-
Notifications
You must be signed in to change notification settings - Fork 672
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for IdP initiated proxy SLO #1553
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi! Thanks for the thorough PR.
I have not reviewed it line by line (yet), did add a few observations. And I notice the base branch is simplesamlphp-1.19. It seems unlikely that we'd merge such a feature there and rather target master.
Thanks for your first review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've checked the code and believe it to be OK. However, I don't have a lot of experience with the scenario in question nor do I have a representative environment. So I'd like to add the caveat that I have not verified it to actually work myself. If you use this in actual production I'd be quite confident to merge it though.
Did you give any consideration as to whether at least some basic tests could be added for this?
$lr->setInResponseTo($message->getId()); | ||
|
||
if ($numLoggedOut < count($sessionIndexes)) { | ||
\SimpleSAML\Logger::warning('Logged out of ' . $numLoggedOut . ' of ' . count($sessionIndexes) . ' sessions.'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this a warning?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's just a copy of the working code of saml2-logout.php.
I think it is not expected to have any active session indexes left of the current SLO request after reaching this point.
Thank you for your thorough review and your helpful annotations. Do you have any pointers on where to add tests for this code? For an environment just create a simple SAML proxy and trigger an IdP initiated SLO request. |
Also closes #1565 |
657a09d
to
683a0ea
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #1553 +/- ##
============================================
- Coverage 44.09% 43.85% -0.25%
- Complexity 3680 3696 +16
============================================
Files 156 156
Lines 10889 10951 +62
============================================
+ Hits 4802 4803 +1
- Misses 6087 6148 +61 |
lib/SimpleSAML/IdP.php
Outdated
@@ -484,9 +520,11 @@ public function handleLogoutRequest(array &$state, ?string $assocId): void | |||
$id = Auth\State::saveState($state, 'core:Logout:afterbridge'); | |||
$returnTo = Module::getModuleURL('core/idp/resumelogout.php', ['id' => $id]); | |||
|
|||
$this->authSource->logout($returnTo); | |||
if (!$skipAsLogout) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to see strict comparison here
lib/SimpleSAML/IdP.php
Outdated
|
||
if ($assocId !== null) { | ||
if ($assocId !== null || $skipAsLogout) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And here
I hope I didn't break anything, but I've rebased the lot against |
I think the rebasing was not entirely accurate, at least i've spotted the reintroduction of this code: https://github.com/simplesamlphp/simplesamlphp/pull/1553/files#diff-60baa677d9f59b02cd5b3bbd371583dc05eccd0cb0bb74f2003398031fd84f8dR109-R111 |
Good catch! I've fixed that.. Something else that needs to change is the www-script.. It should be converted to a Controller |
this is used in proxy mode logout scenario to prevent logging out the authentication source twice.
c7c8357
to
fdbe001
Compare
3b5f5ba
to
96357ee
Compare
I'm not sure how to fix the conflicts in |
7587851
to
d523b31
Compare
8c90121
to
d534e3b
Compare
bc1c5c8
to
d0a5974
Compare
ccb9b02
to
120a100
Compare
6004a77
to
58bf8db
Compare
5c9fb2c
to
0970efc
Compare
Problem
SimpleSAMLphp was not designed to support protocol proxy setups. Fortunately it supports a lot of those use cases.
One particular feature that has always been missing in proxy scenarios is the capability to properly propagate logout (SLO) requests coming from an upstream identity provider. This is because of SimpleSAMLphp IdPs using its SPs as authentication sources. In case of an IdP initiated logout the proxy SP is notified about the logout request and terminates its session properly without knowing about components it has been used by and thus cannot propagate the logout request to.
The result of this behaviour is the users IdP receiving a logout response telling the SLO has properly finished but the proxy IdP(s) still having an active session.
This issue has been discussed in #65 and @relaxnow made a great job implementing a first draft to tackle it (relaxnow@35cffcc).
Nevertheless this implementation was way too tightly coupled to SAML components and lacked a proper differentiation between multiple identity providers.
Solution
This patch is based on the work of @relaxnow and adds a small framework for adding IdP initiated proxy SLO capabilities. It also implements the framework for SAML SPs and SAML/ADFS IdPs to support proxy SLO flows using frontend channels.
It should be possible to add proxy SLO capabilities to other IdP/SP protocol implementations (e.g. OIDC, CAS) using this framework without much of a hassle.
To not break the current behaviour proxy SLO has to be activated by setting
‘proxyLogoutEnable’ => true
in each SP configuration.
Components of the framework
•
registerAsConsumerLogoutCallback
To be called by an authentication source consumer (e.g. IdP). The callback should handle everything that is needed to logout the consumer from its own perspective. In case of an IdP this could be logging out of all associated SPs; in case of a PHP application this could terminate the application local session.
•
hasAsConsumerLogoutCallbacks
Check if authentication source consumer logout callbacks have been registered for this source.
•
callAsConsumerLogoutCallbacks
To be called by a regular authentication source logout routine (e.g. SAML SP SLO handler) to trigger execution of the registered logout callbacks.
•
handleAsConsumerLogoutCallbacks
Only used by
callAsConsumerLogoutCallbacks
and the returnTo page that is called in case of the callback not returning immediately (e.g. redirecting, etc).