
Support SAML Single Logout (SLO)

Open richard-cox opened this issue 1 year ago • 2 comments

SURE-3572

  • Users currently only log out from local auth, or in the case of SSO external auth providers just clear local content and direct the user back to the login page... they are not signed out of the external auth provider.
  • Some customers have requested that logging out of Rancher should also log them out of the external auth provider
  • This only makes sense for some auth providers, and in a limited way
  • Linked SURE details how this should work, but briefly
    • Should be configurable (admins can enable / disable)
    • Can be optional (admins can choose to force it, or allow both types of logout)

richard-cox, May 03 '24 13:05

Info from the referenced PR:

  1. Extended AuthConfig, SamlConfig with the proposed flags about SLO (supported, enabled, forced).
     1. Based on the CRD setup the supported flag might be nonsense.
     2. As in, cannot be set into the initial AuthConfig CR instances. UI may have to simply know that only the SAML providers support SLO, and none of the others.
  2. New structures SamlConfigLogoutInput, and ...Output. Same fields as the known SamlConfigTest... structures. Hold the request/response data from/to the UI for the logoutAll action (see below).
  3. The tokens API should export a new action logoutAll.
  4. Basic implementation of the logout flow. Compiles, untested.
  5. Linkage between token manager and SAML to invoke the flow from the frontend

KNOWN ISSUES: Does not guard against call of regular logout when SLO is forced. Does guard against forced but not enabled, and call to logout-all when not enabled.

I hope that is enough to get UI work somewhat started, even without a Rancher image containing this.

andreas-kupries, May 06 '24 13:05
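The three flags (supported, enabled, forced), the two actions (logout, logoutAll) and the guards listed under KNOWN ISSUES form a small decision table. The following is an added example, not code from the Rancher backend or the dashboard, that encodes that table as a policy check. The type and field names (SLOFlags, LogoutKind, the error values) are hypothetical stand-ins for whatever SamlConfig actually carries; the example also implements the guard the comment says is still missing (refusing a regular logout while SLO is forced), so a client cannot bypass IdP logout by calling the older action.

```go
package main

import (
	"errors"
	"fmt"
)

// SLOFlags mirrors the three SLO flags proposed for SamlConfig. The type and
// field names are hypothetical, not Rancher's real SamlConfig definition.
type SLOFlags struct {
	Supported bool // provider type can do SLO (only SAML providers, per the comment)
	Enabled   bool // admin switched SLO on for this provider
	Forced    bool // admin requires SLO; plain local logout is not offered
}

// LogoutKind is the action the UI asks the backend to perform.
type LogoutKind string

const (
	LogoutLocal LogoutKind = "logout"    // clear the Rancher session only
	LogoutAll   LogoutKind = "logoutAll" // Rancher session plus IdP single logout
)

var (
	ErrSLOUnsupported       = errors.New("SLO enabled on a provider that does not support it")
	ErrForcedButNotEnabled  = errors.New("SLO forced but not enabled")
	ErrLogoutAllDisabled    = errors.New("logoutAll requested but SLO is not enabled")
	ErrLocalLogoutForbidden = errors.New("regular logout requested but SLO is forced")
)

// Validate rejects inconsistent flag combinations before any logout runs.
// Forced-but-not-enabled is the guard the comment says already exists;
// enabled-but-unsupported is an added sanity check (assumption).
func (f SLOFlags) Validate() error {
	if f.Forced && !f.Enabled {
		return ErrForcedButNotEnabled
	}
	if f.Enabled && !f.Supported {
		return ErrSLOUnsupported
	}
	return nil
}

// Authorize decides whether the requested logout action may run under the
// configured flags. The LogoutLocal branch is the guard listed as missing in
// the comment above.
func (f SLOFlags) Authorize(kind LogoutKind) error {
	if err := f.Validate(); err != nil {
		return err
	}
	switch kind {
	case LogoutAll:
		if !f.Enabled {
			return ErrLogoutAllDisabled
		}
	case LogoutLocal:
		if f.Forced {
			return ErrLocalLogoutForbidden
		}
	default:
		return fmt.Errorf("unknown logout action %q", kind)
	}
	return nil
}

// Choices returns the logout options the UI should offer: nil for an invalid
// config, one option when SLO is off or forced, two when the admin lets the
// user pick.
func (f SLOFlags) Choices() []LogoutKind {
	if f.Validate() != nil {
		return nil
	}
	if !f.Enabled {
		return []LogoutKind{LogoutLocal}
	}
	if f.Forced {
		return []LogoutKind{LogoutAll}
	}
	return []LogoutKind{LogoutLocal, LogoutAll}
}

func main() {
	// Constructed flag combinations covering every row of the decision table.
	for _, f := range []SLOFlags{
		{Supported: true},
		{Supported: true, Enabled: true},
		{Supported: true, Enabled: true, Forced: true},
		{Supported: true, Forced: true}, // invalid: forced without enabled
	} {
		fmt.Printf("%+v -> choices=%v local=%v all=%v\n",
			f, f.Choices(), f.Authorize(LogoutLocal), f.Authorize(LogoutAll))
	}
}
```

Keeping the policy in one place (Authorize) rather than spread over the two token actions is what makes the "forced" setting enforceable: both the legacy logout action and logoutAll consult the same table, so the UI's choice of button is a convenience, not the security boundary.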

FYI we do not have logout tests with credentials

cnotv, May 15 '24 15:05

@richard-cox with what else is on your 2.9.0 plate, is this something that @aalves08 can pick up?

gaktive, May 31 '24 15:05

Happy to hand over and offer guidance if needed

richard-cox, Jun 03 '24 08:06

@rancher/docs the documentation for Rancher Manager will need updating with regard to how to configure Single Logout on each of the SAML providers. Ex: https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml

Final UX will be coming soon (PR https://github.com/rancher/dashboard/pull/11182 is still WIP)

aalves08, Jun 07 '24 10:06

Hello @aalves08, I have created a docs issue for this and any docs related questions or comments can be directed there. Thank you!

sunilarjun, Jun 07 '24 15:06

@gaktive I've moved this to backend blocked given an issue we see with Okta.

@andreas-kupries has confirmed his backend changes and our frontend changes work with Keycloak SAML; however, there's an issue he's following up on when using Okta. In theory we could merge our side, however it would be good to validate changes in Okta and do a bit of dev testing on our side as well.

richard-cox, Jun 21 '24 16:06

Backend won't be able to complete this in time for 2.9.0 so pushing to 2.10.0

gaktive, Jun 27 '24 18:06

Backend is now done - we need to test/validate these UI changes with the new backend.

nwmac, Aug 20 '24 12:08

Testing complete in:

  • Rancher v2.10-e615207c8cd924c092b55a9301e7378878706d19-head
  • Dashboard master 78df731

Conducted tests with Okta and Ping (SAML) auth providers. The result column did not survive extraction and is left blank.

| Auth Provider | User           | Test Case                                                   | Result |
|---------------|----------------|-------------------------------------------------------------|--------|
| Okta          | Admin          | Regular logout flow                                         |        |
| Okta          | Admin          | SLO: Logout of Rancher and NOT auth provider                |        |
| Okta          | Admin          | SLO: Logout of Rancher and auth provider                    |        |
| Okta          | Admin          | SLO: Allow user to choose which to logout from              |        |
| Okta          | Standard       | SLO: Logout of Rancher and NOT auth provider                |        |
| Okta          | Standard       | SLO: Logout of Rancher and auth provider                    |        |
| Okta          | Standard       | SLO: Allow user to choose which to logout from              |        |
| Okta          | Admin/Standard | SLO: Correct login page message displays per log-out method |        |
| Ping          | Admin          | SLO: Logout of Rancher and NOT auth provider                |        |
| Ping          | Admin          | SLO: Logout of Rancher and auth provider                    |        |
| Ping          | Admin          | SLO: Allow user to choose which to logout from              |        |
| Ping          | Standard       | SLO: Logout of Rancher and NOT auth provider                |        |
| Ping          | Standard       | SLO: Logout of Rancher and auth provider                    |        |
| Ping          | Standard       | SLO: Allow user to choose which to logout from              |        |
| Ping          | Admin/Standard | SLO: Correct login page message displays per log-out method |        |
| --            | Admin/Standard | Regular logout flow                                         |        |

yonasberhe23, Oct 30 '24 18:10