SAML Single Logout

with the Shibboleth IdPv3

Etienne Dysli-Metref
etienne.dysli-metref@switch.ch

1

Sessions, sessions, sessions!

  • IdP session
  • SP1 session
  • application1 session
  • SP2 session
  • application2 session
  • etc.
2

There are new sessions opened everywhere!

SLO is harder than SSO

  • Single: terminate all sessions in one operation
  • Does it make sense for the user?
  • What happens when only one session is terminated?
  • How do you cleanly terminate all those sessions?
3
  • Single logout designed to end all sessions in only one operation
  • Did the user really mean to log out of everything?
4

Nowadays, closing the browser is not enough to clear session cookies (Firefox session restore).

Availability with Shibboleth

  • Already implemented in SP (simplified configuration since 2.4)
  • SP can notify protected application
  • Available since IdP 3.2.0, with some bugs in logout flow and view: IDP-956, IDP-924
  • Works on IdP 3.2.1 with those fixes applied
  • Bindings: front-channel (HTTP-Redirect, HTTP-POST) and back-channel (SOAP)
  • Back-channel propagation not yet available on IdP, but planned for 3.3
  • Administrative logout not supported
5

Maybe at some point there will be a GUI in the IdP for administrative logout.

Implementation in IdPv3

IdP- and SP-initiated logout sequences

Logout views

Configuration overview

Configuration details

Fixes for IdP 3.2.0 and 3.2.1

6

Not showing configuration details but they are here for reference.

IdP-initiated (proprietary) logout

  1. HTTP GET on /idp/profile/Logout with session cookie
  2. End IdP session
  3. Log out of other services? If yes, proceed
  4. Propagate logout to accessed SPs
  5. Display result (flow always ends at IdP)
7

SP-initiated (SAML) logout

  1. HTTP GET on /Shibboleth.sso/Logout
  2. (if notify) Redirect to application logout notification endpoint
  3. (if notify) Redirect to /Shibboleth.sso/Logout
  4. Redirect to IdP with SAML LogoutRequest
  5. Same as IdP-initiated logout (flow always ends at IdP)
8

IdPv3 logout views (1)

logout question

9

IdPv3 logout views (2)

logout status

  • Shows list of SPs with logout status
  • One hidden iframe per SP, each sending one SAML logout request
  • Uses jQuery
10
  • Requires a modern browser to work (must support HTML5 LocalStorage)
  • jQuery becomes a new dependency for the IdP

IdPv3 logout views (3)

logout complete

  • No propagation question when the only SP in the session sends the logout request
11

Configuration overview

  1. Enable SLO on your IdP (properties)
  2. Publish IdP SLO endpoints in metadata (Resource Registry)
  3. Enable SLO on your SP
  4. If your SP-protected application has its own sessions:
    • Enable application notifications on your SP
    • Program your application to respond to logout notifications
  5. Publish SP SLO endpoints in metadata (Resource Registry)
  6. Test!
12

Configuration: IdP properties

Required to enable SLO (default values in brackets)

  • Track which SPs the user has logged into: idp.session.trackSPSessions = true [false]
  • Enable receiving SAML logout requests from SPs: idp.session.secondaryServiceIndex = true [false]

Reference: LogoutConfiguration

13

Configuration: IdP properties

Optional tweaks

  • Display SP information from metadata: idp.logout.elaboration = true [false]
  • How long does the IdP remember SPs? It cannot know the real SP session duration!
    idp.session.defaultSPlifetime = PT2H [PT2H]
    idp.session.slop = PT0S [PT0S]
  • Require logout requests and responses to be signed (authenticated); better leave it enabled: idp.logout.authenticated = true [true]
14

Configuration: IdP SLO endpoints

Publish SingleLogoutService endpoints in metadata

IdP SLO endpoints

15

Configuration: SP logout service

Add “SAML2” inside the Logout element (in shibboleth2.xml)

<Logout>SAML2 Local</Logout>

Reference: NativeSPServiceLogout

16

Configuration: SP logout notifications

Add a Notify element (in shibboleth2.xml)

<Notify Channel="front"
Location="https://sp.example.org/app/logout-notify"/>

and program your application to respond at the given URL

References: NativeSPNotify, SLOWebappAdaptation

17
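An added example of the application side of step 4 (not from the slides or the Shibboleth project): a front-channel logout notification handler in Python using only the standard library. It assumes that the SP, as documented for Notify with Channel="front", redirects the browser to the Location with the query parameters action=logout and return=<SP URL>; the host name and the session store are constructed sample values.

```python
"""Front-channel logout notification handler (added example, not from the slides)."""
from http import HTTPStatus
from urllib.parse import parse_qs, urlsplit

# Host(s) the SP runs on; the return URL is honoured only for these (constructed).
ALLOWED_RETURN_HOSTS = {"sp.example.org"}

# In-memory stand-in for the application's own session store (constructed).
SESSIONS = {"app-session-1": {"user": "alice"}}


def return_url_is_safe(url):
    """Accept only https URLs on the SP's own host, so the endpoint cannot be
    turned into an open redirect by handing a user a crafted notify link."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS


def handle_logout_notify(query_string, app_session_id):
    """Process one notification; assumes the SP sends action=logout&return=<url>.

    Returns (status, headers) for the framework to send; the application's
    session is dropped from SESSIONS as a side effect."""
    params = parse_qs(query_string)
    if params.get("action") != ["logout"]:
        return HTTPStatus.BAD_REQUEST, {}
    return_to = params.get("return", [""])[0]
    if not return_url_is_safe(return_to):
        return HTTPStatus.BAD_REQUEST, {}
    # End the application session even if it is already gone: the notification
    # can arrive after the application session has expired on its own.
    SESSIONS.pop(app_session_id, None)
    # Expire the session cookie and send the browser back to the SP, which then
    # continues with the SAML LogoutRequest to the IdP (steps 3 and 4 of the
    # SP-initiated logout sequence).
    headers = {
        "Location": return_to,
        "Set-Cookie": "APPSESSION=; Max-Age=0; Path=/; Secure; HttpOnly",
        "Cache-Control": "no-store",
    }
    return HTTPStatus.FOUND, headers


if __name__ == "__main__":
    # Constructed sample request as the SP would issue it.
    qs = "action=logout&return=https%3A%2F%2Fsp.example.org%2FShibboleth.sso%2FLogout"
    print(handle_logout_notify(qs, "app-session-1"))
```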

Configuration: SP SLO endpoints

Publish SingleLogoutService endpoints in metadata

SP SLO endpoints

18

Fixes for IdP 3.2.0 and 3.2.1 (1)

--- system/flows/logout/logout-flow.xml 2016/01/20 19:57:55 8080
+++ system/flows/logout/logout-flow.xml 2016/04/01 14:23:58 8190
@@ -73,7 +73,7 @@
<view-state id="LogoutView" view="logout">
- <on-entry>
+ <on-render>
<evaluate expression="WriteAuditLog" />
<evaluate expression="environment" result="viewScope.environment" />
<evaluate expression="opensamlProfileRequestContext" result="viewScope.profileRequestContext" />
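Review bot: moving WriteAuditLog and the viewScope assignments from `<on-entry>` to `<on-render>` makes them run on every render of LogoutView instead of once when the state is entered, which is what the view needs when it is rendered again after the propagation iframes post back; check, though, that WriteAuditLog firing once per render does not produce duplicate audit records for a single logout.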
@3,7 +83,7 @@
<evaluate expression="flowRequestContext.getExternalContext().getNativeRequest()" result="viewScope.request" />
<evaluate expression="flowRequestContext.getExternalContext().getNativeResponse()" result="viewScope.response" />
<evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().containsBean('shibboleth.CustomViewContext') ? flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CustomViewContext') : null" result="viewScope.custom" />
- </on-entry>
+ </on-render>
<transition on="proceed" to="LogoutCompleteView" />
<transition on="end" to="LogoutCompleteView" />
<transition on="propagate" to="LogoutPropagateView" />
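Review bot: the header of this second hunk reads `@3,7 +83,7 @@` and cannot be parsed as a hunk header (expected the form `@@ -83,7 +83,7 @@`), so the patch as shown on the slide would be rejected by patch or svn; the slide should reproduce the header intact. The change itself only closes the `</on-render>` element opened in the first hunk.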

original diff from svn.shibboleth.net

19

Fixes for IdP 3.2.0 and 3.2.1 (2)

--- system/flows/logout/propagation/cas-flow.xml 2015/10/14 15:50:01 7822
+++ system/flows/logout/propagation/cas-flow.xml 2016/04/01 14:23:58 8190
@@ -3,12 +3,12 @@
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd">
<view-state id="ShowServiceLogoutView" view="cas/logoutService">
- <on-entry>
+ <on-render>
<set name="viewScope.logoutPropCtx"
value="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.session.context.LogoutPropagationContext))" />
<set name="viewScope.messageID" value="T(java.util.UUID).randomUUID()" />
<set name="viewScope.issueInstant" value="DateFormatter.print(T(org.joda.time.DateTime).now())" />
- </on-entry>
+ </on-render>
<transition on="proceed" to="proceed" />
</view-state>
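Review bot: same on-entry to on-render move as in logout-flow.xml, but here it also changes the meaning of the two `<set>` lines: `viewScope.messageID` (randomUUID) and `viewScope.issueInstant` are now regenerated on every render instead of once per state entry, so each rendered CAS logout request carries a fresh ID and timestamp. That is the right behaviour for a message ID; a short comment in the flow saying so would stop someone moving it back into on-entry later.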

original diff from svn.shibboleth.net

20

Fixes for IdP 3.2.0 and 3.2.1 (3)

--- views/logout.vm 2016/01/05 12:57:59 8067
+++ views/logout.vm 2016/02/18 17:39:36 8095
@@ -65,10 +65,8 @@
</ol>
#else
<p><strong>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</strong></p>
-<!-- If SAML logout with no extra work to do, complete the flow by adding a hidden iframe. -->
-#if ( $profileRequestContext.getProfileId().contains("saml2/logout") )
-<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed">
-#end
+<!-- Complete the flow by adding a hidden iframe. -->
+<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
#end
</div>
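Review bot: the actual defect in the removed lines is the unclosed `<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed">`: without `</iframe>`, HTML parsers treat everything after it (the closing `</div>` and the rest of the template) as iframe fallback content, so the iframe still loads but the remainder of the page is swallowed. The change also drops the `saml2/logout` profile check so the hidden iframe is emitted for every logout profile, which the rewritten comment reflects. Minor: inside an attribute the `&` should strictly be `&amp;`, although browsers tolerate the bare form.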

original diff from svn.shibboleth.net

21

Fixes for IdP 3.2.0 and 3.2.1 (4)

--- views/logout-complete.vm 2015/10/28 16:17:35 7896
+++ views/logout-complete.vm 2016/02/18 17:39:36 8095
@@ -44,7 +44,7 @@
<!-- If SAML logout, complete the flow by adding a hidden iframe. -->
#if ( $profileRequestContext.getProfileId().contains("saml2/logout") )
-<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed">
+<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
#end
<footer>
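Review bot: same missing `</iframe>` fix as in logout.vm; here the `saml2/logout` condition is kept, which is consistent with the comment still reading "If SAML logout". Fine as is, but the two templates now differ only in that condition, so keep them aligned or the next edit to one will miss the other.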

original diff from svn.shibboleth.net

22

Fixes for IdP 3.2.0 and 3.2.1 (5)

--- system/views/logout/propagate.vm 2015/11/06 20:22:32 7958
+++ system/views/logout/propagate.vm 2016/02/18 17:39:36 8095
@@ -99,5 +99,5 @@
<!-- If SAML logout, complete the flow by adding a hidden iframe. -->
#if ( $profileRequestContext.getProfileId().contains("saml2/logout") )
-<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed">
+<iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
#end
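Review bot: third copy of the identical hidden-iframe snippet and the same `</iframe>` fix across logout.vm, logout-complete.vm and propagate.vm; duplicating it is a maintenance hazard, and a Velocity `#macro` in a shared include would let a fix like this be applied once.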

original diff from svn.shibboleth.net

23
