Versions Compared


...

When an HTTP GET request is made to the /profile/Logout endpoint with a valid IdP session cookie, the corresponding IdP session is ended and the logout.vm view is rendered, which informs the user of the following:

  1. The IdP session has been ended.

  2. The services accessed during the IdP session are listed (if tracked), with an offer to end those sessions as well by propagating a logout message to each one.

If the user chooses SLO, the logout-propagate.vm view is rendered and the browser mediates (i.e. front-channel) a series of logout messages coordinated via iframes, JavaScript, and in some cases HTML5 storage. The result is a best-effort attempt to explicitly end each relying party session by sending a protocol-specific message to each service's logout endpoint. In the IdP configuration, the SLO messaging process is called propagation.

If configured to do so, the IdP attempts to display prominent status information on the result of each attempt to end a relying party session: a red X for failure or a green checkbox for success. This reporting is typically quite limited in accuracy, and many false positives and negatives should be expected. We do not in general recommend displaying it to users, but have not (yet) deprecated support for doing so.

If the user chooses to end without SLO, logout-complete.vm is rendered and a message is displayed indicating that some relying party sessions may still be active.

By default, the IdP session is terminated regardless of the user's choice. In other words, the question asked is "propagate or not?" rather than "logout or not?". The idp.logout.promptUser property can be set to the ID of a Predicate bean; when that bean returns true, the user is given the option to cancel the logout and keep the IdP session.

Configuration

The idp.session.trackSPSessions property must be enabled to support the SLO propagation feature (it is explicitly set to true in the property files shipped with new installs, but the built-in default is false).

...

In order for SAML services to participate in SLO, the SAML metadata supplied for them must contain appropriate <SingleLogoutService> endpoints. If there are multiple endpoints that vary by location, the standard does not stipulate how an IdP is to determine which endpoint to use. In V4.2+, the IdP will attempt to select the endpoint based on the best match possible between the logout endpoint and the original endpoint used to deliver the authentication response.

...

The UI is also, to our understanding, not accessible and is apparently impossible to make accessible. Whether or not that is true, it certainly is not accessible by default, and no fixes for this have been provided. Hiding the propagation status reporting is believed to be accessible, and the idp.logout.propagationHidden property (4.2+) exists to hide this reporting from the user, both for accessibility and because of the large number of false positives and negatives that are typically encountered.

Preserving Parameters

The design of the logout feature does not support returning control of the user agent to any other system via a "return" parameter or similar mechanism. While this remains officially unsupported, the idp.logout.preserveQuery property (4.1+) can be set to true to cause any parameters on the original request to be preserved and made accessible via a ScratchContext object underneath the ProfileRequestContext.

Note

There are some issues to be cautious of with this approach:

  • Any kind of redirection strategy that is not constrained in some way will turn the IdP into an open redirector. The IdP does not provide any mitigation for that, which is why this is officially unsupported and not enabled by default.

  • If you use the ScratchContext class for your own customizations, take care to avoid conflicts: preferably do not use the context directly under the ProfileRequestContext, so that a query parameter cannot override internal state of your own that is held in that context.

Browser Support

The SLO feature requires a fair bit of mature Javascript support, but any browser that supports HTML5 LocalStorage should work (this use of LocalStorage is independent of the choice of storage service, and it applies even when server-side storage is used). While the SLO implementation is based on modern Web standards, browser features vary so greatly that it's hard to identify minimum browser requirements.

Troubleshooting

Because the logout propagation feature (as far as the front-channel support is concerned) uses JavaScript, all communication with the SPs can be traced in the Web browser. To this end, both the SAML tracer (Firefox plugin) and the JavaScript console in most browsers' developer tools can be helpful in troubleshooting. Common errors include:

  • The SP's web server has set X-Frame-Options to "sameorigin" (or an equivalent CSP restriction), which will generally cause the SLO exchange between the SP and the IdP to fail, because the SP's response cannot be loaded in the IdP's iframe.
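As an added troubleshooting aid (not part of the Shibboleth IdP or of this page), the following Python function predicts from the response headers of an SP logout endpoint whether the browser will refuse to load it inside the IdP's propagation iframe. It goes beyond the "sameorigin" case above by also evaluating a CSP frame-ancestors directive (which browsers honour in preference to X-Frame-Options, including wildcard and port-qualified sources); the function names, origins and header sets are constructed for the example.

```python
from urllib.parse import urlsplit


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host-source match: '*.example.edu' covers subdomains only, else exact."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _source_allows(source: str, ancestor: str, self_origin: str) -> bool:
    """Does one frame-ancestors source expression permit `ancestor` to frame the page?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor == self_origin
    if src == "*":
        return True
    a = urlsplit(ancestor)
    if "://" not in src and src.endswith(":"):          # scheme-source such as "https:"
        return a.scheme + ":" == src
    p = urlsplit(src if "://" in src else "//" + src)  # host-source with optional scheme/port
    if p.scheme and p.scheme != a.scheme:
        return False
    default_port = {"https": 443, "http": 80}.get(a.scheme)
    if p.port and p.port != (a.port or default_port):
        return False
    return _host_matches(p.hostname or "", a.hostname or "")


def slo_iframe_blocked(headers: dict, idp_origin: str, sp_endpoint: str):
    """Return (blocked, reason) for loading sp_endpoint in an iframe on the IdP's
    logout-propagate page. A CSP frame-ancestors directive, when present, takes
    precedence over X-Frame-Options, which is how browsers resolve the two."""
    h = {k.lower(): v for k, v in headers.items()}        # header names are case-insensitive
    sp = urlsplit(sp_endpoint)
    sp_origin = f"{sp.scheme}://{sp.netloc}".lower()       # 'self' for the framed SP page
    idp = idp_origin.lower().rstrip("/")                   # the framing (ancestor) origin
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = any(_source_allows(s, idp, sp_origin) for s in value.split())
            return (not allowed), f"CSP frame-ancestors {value.strip()!r}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return True, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return idp != sp_origin, "X-Frame-Options: SAMEORIGIN"
    return False, "no framing restriction"
```

Feed it the headers captured from the SP's SLO endpoint in the browser's network tab; a True result explains a propagation failure before any SAML-level debugging is needed.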

SAML Logout

SAML Logout is a more complex protocol than the simple variant described above, but the implementation is shared across the two approaches. There are really two "halves" to this:

  1. Responding to requests from an SP

  2. Propagating logout to an SP

This section is about the first case. The propagation step is covered in the previous section and is the same, regardless of how the logout is initiated.

...

Another consideration with SAML logout has to do with the length of time the system will "remember" the SP's session, in order to prevent the session cache from growing endlessly. This can't be done precisely, because the IdP doesn't actually know how long the SP's own session might last. The idp.session.defaultSPlifetime and idp.session.slop properties control how long the IdP will "remember" an SP's session. Once that time has elapsed, a logout request from an SP whose session has expired from the cache is likely to fail.

...


Advanced Options

Even SPs that support requesting logout may not support receiving logout requests, and many SPs may not care about responses to their own requests. In such cases, it is advantageous to simply remove the <md:SingleLogoutService> endpoints from their metadata. Unfortunately this fails in most cases, because the IdP requires a response endpoint in order to try to issue a response, and the result is an error.

A property named idp.logout.assumeAsync (if true) allows requests to be treated as though they carried the <aslo:Asynchronous> extension element, which tells the IdP that no response is needed. This allows the removal of endpoints from SP metadata to be an effective means of mitigating such problems with SPs, by allowing inbound logout to the IdP while preventing outbound logout.

A bean is also exposed to allow message-level encryption of <NameID> values to be suppressed based on Format. This is primarily supported to improve efficiency, given that many SPs rely on the urn:oasis:names:tc:SAML:2.0:nameid-format:transient format, which isn't all that important to encrypt. A typical bean definition in conf/global.xml:

    <!-- NameID Formats that may be sent unencrypted, regardless of other encryption settings -->
    <util:set id="shibboleth.PlaintextNameIDFormats">
        <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.ENTITY" />
        <util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.TRANSIENT" />
    </util:set>

Administrative Logout

...

It is possible to log out sessions administratively. Right now this capability is confined to the IdP session (and that’s all that will ever be practical) and is implemented by means of revoking the authentication state of a subject. See AdministrativeLogoutConfiguration.

...

Properties

| Name | Type | Default | Description |
|---|---|---|---|
| idp.session.trackSPSessions | Boolean | false | Whether to store references to SP sessions in the IdP session to support logout propagation |
| idp.session.secondaryServiceIndex | Boolean | false | Whether to store NameID backreferences in the IdP session to support SAML 2.0 logout |
| idp.logout.elaboration | Boolean | false | Whether to search metadata for user interface information associated with every service involved in logout propagation |
| idp.logout.authenticated | Boolean | true | Whether to require signed logout messages in accordance with the SAML 2.0 standard |
| idp.logout.promptUser | Bean ID of Predicate<ProfileRequestContext> | false | If the bean returns true, the user is given the option to actually cancel the IdP logout outright and prevent removal of the session |
| idp.artifact.enabled | Boolean | true | Controls use of HTTP-Artifact binding for outbound logout messages |
| idp.logout.preserveQuery (4.1+) | Boolean | false | Processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic |
| idp.logout.assumeAsync (4.2+) | Boolean | false | When true, allows inbound SAML LogoutRequests to be processed even if the SP lacks metadata containing response endpoints |
| idp.logout.propagationHidden (4.2+) | Boolean | false | Applies the "display:none" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user |
| idp.soap.httpClient (4.2+) | Bean ID of HttpClient to use for SOAP-based logout | SOAPClient.HttpClient | Allows the HttpClient used for SOAP communication to be overridden (applies to SAML logout via SOAP) |

Beans

The following may be defined in conf/global.xml if needed.

| Name | Type | Default | Description |
|---|---|---|---|
| shibboleth.PlaintextNameIDFormats (4.2+) | Set<String> | urn:oasis:names:tc:SAML:2.0:nameid-format:entity | Set of <NameID> Formats which need not be encrypted in messages, notwithstanding other settings |

...