Support for IdP initiated proxy SLO#1553
Support for IdP initiated proxy SLO#1553m0ark wants to merge 16 commits intosimplesamlphp:masterfrom
Conversation
thijskh
left a comment
There was a problem hiding this comment.
Hi! Thanks for the thorough PR.
I have not reviewed it line by line (yet), did add a few observations. And I notice the base branch is simplesamlphp-1.19. It seems unlikely that we'd merge such a feature there and rather target master.
|
Thanks for your first review. |
thijskh
left a comment
There was a problem hiding this comment.
I've checked the code and believe it to be OK. However, I don't have a lot of experience with the scenario in question nor do I have a representative environment. So I'd like to add the caveat that I have not verified it to actually work myself. If you use this in actual production I'd be quite confident to merge it though.
Did you give any consideration as to whether at least some basic tests could be added for this?
| $lr->setInResponseTo($message->getId()); | ||
|
|
||
| if ($numLoggedOut < count($sessionIndexes)) { | ||
| \SimpleSAML\Logger::warning('Logged out of ' . $numLoggedOut . ' of ' . count($sessionIndexes) . ' sessions.'); |
There was a problem hiding this comment.
It's just a copy of the working code of saml2-logout.php.
I think it is not expected to have any active session indexes left of the current SLO request after reaching this point.
|
Thank you for your thorough review and your helpful annotations. Do you have any pointers on where to add tests for this code? For an environment just create a simple SAML proxy and trigger an IdP initiated SLO request.
|
|
Also closes #1565 |
657a09d to
683a0ea
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #1553 +/- ##
============================================
- Coverage 44.09% 43.85% -0.25%
- Complexity 3680 3696 +16
============================================
Files 156 156
Lines 10889 10951 +62
============================================
+ Hits 4802 4803 +1
- Misses 6087 6148 +61 |
| $returnTo = Module::getModuleURL('core/idp/resumelogout.php', ['id' => $id]); | ||
|
|
||
| $this->authSource->logout($returnTo); | ||
| if (!$skipAsLogout) { |
There was a problem hiding this comment.
I'd like to see strict comparison here
| } | ||
|
|
||
| if ($assocId !== null) { | ||
| if ($assocId !== null || $skipAsLogout) { |
|
I hope I didn't break anything, but I've rebased the lot against |
|
I think the rebasing was not entirely accurate, at least i've spotted the reintroduction of this code: https://github.com/simplesamlphp/simplesamlphp/pull/1553/files#diff-60baa677d9f59b02cd5b3bbd371583dc05eccd0cb0bb74f2003398031fd84f8dR109-R111 |
|
Good catch! I've fixed that.. Something else that needs to change is the www-script.. It should be converted to a Controller |
this is used in proxy mode logout scenario to prevent logging out the authentication source twice.
3b5f5ba to
96357ee
Compare
|
I'm not sure how to fix the conflicts in |
7587851 to
d523b31
Compare
8c90121 to
d534e3b
Compare
bc1c5c8 to
d0a5974
Compare
ccb9b02 to
120a100
Compare
6004a77 to
58bf8db
Compare
5c9fb2c to
0970efc
Compare
c27831c to
71e49f4
Compare
c06a17a to
a52c98d
Compare
Problem
SimpleSAMLphp was not designed to support protocol proxy setups. Fortunately it supports a lot of those use cases.
One particular feature that has always been missing in proxy scenarios is the capability to properly propagate logout (SLO) requests coming from an upstream identity provider. This is because of SimpleSAMLphp IdPs using its SPs as authentication sources. In case of an IdP initiated logout the proxy SP is notified about the logout request and terminates its session properly without knowing about components it has been used by and thus cannot propagate the logout request to.
The result of this behaviour is the users IdP receiving a logout response telling the SLO has properly finished but the proxy IdP(s) still having an active session.
This issue has been discussed in #65 and @relaxnow made a great job implementing a first draft to tackle it (relaxnow@35cffcc).
Nevertheless this implementation was way too tightly coupled to SAML components and lacked a proper differentiation between multiple identity providers.
Solution
This patch is based on the work of @relaxnow and adds a small framework for adding IdP initiated proxy SLO capabilities. It also implements the framework for SAML SPs and SAML/ADFS IdPs to support proxy SLO flows using frontend channels.
It should be possible to add proxy SLO capabilities to other IdP/SP protocol implementations (e.g. OIDC, CAS) using this framework without much of a hassle.
To not break the current behaviour proxy SLO has to be activated by setting
‘proxyLogoutEnable’ => truein each SP configuration.
Components of the framework
•
registerAsConsumerLogoutCallbackTo be called by an authentication source consumer (e.g. IdP). The callback should handle everything that is needed to logout the consumer from its own perspective. In case of an IdP this could be logging out of all associated SPs; in case of a PHP application this could terminate the application local session.
•
hasAsConsumerLogoutCallbacksCheck if authentication source consumer logout callbacks have been registered for this source.
•
callAsConsumerLogoutCallbacksTo be called by a regular authentication source logout routine (e.g. SAML SP SLO handler) to trigger execution of the registered logout callbacks.
•
handleAsConsumerLogoutCallbacksOnly used by
callAsConsumerLogoutCallbacksand the returnTo page that is called in case of the callback not returning immediately (e.g. redirecting, etc).