainer. I can get this metadata by reading from `https://<hostname>/passport/auth/meta/idp/<IDP-id-from-passport-saml-config>`. Other access solutions have a similar strategy for getting this metadata.xml, and they generally have a field marked `SingleLogoutService`, e.g. `<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my-tenant.auth0.com/logout"/>`. When I get the metadata.xml from Gluu, I only see the `AssertionConsumerService` and no field marked `SingleLogoutService`. Is this expected? I'm not sure how @Michael.Schwartz's answer above is related to my problem, but it's very possible I just don't understand well enough. Thanks!

By Michael Schwartz staff 24 Oct 2019 at 11:31 a.m. CDT

`SingleLogoutService` looks like it's supported by [passport-saml](https://github.com/bergie/passport-saml/). Maybe it's not configured. We'll look into it. BTW, I was just saying to lower your expectations about logout, because it's very buggy in federated identity protocols like SAML and OpenID Connect.

By Mackenzie Clark user 24 Oct 2019 at 11:57 a.m. CDT

Yes, I think you're right, it is supported. Looking at the source for gluu-passport: https://github.com/GluuFederation/gluu-passport/blob/master/server/routes.js

It looks like an endpoint for logout does not exist yet on this gluu-passport service. It may just be a matter of adding that endpoint and configuring passport-saml. I'm also a little confused as to how the script I see in Gluu for passport relates to the gluu-passport service. Regardless, I did a quick search in that Jython script for anything logout related. There is a single method that looks like a stub:

```python
def logout(self, configurationAttributes, requestParameters):
    return True
```

Thanks for the quick answers!

By Michael Schwartz staff 24 Oct 2019 at 12:07 p.m. CDT

Your original question was how to logout of the external IDP when the user logs out of Gluu. I believe the `SingleLogoutService` is an endpoint for the passport SAML SP to listen for logout requests from the external IDP (not the other way around). In the Gluu Server, there is an "Application Session" script. This might be the way to go. I wonder if you could redirect the users' browsers to the logout endpoint of the remote IDP, or use some backchannel mechanism to signal the logout. Either way, it will require some testing for your actual IDPs, and it might take some tweaking to get it to work.

By Jose Gonzalez staff 24 Oct 2019 at 5:09 p.m. CDT

Hi Mackenzie,

Not present in the passport-saml library docs (probably suggesting the low interest in logout), but one can do something like `strategy.logout(req, callback)` and this will send a logout request to the IDP (more specifically to the `logoutUrl`, which can be specified as part of the strategy options). The IDP then will call the `logoutCallbackUrl` (part of the options too), which would have to be an endpoint in the passport SP. As soon as `logoutCallbackUrl` is set in the options, the `SingleLogoutService` tag will appear in the metadata file.

Passport SP is part of a mechanism that enables access to OIDC RPs by leveraging authentication at external IDPs. Thus, as your requirement states ("logout of the external provider when user is logging out of gluu"), you have to trigger the IDP logout directly from RPs. This is basically what Michael suggests with usage of the "Application Session" script. So basically, no changes in passport SP. There is also the alternative already mentioned around using the `logout` method of the passport_saml script to do it the backchannel way.

BTW I found [this](https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues) interesting reading about SLO issues.

By Jose Gonzalez staff 31 Oct 2019 at 4:04 p.m. CDT

I'm closing this, open a new ticket if needed.