
[RFE] SAML Single Logout not implemented #38494

Open
susenguyen opened this issue Aug 2, 2022 · 5 comments · May be fixed by #45379
Labels
area/authentication JIRA To be used in correspondence with the internal ticketing system. kind/bug Issues that are defects reported by users or that we know have reached a real release kind/enhancement Issues that improve or augment existing functionality priority/0 team/collie the team that is responsible for auth and rbac within rancher

Comments

@susenguyen

Rancher Server Setup

  • Rancher version: 2.6.6
  • Installation option Helm chart
    • RKE2 & RKE

Information about the Cluster

  • Kubernetes version: 1.23.7
  • Cluster Type Local

Describe the bug
When integrating Rancher 2.6.6 with a SAML provider (we tried with Keycloak and Shibboleth), after a logout, if the user presses F5, he/she gets to log in again without providing his/her credentials.

To Reproduce

  • Login
  • Logout
  • Hit F5

Result
The user logs in again without providing credentials

Expected Result
Rancher should ask for your credentials

Additional context
Looking at the code (in pkg/auth/providers/saml), we are missing a single logout handler.
https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline

@susenguyen susenguyen added the kind/bug Issues that are defects reported by users or that we know have reached a real release label Aug 2, 2022
@samjustus samjustus added area/authentication team/collie the team that is responsible for auth and rbac within rancher labels Mar 25, 2024
@samjustus samjustus added this to the v2.9-Next1 milestone Mar 25, 2024
@samjustus samjustus added the JIRA To be used in correspondence with the internal ticketing system. label Mar 25, 2024
@samjustus
Collaborator

SURE-3572

@samjustus samjustus added kind/enhancement Issues that improve or augment existing functionality priority/0 labels Mar 26, 2024
@andreas-kupries

Research Status

Rancher processes UI logout requests in pkg/auth/tokens.

The existing code removes the relevant cookies from the browser and deletes the Rancher Token
resource associated with the current user.

This part has to be expanded to perform the SAML logout as well.

It is not possible to directly call into the pkg/auth/providers packages, as these use the tokens
package themselves, leading to an import loop.

This can be solved by extending the tokens package with a global callback invoked during logout
processing, if set.

Setting the callback to a suitable function during auth provider setup means that this function has
access to the auth/provider functionality while hiding this fact from the token manager.

The logout workflow is, like the SSO, a back and forth between the various components, i.e. Rancher,
IdP, and Browser.

An attempt was made to avoid the latter by directly fetching the logout redirect URL from within
Rancher.

This failed with KeyCloak (the IdP used for testing) returning an unknown error. The KC log
indicated a missing KEYCLOAK_IDENTITY cookie. I.e. this was likely an auth failure before auth could
even be checked. Inspection of the browser cookie management found such a cookie for the local KC
instance.

And with a proper redirect through the browser this kind of cookie should then be picked up and
properly auth the request.

Today this was tried, i.e. the code for the callback was rewritten to have access to the initial logout
request and pending response structures and to initiate a redirect in the response.

This also failed, to the point that KC did not even record any logout request, something which
happened for the direct fetch trialed before.

At this point I suspect that the Rancher UI fails to properly handle the redirect request we
return. It seems to ignore the result from its own logout request and simply continue on to showing
the main Rancher login and welcome form.

If that is true it means that the extended logout will require UI changes too.

Although it is not known to me yet where such changes have to happen.

This requires research into the UI code.
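
The decoupling described in this comment, as an added Go sketch that is not Rancher's code: a hypothetical tokens-side LogoutHook that the SAML provider sets during setup, so the logout handler can send the browser to the IdP's SLO endpoint without the tokens package importing the provider packages. The cookie name, the in-memory token store and the SLO URL and query shape are assumptions.

```go
package main

import (
	"net/http"
	"net/url"
)

// LogoutHook is a hypothetical package-level callback, standing in for the one
// the comment proposes adding to pkg/auth/tokens. Provider setup code sets it,
// so tokens never imports the provider packages and the import loop is avoided.
// It returns true when it has already written a browser redirect to the IdP.
type LogoutHook func(w http.ResponseWriter, r *http.Request, user string) bool

var logoutHook LogoutHook

// SetLogoutHook is meant to be called from auth-provider setup, not from tokens.
func SetLogoutHook(h LogoutHook) { logoutHook = h }

// Constructed in-memory stand-in for Rancher Token resources: token -> user.
var tokens = map[string]string{"token-abc": "alice", "token-def": "bob"}

// Logout keeps the existing behaviour the comment describes (drop the session
// cookie, delete the Token resource) and then invokes the hook if one is set.
// The cookie name "sess" is a placeholder, not Rancher's real cookie name.
func Logout(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("sess")
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	user := tokens[c.Value]
	delete(tokens, c.Value)
	http.SetCookie(w, &http.Cookie{Name: "sess", Value: "", MaxAge: -1, Path: "/"})
	if logoutHook != nil && logoutHook(w, r, user) {
		return // the hook already issued the IdP redirect
	}
	w.WriteHeader(http.StatusOK)
}

// samlLogoutHook is a hypothetical provider-side hook. Instead of fetching the
// IdP logout URL from the server (which failed because the IdP session cookie
// lives in the browser), it redirects the browser to the IdP's SLO endpoint.
// NameID as a query parameter is a placeholder for a signed SAML LogoutRequest.
func samlLogoutHook(sloURL string) LogoutHook {
	return func(w http.ResponseWriter, r *http.Request, user string) bool {
		http.Redirect(w, r, sloURL+"?NameID="+url.QueryEscape(user), http.StatusFound)
		return true
	}
}
```

The 302 only removes the IdP session if the browser follows it, which is why the UI must honour the redirect rather than ignoring the logout response.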

@samjustus
Collaborator

@gaktive can we get someone from your team to assist on Andreas' research here?

@richard-cox
Member

I've added comments to the JIRA issue. We might need to step back and plan this a bit more.

@samjustus samjustus changed the title SAML Single Logout not implemented [RFE] SAML Single Logout not implemented Apr 9, 2024
@gaktive
Member

gaktive commented May 3, 2024

Related UI ticket: rancher/dashboard#10941

@andreas-kupries andreas-kupries linked a pull request May 6, 2024 that will close this issue