Reputation: 3704
In SAML, what are the actions that need to be performed in the client and service provider to logout?
I have gotten SAML Login working in a Go program using crewjam/samlwith a Keycloak IDP in SAML mode (I believe this is using SAMLv2 but not positive). The basics are that upon a good login, the IDP send the program the user's SAML attributes, the Go SAML Library translates this to a JWT and sets it as the HTTP Cookie. At this point the IDP marks that the user has a session with the Service and the user can access the API via the JWT.
The problem I am having is that I am unclear how to Logout. The library has a URL for logging out:
// SloURL is the full URL to the SAML Single Logout endpoint on this host.
// i.e. https://example.com/saml/slo
SloURL url.URL
But navigating to this page just returns a 404.
So how do I tell the IDP that the user's session is done? Should I remove the JWT cookie myself or will this be handled?
Upvotes: 0
Views: 1477
Answers (3)
Reputation: 3704
The following appears to accomplish what I asked for:
type Logout struct {
SP *samlsp.Middleware
}
func (l *Logout) ServeHTTP(w http.ResponseWriter, r *http.Request) {
//Get the JWT information
session, err := l.SP.Session.GetSession(r)
if err != nil {
WebErrorWarn("error get signouturl session: "+err.Error(), http.StatusForbidden, w)
return
}
//Get the JWT information part 2
attr := session.(samlsp.JWTSessionClaims)
if err != nil {
WebErrorWarn("error get signouturl session claims: "+err.Error(), http.StatusForbidden, w)
return
}
//use this as the name for the logout request
url, err := l.SP.ServiceProvider.MakeRedirectLogoutRequest(attr.Subject, "")
if err != nil {
WebErrorWarn("error get signouturl: "+err.Error(), http.StatusInternalServerError, w)
return
}
//delete the session token from teh browser
err = l.SP.Session.DeleteSession(w, r)
if err != nil {
WebErrorWarn("error get signouturl: "+err.Error(), http.StatusInternalServerError, w)
return
}
//redirect to the IDP Single log out URLwith the SAMLRequests for logout embedded
http.Redirect(w, r, url.String(), http.StatusFound)
}
I make my own logout URL to serve this on
http.Handle("/logout", samlSP.RequireAccount(&Logout{samlSP}))
Finally the IDP redirect the client back to the SLO URL, it is sent in the metadata file and also defaults to /saml/slo in crewjam/gosaml. I just have a handler on that URL to give the user a confirmation that they are no longer signed in.
http.Handle("/saml/slo", &SLOHandle{})
Note the /saml/slo URL should not be SAML protected otherwise you will trigger SAML login all over again.
Upvotes: 2
Reputation: 4620
The Single Logout Service (SLO) URL is in the IdP metadata, e.g.
<EntityDescriptor ... entityID="https://idp.com/shibboleth">
<IDPSSODescriptor ... >
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.com/idp/profile/SAML2/POST/SLO"/>
</IDPSSODescriptor>
</EntityDescriptor>
you then construct a logout request to send to the SLO for the NameID that was previously sent by the IdP (with the entityID https://idp.com/shibboleth) when that user logged in:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d" Version="2.0" IssueInstant="2014-07-18T01:13:06Z" Destination="https://idp.com/idp/profile/SAML2/POST/SLO">
<saml:Issuer>https://idp.com/shibboleth</saml:Issuer>
<saml:NameID SPNameQualifier="https://idp.com/shibboleth" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7</saml:NameID>
</samlp:LogoutRequest>
and receive the logout response:
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6c3737282f007720e736f0f4028feed8cb9b40291c" Version="2.0" IssueInstant="2014-07-18T01:13:06Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d">
<saml:Issuer>https://idp.com/shibboleth</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
</samlp:LogoutResponse>
Upvotes: 1
Reputation: 56
Send logout SAML request to http://{url}:{port}/auth/realms/{realm}/protocol/saml
Upvotes: 0
Related Questions
- How to Implement SAML Single Logout request from a microservice
- OneLogin SAML logout functionality
- How to implement Logout in a JWT based Single Sign On authentication architecture?
- When user signs out from SAML Service provider, it does not logs out user from the Salesforce Identity provider
- Construct a signed SAML2 LogOut request
- How to logout from shibboleth
- spring saml: How is LOGOUT handled? Is it mandatory to have logout endpoint in IDP metadata xml?
- SAML 2.0 LogoutRequest
- What is the proper way for a user to log out from simpleSAMLphp?
- Session termination in single logout using SAML