SATOSA

[Feature Request] Single LogOut

Open peppelinux opened this issue 7 years ago • 5 comments

Is there any possibility to implement, in the SAML2 backend and frontend plugins, the SLO endpoint?

peppelinux avatar Apr 10 '19 16:04 peppelinux

If I configure in my SATOSA frontend

  endpoints:
    # to be implemented
    single_logout_service:
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'slo/post'

On an SLO request from the SP I get `Error: not a authn request`.

If an IdP (auth target) does not handle `forceAuthn = true` properly, it should hopefully at least implement SLO.

I think SLO should be considered useful for security reasons in our context. Could we develop it?

peppelinux avatar Sep 23 '19 14:09 peppelinux

In satosa.frontends.saml2._register_endpoints I read that every endpoint is registered as handle_authn_request.

    def _register_endpoints(self, providers):
        """
        Register methods to endpoints
        :type providers: list[str]
        :rtype: list[(str, ((satosa.context.Context, Any) -> satosa.response.Response, Any))]
        :param providers: A list of backend providers
        :return: A list of endpoint/method pairs
        """
        url_map = []

        for endp_category in self.endpoints:
            for binding, endp in self.endpoints[endp_category].items():
                valid_providers = ""
                for provider in providers:
                    valid_providers = "{}|^{}".format(valid_providers, provider)
                valid_providers = valid_providers.lstrip("|")
                parsed_endp = urlparse(endp)
                # endp_category is never consulted here: every binding of every
                # category (SSO or SLO) is bound to handle_authn_request
                url_map.append(("(%s)/%s$" % (valid_providers, parsed_endp.path),
                                functools.partial(self.handle_authn_request, binding_in=binding)))

peppelinux avatar Oct 11 '19 08:10 peppelinux
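The routing behaviour described in the comment above, reconstructed as an added, stand-alone example (not SATOSA's own code). The `handle_authn_request` and `handle_logout_request` functions here are simplified stand-ins that take the raw SAML message instead of SATOSA's `Context`, the `HANDLERS` table is a hypothetical per-category dispatch, and the sample messages are constructed, unsigned fragments. `per_category=False` reproduces the quoted loop, where a LogoutRequest posted to `slo/post` still lands in the authn handler.

```python
import functools
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, unsigned sample messages (minimal, for demonstration only).
AUTHN_REQUEST = '<samlp:AuthnRequest xmlns:samlp="%s" ID="_a1" Version="2.0"/>' % SAMLP
LOGOUT_REQUEST = '<samlp:LogoutRequest xmlns:samlp="%s" ID="_l1" Version="2.0"/>' % SAMLP


def root_name(message):
    """Local name of the root element of a SAML protocol message."""
    tag = ET.fromstring(message).tag  # "{namespace}LocalName"
    return tag.rsplit("}", 1)[-1]


def handle_authn_request(message, binding_in):
    # Hypothetical stand-in for SATOSA's handler, which takes a Context instead.
    if root_name(message) != "AuthnRequest":
        raise ValueError("not a authn request")
    return ("authn", binding_in)


def handle_logout_request(message, binding_in):
    # Hypothetical: the SATOSA version discussed in the thread has no such handler.
    if root_name(message) != "LogoutRequest":
        raise ValueError("not a logout request")
    return ("logout", binding_in)


# Hypothetical: choose the handler by endpoint category instead of hard-coding one.
HANDLERS = {
    "single_sign_on_service": handle_authn_request,
    "single_logout_service": handle_logout_request,
}


def register_endpoints(endpoints, providers, per_category=True):
    """Build (regex, handler) pairs the way _register_endpoints does.

    per_category=False reproduces the quoted behaviour: every endpoint,
    whatever its category, is bound to handle_authn_request.
    """
    valid_providers = "|".join("^%s" % p for p in providers)
    url_map = []
    for category, bindings in endpoints.items():
        handler = HANDLERS[category] if per_category else handle_authn_request
        for binding, endp in bindings.items():
            path = urlparse(endp).path
            url_map.append(("(%s)/%s$" % (valid_providers, path),
                            functools.partial(handler, binding_in=binding)))
    return url_map


def dispatch(url_map, request_path, message):
    """Route request_path to the first handler whose pattern matches."""
    for pattern, handler in url_map:
        if re.match(pattern, request_path):
            return handler(message)
    raise LookupError("no endpoint matches " + request_path)


def dispatch_result(url_map, request_path, message):
    """dispatch(), but returning the error text instead of raising."""
    try:
        return dispatch(url_map, request_path, message)
    except (ValueError, LookupError) as exc:
        return str(exc)


# Constructed frontend endpoint config mirroring the YAML earlier in the thread.
ENDPOINTS = {
    "single_sign_on_service": {HTTP_REDIRECT: "sso/redirect"},
    "single_logout_service": {HTTP_POST: "slo/post"},
}

if __name__ == "__main__":
    legacy = register_endpoints(ENDPOINTS, ["Saml2"], per_category=False)
    fixed = register_endpoints(ENDPOINTS, ["Saml2"])
    print(dispatch_result(legacy, "Saml2/slo/post", LOGOUT_REQUEST))
    print(dispatch_result(fixed, "Saml2/slo/post", LOGOUT_REQUEST))
```

Running the block prints the error the issue reports for the legacy map and `('logout', ...)` for the per-category one; dispatch only decides which handler runs, and any real logout handler would still have to verify the signature and issuer of the LogoutRequest before acting on it.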

+1 to developing this. I was asked by my federation operator to provide a single logout endpoint, which I'm unable to do atm (unless I've misunderstood).

hannahshort avatar Sep 02 '20 13:09 hannahshort

Correct me if I'm wrong, but the cookie in SATOSA expires soon. This parameter is configurable but probably not infinite, as a cookie released by an IdP could be (a non-expiring cookie). Missing it in the frontend (IdP), it won't link the SLO request to any active session (context), so it won't know which IdP to ask, by which backend, regarding which previously authenticated SAML session. This is an aspect that can be handled in one way or another but, I think, that's my first impression of this problem.

Setting forceAuthn to True gives us a real workaround for this, because each session won't rely on the previous state. Going out of the SAML2 field would be even more complex. Probably its first implementation would be done only for a pure SAML2 backend/frontend. Just a few cents, mostly ideas at first sight.

peppelinux avatar Sep 02 '20 15:09 peppelinux
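The session-linking problem raised in the last comment, as an added example that is not part of the thread or of SATOSA: the proxy has to remember, for every assertion it issues to an SP, which backend and upstream IdP produced the authentication and under which NameID and SessionIndex, and that memory has a lifetime. `SessionLinkStore`, `UpstreamSession` and `build_upstream_logout_request` are hypothetical names; the TTL, entity IDs and session identifiers are constructed values; the generated LogoutRequest is unsigned, which a real deployment would have to fix before sending it.

```python
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class UpstreamSession:
    """What the proxy must remember to log a user out at the upstream IdP."""
    backend: str          # SATOSA backend that handled the authentication
    idp_entity_id: str    # IdP that issued the upstream assertion
    idp_slo_url: str      # that IdP's SingleLogoutService endpoint
    name_id: str          # NameID the IdP issued to the proxy
    session_index: str    # SessionIndex from the IdP's assertion


class FakeClock:
    """Controllable clock so expiry can be exercised deterministically."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionLinkStore:
    """Maps the session the proxy issued to an SP to the upstream session."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        # (sp_name_id, sp_session_index) -> (expires_at, UpstreamSession)
        self._links = {}

    def link(self, sp_name_id, sp_session_index, upstream):
        """Record the link when the proxy issues its own assertion to the SP."""
        self._links[(sp_name_id, sp_session_index)] = (self.clock() + self.ttl, upstream)

    def pop(self, sp_name_id, sp_session_index):
        """Consume the link for an SP LogoutRequest; None if unknown or expired."""
        entry = self._links.pop((sp_name_id, sp_session_index), None)
        if entry is None:
            return None
        expires_at, upstream = entry
        if self.clock() >= expires_at:
            return None
        return upstream


def build_upstream_logout_request(store, sp_name_id, sp_session_index, issuer,
                                  request_id="_slo1", issue_instant="2020-09-02T15:00:00Z"):
    """Turn the SP's LogoutRequest (NameID + SessionIndex) into the upstream one.

    Returns (backend, xml) or None when no live link exists, which is exactly
    the case where the proxy cannot tell which IdP, via which backend, to ask.
    """
    upstream = store.pop(sp_name_id, sp_session_index)
    if upstream is None:
        return None
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element("{%s}LogoutRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": upstream.idp_slo_url,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = issuer
    ET.SubElement(req, "{%s}NameID" % SAML).text = upstream.name_id
    ET.SubElement(req, "{%s}SessionIndex" % SAMLP).text = upstream.session_index
    # Unsigned on purpose here; a real proxy signs this before using any binding.
    return upstream.backend, ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionLinkStore(ttl_seconds=300, clock=clock)
    # Constructed values standing in for a real backend/IdP exchange.
    store.link("proxy-nameid-1", "_proxy_sess_1", UpstreamSession(
        "Saml2", "https://idp.example.org/idp", "https://idp.example.org/idp/slo",
        "idp-nameid-1", "_idp_sess_1"))
    clock.advance(301)
    print(build_upstream_logout_request(store, "proxy-nameid-1", "_proxy_sess_1",
                                        issuer="https://proxy.example.org/Saml2/metadata"))
```

Run as a script it prints `None`: the link outlived its TTL, so the SP's logout cannot be forwarded anywhere, which is the failure mode the comment describes. The link is consumed on first use so a replayed LogoutRequest cannot trigger a second upstream logout.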