Support for IdP initiated proxy SLO #1553
Conversation
|
Thanks for your first review. |
There was a problem hiding this comment.
I've checked the code and believe it to be OK. However, I don't have a lot of experience with the scenario in question nor do I have a representative environment. So I'd like to add the caveat that I have not verified it to actually work myself. If you use this in actual production I'd be quite confident to merge it though.
Did you give any consideration as to whether at least some basic tests could be added for this?
| $lr->setInResponseTo($message->getId()); | ||
|
|
||
| if ($numLoggedOut < count($sessionIndexes)) { | ||
| \SimpleSAML\Logger::warning('Logged out of ' . $numLoggedOut . ' of ' . count($sessionIndexes) . ' sessions.'); |
There was a problem hiding this comment.
It's just a copy of the working code of saml2-logout.php.
I think it is not expected to have any active session indexes left of the current SLO request after reaching this point.
|
Thank you for your thorough review and your helpful annotations. Do you have any pointers on where to add tests for this code? For an environment just create a simple SAML proxy and trigger an IdP initiated SLO request.
|
|
Also closes #1565 |
tvdijen
force-pushed
the
proxy-logout-v1.19.1
branch
from
657a09d
to
683a0ea
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #1553 +/- ##
============================================
- Coverage 44.09% 43.85% -0.25%
- Complexity 3680 3696 +16
============================================
Files 156 156
Lines 10889 10951 +62
============================================
+ Hits 4802 4803 +1
- Misses 6087 6148 +61 |
lib/SimpleSAML/IdP.php
Outdated
| @@ -484,9 +520,11 @@ public function handleLogoutRequest(array &$state, ?string $assocId): void | |||
| $id = Auth\State::saveState($state, 'core:Logout:afterbridge'); | |||
| $returnTo = Module::getModuleURL('core/idp/resumelogout.php', ['id' => $id]); | |||
|
|
|||
| $this->authSource->logout($returnTo); | |||
| if (!$skipAsLogout) { | |||
There was a problem hiding this comment.
I'd like to see strict comparison here
lib/SimpleSAML/IdP.php
Outdated
|
|
||
| if ($assocId !== null) { | ||
| if ($assocId !== null || $skipAsLogout) { |
|
I hope I didn't break anything, but I've rebased the lot against |
|
I think the rebasing was not entirely accurate, at least i've spotted the reintroduction of this code: https://github.com/simplesamlphp/simplesamlphp/pull/1553/files#diff-60baa677d9f59b02cd5b3bbd371583dc05eccd0cb0bb74f2003398031fd84f8dR109-R111 |
|
Good catch! I've fixed that.. Something else that needs to change is the www-script.. It should be converted to a Controller |
this is used in proxy mode logout scenario to prevent logging out the authentication source twice.
tvdijen
force-pushed
the
master
branch
3 times, most recently
from
c7c8357
to
fdbe001
Compare
tvdijen
force-pushed
the
master
branch
8 times, most recently
from
3b5f5ba
to
96357ee
Compare
|
I'm not sure how to fix the conflicts in |
tvdijen
force-pushed
the
master
branch
5 times, most recently
from
7587851
to
d523b31
Compare
tvdijen
force-pushed
the
master
branch
3 times, most recently
from
8c90121
to
d534e3b
Compare
tvdijen
force-pushed
the
master
branch
2 times, most recently
from
bc1c5c8
to
d0a5974
Compare
tvdijen
force-pushed
the
master
branch
3 times, most recently
from
ccb9b02
to
120a100
Compare
tvdijen
force-pushed
the
master
branch
2 times, most recently
from
6004a77
to
58bf8db
Compare
tvdijen
force-pushed
the
master
branch
2 times, most recently
from
5c9fb2c
to
0970efc
Compare
Problem
SimpleSAMLphp was not designed to support protocol proxy setups. Fortunately it supports a lot of those use cases.
One particular feature that has always been missing in proxy scenarios is the capability to properly propagate logout (SLO) requests coming from an upstream identity provider. This is because of SimpleSAMLphp IdPs using its SPs as authentication sources. In case of an IdP initiated logout the proxy SP is notified about the logout request and terminates its session properly without knowing about components it has been used by and thus cannot propagate the logout request to.
The result of this behaviour is the users IdP receiving a logout response telling the SLO has properly finished but the proxy IdP(s) still having an active session.
This issue has been discussed in #65 and @relaxnow made a great job implementing a first draft to tackle it (relaxnow@35cffcc).
Nevertheless this implementation was way too tightly coupled to SAML components and lacked a proper differentiation between multiple identity providers.
Solution
This patch is based on the work of @relaxnow and adds a small framework for adding IdP initiated proxy SLO capabilities. It also implements the framework for SAML SPs and SAML/ADFS IdPs to support proxy SLO flows using frontend channels.
It should be possible to add proxy SLO capabilities to other IdP/SP protocol implementations (e.g. OIDC, CAS) using this framework without much of a hassle.
To not break the current behaviour proxy SLO has to be activated by setting
‘proxyLogoutEnable’ => truein each SP configuration.
Components of the framework
•
registerAsConsumerLogoutCallbackTo be called by an authentication source consumer (e.g. IdP). The callback should handle everything that is needed to logout the consumer from its own perspective. In case of an IdP this could be logging out of all associated SPs; in case of a PHP application this could terminate the application local session.
•
hasAsConsumerLogoutCallbacksCheck if authentication source consumer logout callbacks have been registered for this source.
•
callAsConsumerLogoutCallbacksTo be called by a regular authentication source logout routine (e.g. SAML SP SLO handler) to trigger execution of the registered logout callbacks.
•
handleAsConsumerLogoutCallbacksOnly used by
callAsConsumerLogoutCallbacksand the returnTo page that is called in case of the callback not returning immediately (e.g. redirecting, etc).