SAML SLO Logout

By: Miguel Foo user 21 Aug 2017 at 11:44 a.m. CDT

6 Responses
Miguel Foo gravatar
Heya, I've configured SLO from OIDC side of things and it works great, however I'm now trying to Logout from all my SAML applications and I'm a bit confused: As per https://gluu.org/docs/ce/operation/logout/, it talks about using the iframes which is fine. However, SAML(Shibboleth) does not implement it in a meaningful way. My question is, since I have an internal environment that I have tight control over, can I not just have a route on my SAML application that participates in the iframe concert happening when I hit `/end_session`? I guess the biggest question is where do I get the `token_id_hint` from if that's the case? The second question is, does `/idp/logout.jsp` also kill all the OIDC sessions? And finally, I'm not sure what the SP Logout URL field in the TR window do? is that equivalent to the `Front Channel Logout URI` in the OIDC panel? Sorry for all the questions, but thanks in advance!
OS Version : N/A
closed

Answers

By Aliaksandr Samuseu staff 21 Aug 2017 at 3:16 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Miguel. For SAML, we don't have much options in terms of SLO. In 2.4.4 which used IdPv2, there wasn't any good way to handle it. They enhanced it in IdPv3 a bit, I believe, but I'm not sure support for those new SLO ways is already added to Gluu in 3.0.x. The only officially supported way to logout in 3.0.x is by SP sending user to `/idp/logout.jsp`. >The second question is, does /idp/logout.jsp also kill all the OIDC sessions? Yes, it should at least. To be specific, it should kill user's oxAuth session. If OIDC frontchannel logout and/or session management specs are employed in your setup, it also should trigger logout at OIDC apps user was logged in to at that moment. >And finally, I'm not sure what the SP Logout URL field in the TR window do? is that equivalent to the Front Channel Logout URI in the OIDC panel? Let me check this out. We may need to cover it properly in docs, perhaps.

By Miguel Foo user 24 Aug 2017 at 12:11 a.m. CDT

Copy
Miguel Foo gravatar
Great! I did some testing on my own and navigating to `/idp/logout.jsp` may kill the session in gluu but it doesn't run the frontchannel logout in the iframe as I would have expected for my OIDC clients or all SAML clients. Is there any way of doing this that you can recommend? At the moment, I'm getting the impression there is no good SLO strategy that caters to both SAML and OIDC. Unless you use a custom script(ie, backchannel logout), and even then, you have to figure out a way to deal with clearing the user's session information on the browser(Or Perhaps eagerly checking to make sure their gluu token information is valid on any request is the answer?)

By Aliaksandr Samuseu staff 24 Aug 2017 at 1:45 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Miguel. Thanks for your report. I'm forwarding this question to our dev team. Let's hear their opinion.

By Miguel Foo user 24 Aug 2017 at 9:02 p.m. CDT

Copy
Miguel Foo gravatar
Great! I'm hoping I'm just missing something obvious

By Aliaksandr Samuseu staff 18 Sep 2017 at 8:55 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Miguel. Sorry for the late response. According to dev team, logging out by calling `/idp/logout.jsp` should render said iframes properly. I also can confirm it's like this in the latest Gluu CE 3.1 package. The only issue I've spotted so far is that if `http://` scheme is used for frontchannel logout url, my browser (Chrome) doesn't produce an HTTP request to this destination. But it's not clear at the moment whether it's Gluu or Crome issue. If `https://` scheme is used, though, everything works as expected. Can it be you also used `http://` in this url? Otherwise, could you explain what made you think this iframe is not rendered correctly in your case?

By Miguel Foo user 19 Sep 2017 at 4:33 p.m. CDT

Copy
Miguel Foo gravatar
That might explain it! I'll do some testing to see if the https is the issue. I was using it on my local so it very well may be. Thanks for the reply

Post an answer