SLO: redirectTo parameter for the logout URL #372
Conversation
…fter SLO is finished
…fter SLO is finished
|
SAML logout shouldn't put your user in some sort of cascade of different logout urls's for different SP's. |
|
as far as i understand that's what SAML SLO is supposed to do, here is a comprehensive explanation of SAML SP-initiatited SLO: https://www.portalguard.com/blog/2016/06/20/saml-single-logout-need-to-know/
I'm not an expert though, so let me know if I understood it wrong |
|
Yes, but those requests and responses are backchannel for the most part. Not a forward. |
|
OK, i did not know there was a backchannel method.. I did some research and could not find proper documentation on how to set something like this up. Seems to be more complicated and there is quite some software out there who supports SAML but only with frontchannel SLO. But there is definitely a method that uses frontchannel redirects to implement SAML SLO (as we are doing in our setup) and for that I would still appreciated if my pull request could be considered. |
|
@soudis A SLO request from the IDP, isn't "just a forwarded get/post request" to a certain url... It's actually a specific datapackage, that contains more than just a token. |
|
I know that there is a data package, but what I could see is that SAML backchannel SLO works with SAML artifacts which may not be implemented at every SP. If you have any link or resource that may clear things up for me, pls let me know. I may be too much of a noob to get anything meaningful out of your short replies. Here's the excerpt of the resource which describes the frontchannel method, which really seems to be the more commonly used SAML SLO method: SAML Single Logout – How It WorksThere are different modes of operations within SLO. What follows describes the “Asynchronous” or “Front Channel” model which uses HTTP redirection through the end-user’s browser. This is the model supported in our very own PortalGuard product. There is also a “Synchronous” or “Back Channel” model which only involves server-to-server communication that does not utilize the user’s web browser as a conduit. The synchronous model is not covered in this article. SP-initiated SAML Single Logout
|
|
Ahh yes, thats possible, but very non-standard. Certainly considering the fact the user_saml devs are ignoring the fact SLO is broken for ages now. |
Szenario
I have a nextcloud server and a discourse server. The discourse server authenticates through it's own SSO mechanism with nextcloud using the discoursesso app for nextcloud (maintained by me). Nextcloud itself authenticates using SAML against a SimpleSAMLPhp IDP.
Everything works just fine, except the logout. When the user hits logout in discourse it redirects to the logout endpoint of the discoursesso app, which then redirects to the SAML logout URL of the user_saml app. Then the SLO process is taking place, but at the end the user is redirected to the nextcloud URL.
Expected behaviour
The user should be redirected to the discourse URL (where the logout request came from).
Actual behaviour
After the SAML SLO procedure is finished the user is redirected to '/', meaning the cloud base URL.
Explaination
This can of course not be done by the user_saml app, because the logout request comes from discourse to the discoursesso app, which the redirects to the logout URL, so user_saml does not know about the origin. But the discoursesso app would be able to pass a redirectTo parameter to the user_saml app with the logout URL.
e.g.:
https://cloud.habidat.local/apps/user_saml/saml/sls?requesttoken=aY.......D&returnTo=https://discourse.example.orgWith a simple patch the SAMLController.php could then pass the returnTo as a RelayState to $auth->logout and after the SLO response from the Idp is received it can redirect to the url using the RelayState parameter the Idp passes along.
I'm not 100% sure about side effects, as my knowledge of all the SAML use cases is limited and some my be affected by this. Maybe you guys have the knowledge to assess the side affects?