LogoutConfiguration
File(s): conf/idp.properties, views/logout.vm, views/logout-complete.vm, views/logout-propagate.vm
SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed. It is deeply imperfect, minimally supported, and should not be viewed as a security feature or treated as reliable. Trivial and recommended browser settings can render it totally non-functional. It has no future. You should understand all of that before even considering it.
Proprietary/Simple Logout
Overview
When an HTTP GET request is made to the /profile/Logout endpoint with a valid IdP session cookie, the corresponding IdP session is ended and the logout.vm view is rendered that informs the user of the following:
The IdP session is ended.
Lists all services accessed during the IdP session, if tracked, and offers to end those sessions by propagating a logout message to each one.
If the user chooses SLO, the logout-propagate.vm view is rendered and the browser mediates (i.e. front-channel) a series of logout messages coordinated via iframes, javascript, and in some cases HTML5 storage. The result is a best-effort attempt to explicitly end each relying party session by sending a protocol-specific message to each service endpoint. In the IdP configuration, the SLO messaging process is called propagation.
If configured to do so, the IdP attempts to display prominent status information on the result of each attempt to end a relying party session; a red X for failure or a green checkbox for success. This is typically quite limited in accuracy, and many false positives or negatives should be expected. We do not in general recommend displaying this to users, but have not (yet) deprecated support for displaying it.
If the user chooses to end without SLO, logout-complete.vm is rendered and a message is displayed indicating that some relying party sessions may still be active.
By default, the IdP session is terminated regardless of the user's choice. In other words, the question asked is "propagate or not?" rather than "logout or not?". The idp.logout.promptUser property can be set to a Predicate bean that allows the user to make a cancel decision.
Configuration
The idp.session.trackSPSessions property must be enabled to support the SLO propagation feature (it is explicitly enabled by default for new installs but defaults to false).
If you want the displayed information about services to be customized by the use of SAML metadata (for things like service names and logos), you should also set the idp.logout.elaboration property to true.
In order for CAS protocol services to participate in SLO, the singleLogoutParticipant attribute must be set to true in the service definitions that identify the service:
CAS Registered Service Example
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
p:group="slo-services"
p:authorizedToProxy="false"
p:singleLogoutParticipant="true" />
In order for SAML services to participate in SLO, the SAML metadata supplied for them must contain appropriate <SingleLogoutService>
endpoints. If there are multiple endpoints that vary by location, the standard does not stipulate how an IdP is to determine which endpoint to use. The IdP will attempt to select the endpoint based on the best match possible between the logout endpoint and the original endpoint used to deliver the authentication response.
In addition, SPs vary in how they handle security, and SLO is in general vastly less interoeprable than SSO in SAML, so you should not expect uniform results. Shibboleth itself assumes that all logout messages are signed, and if you need to interoperate with SPs that don't sign their logout responses, you will need to set the idp.logout.authenticated to false.
UI Considerations
The look and feel of the logout process can be changed through modification of the view templates, message properties, etc.
Some deployers may choose to make SLO mandatory, which would require modifying the <head>
content of logout.vm and/or to override the default calculation of the conditional that wraps the $promptForIdP and $promptForSP variables in the template.
The UI in this version has a general model that presents the applicable subset of three options to the user:
Logout of the IdP only
Logout of the IdP and SPs where possible
Canceling the logout
The latter option can be enabled by setting the idp.logout.promptUser property to the name of a Predicate bean that evaluates to true under the desired conditions.
The SLO machinery is a fairly complex interaction between embedded iframes and javascript that drives and processes logout messages. That logic, due to its complex and fragile nature, is confined to a system view file.
The UI is also, to our understanding, not accessible and is apparently impossible to make accessible. Whether true or not, it definitely is not by default and no fixes for this have been provided. It is believed that hiding the propagation status reporting is accessible, and the idp.logout.propagationHidden property exists to hide this reporting from the user both for accessibility and because of the large number of false positives and negatives that are typically encountered.
