teleport icon indicating copy to clipboard operation
teleport copied to clipboard
verified publisher icon gravitational

Refactor SAML IdP Sessions - Follow up

Open Joerger opened this issue 1 year ago • 1 comments

Follow up to https://github.com/gravitational/teleport.e/pull/4112

Joerger avatar May 20 '24 19:05 Joerger

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

github-actions[bot] avatar May 20 '24 19:05 github-actions[bot]

I am not sure if we should deprecate these methods. I recon that currently we no longer maintain a SAML session since https://github.com/gravitational/teleport.e/pull/4112 but a separate SAML session is required in order to support Single Logout functionality, which is not currently implemented in Teleport.

For context of Single Logout (SLO): In a typical SAML auth flow, after successful auth, a session ID and session index is generated. The session ID and session index is used to maintain user session in the IdP whereas the session index is also sent over to the service provider in SAML assertion. During SP initiated SLO, service provider sends this session index, which IdP will use to query user's session in the IdP and delete session accordingly.

SAML session ID was arguably not useful in Teleport's case as we used Teleport websession as a canonical session identifier for verifying session. But should we support SLO in future (we probably will as it is expected of a standard IdP), we will need to maintain SAML session with session index, which ties Teleport websession with service provider session, and all these methods will be probably needed again, also partially bringing back SAML session logic that were removed in https://github.com/gravitational/teleport.e/pull/4112.

P.S I am not the original author but I could be sure it was implemented for a similar reason.

cc @r0mant

flyinghermit avatar Jun 05 '24 21:06 flyinghermit

Since I do not see myself working on the single logout anytime soon, I think it is a good thing to remove these dead codes from release branches. I have been bitten by being reluctant to backport e PR https://github.com/gravitational/teleport.e/pull/4112 to release branches, making both the SAML IdP session behavior and codebase different in active release branches.

Let's remove these methods as well, I will re-add them when needed.

flyinghermit avatar Aug 16 '24 03:08 flyinghermit

@Joerger See the table below for backport results.

Branch Result
branch/v14 Failed
branch/v15 Failed
branch/v16 Failed

public-teleport-github-review-bot[bot] avatar Aug 17 '24 18:08 public-teleport-github-review-bot[bot]