SAML SLO support #45379

Open
wants to merge 5 commits into base: release/v2.9

andreas-kupries

@andreas-kupries andreas-kupries commented May 6, 2024

Issue:

Fix #38494

This work is co-dependent on the UI work tracked at rancher/dashboard#10941

Problem

SURE 3572

Solution

PR holds work checkpoints at the moment. Not in a merge-able state.

  1. Extended AuthConfig, SamlConfig with the proposed flags about SLO (supported, enabled, forced).
    1. Based on the CRD setup the supported flag might be nonsense.
    2. As in, cannot be set into the initial AuthConfig CR instances. UI may have to simply know that only the SAML providers support SLO, and none of the others.
  2. New structures SamlConfigLogoutInput, and ...Output. Same fields as the known SamlConfigTest... structures. Hold the request/response data from/to the UI for the logoutAll action (see below).
  3. The tokens API should export a new action logoutAll.
  4. Basic implementation of the logout flow. Compiles, untested.
  5. Linkage between token manager and saml to invoke the flow from the frontend

KNOWN ISSUES: Does not guard against call of regular logout when SLO is forced.
Does guard against forced but not enabled, and call to logout-all when not enabled.

Testing

Engineering Testing

Manual Testing

Automated Testing

  • Test types added/modified:
    • Unit
    • Integration (Go Framework)
    • Integration (v2prov Framework)
    • Validation (Go Framework)
    • Other - Explain: EXPLAIN
    • None
    • REMOVE NOT APPLICABLE BULLET POINTS ABOVE
  • If "None" - Reason: EXPLAIN THE REASON
  • If "None" - GH Issue/PR: LINK TO GH ISSUE/PR TO ADD TESTS

Summary: TODO

QA Testing Considerations

Regressions Considerations

TODO

Existing / newly added automated tests that provide evidence there are no regressions:

  • TODO
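
The guards listed under KNOWN ISSUES, written out as one server-side check. This is an added example, not code from this PR or from Rancher; the type `SLOFlags`, the function `CheckAction`, the error values and the action strings are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// SLOFlags holds two of the flags named in the description. Hypothetical type;
// "supported" is left out because the description questions its usefulness.
type SLOFlags struct{ Enabled, Forced bool }

// Action names follow the description: regular logout and the new logoutAll.
const (
	Logout    = "logout"
	LogoutAll = "logoutAll"
)

var (
	ErrForcedNotEnabled = errors.New("SLO is forced but not enabled")
	ErrSLONotEnabled    = errors.New("logoutAll requested while SLO is not enabled")
	ErrSLOForced        = errors.New("regular logout requested while SLO is forced")
)

// CheckAction decides server-side whether a logout action may proceed.
func CheckAction(f SLOFlags, action string) error {
	if f.Forced && !f.Enabled {
		return ErrForcedNotEnabled // inconsistent configuration, reject everything
	}
	switch action {
	case LogoutAll:
		if !f.Enabled {
			return ErrSLONotEnabled
		}
	case Logout:
		if f.Forced {
			return ErrSLOForced // the guard listed under KNOWN ISSUES as missing
		}
	default:
		return fmt.Errorf("unknown logout action %q", action)
	}
	return nil
}

func main() {
	// Constructed flag combinations, printed as a decision table.
	for _, f := range []SLOFlags{{}, {Enabled: true}, {Enabled: true, Forced: true}, {Forced: true}} {
		for _, a := range []string{Logout, LogoutAll} {
			fmt.Printf("enabled=%-5v forced=%-5v %-9s -> %v\n", f.Enabled, f.Forced, a, CheckAction(f, a))
		}
	}
}
```

Enforcing the check in the API handler rather than only in the UI keeps a direct API call from bypassing a forced SLO setting.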

@andreas-kupries andreas-kupries changed the title Sure 3572 saml single logout Sure 3572 SAML SLO May 6, 2024
@andreas-kupries andreas-kupries changed the title Sure 3572 SAML SLO SAML SLO support May 6, 2024
@andreas-kupries andreas-kupries self-assigned this May 6, 2024
…supported, enabled, forced.

added structures for logout request and response.
regenerated code and yaml

side work: documented nature of InitializeSamlServiceProvider
@andreas-kupries andreas-kupries force-pushed the ak-38494-sure-3572-saml-single-logout branch from 6788bc7 to 2d218c6 Compare May 6, 2024 12:55
Development

Successfully merging this pull request may close these issues.

[RFE] SAML Single Logout not implemented