Preserving Parameters
The design of the logout feature does not support returning control of the user agent to any other system via a "return" parameter or similar mechanism. While this remains officially unsupported, the idp.logout.preserveQuery property can be set to true to cause any parameters on the original request to be preserved and made accessible via a ScratchContext object underneath the ProfileRequestContext.
There are some issues to be cautious of with this approach:
Note that any kind of redirection strategy that is not constrained in some way will turn the IdP into an Open Redirector. The IdP does not provide any mitigation for that, which is why this is officially unsupported and not enabled by default.
Additionally, be aware that if you use the ScratchContext class for your own customizations, you should take care to avoid conflicts and probably avoid using the context directly under the ProfileRequestContext to avoid the risk of a query parameter overriding your own internal state being handled by the context.
Browser Support
The SLO feature requires a fair bit of mature Javascript support, but any browser that supports HTML5 LocalStorage should work (this use of LocalStorage is independent of the choice of storage service, and it applies even when server-side storage is used). While the SLO implementation is based on modern Web standards, browser features vary so greatly that it's hard to identify minimum browser requirements.
Troubleshooting
Because the logout propagation feature - as far as the front-channel support is concerned - uses Javascript, all communication with the SPs can be traced in the Web browser. To this end, both the SAML tracer (Firefox Plugin) and the Javascript console in most browsers' developer tools can be helpful in troubleshooting. Common errors can be:
The SP’s web server has set the X-Frame-Options to “sameorigin”, or similar CSP features, which will generally cause the SLO exchange to fail.
SAML Logout
SAML Logout is a more complex protocol than the simple variant described above, but the implementation is shared across the two approaches. There are really two "halves" to this:
Responding to requests from an SP
Propagating logout to an SP
This section is about the first case. The propagation step is covered in the previous section and is the same, regardless of how the logout is initiated.
SPs can request a logout using either front- or back-channel SAML bindings (typically HTTP-Redirect on the front, SOAP on the back). The IdP supports reception of either type of request, but use of SOAP obviously requires server-side session state. Propagation to SPs via SOAP when possible is supported more or less automatically, and happens either as part of back-channel processing or as a result of the usual front-channel iframe-based propagation.
Basic Configuration
The idp.session.secondaryServiceIndex property must be enabled to support SAML logout requests (it is explicitly enabled by default for new installs, but defaults to false).
Another consideration with SAML logout has to do with the length of time the system will "remember" the SP's session, in order to prevent the session cache from growing endlessly. This can't be done precisely because the IdP doesn't actually know how long the SP's own session might last. The idp.session.defaultSPlifetime and idp.session.slop properties control how long the IdP will "remember" an SP's session. Once elapsed, it's likely that a request for logout will fail from any SP that has expired from the cache.
Advanced Options
Even SPs that support requesting logout may not support receiving them, and many SPs may not care about responses to their requests. In such cases, it is advantageous to simple remove the <md:SingleLogoutService>
endpoints from their metadata. Unfortunately this fails due to the IdP's requirement to try and issue a response in most cases, and results in an error.
A property named idp.logout.assumeAsync (if true) allows requests to be treated as though they carried the <aslo:Asynchronous>
extension element, which tells the IdP that no response is needed. This allows the removal of endpoints from SP metadata to be an effective means of mitigating such problems with SPs by allowing inbound logout to the IdP while preventing outbound logout.
A bean is also exposed to allow message level encryption of <NameID>
values to be suppressed based on Format
. This is primarily suported to improve efficiency, given that many SPs rely on the urn:oasis:names:tc:SAML:2.0:nameid-format:transient
format, which isn't all that important to encrypt. A typical bean definition in conf/global.xml:
<util:set id="shibboleth.PlaintextNameIDFormats">
<util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.ENTITY" />
<util:constant static-field="org.opensaml.saml.saml2.core.NameIDType.TRANSIENT" />
</util:set
Administrative Logout
It is possible to log out sessions administratively. Right now this capability is confined to the IdP session (and that’s all that will ever be practical) and is implemented by means of revoking the authentication state of a subject. See AdministrativeLogoutConfiguration.
Reference