Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correctly handle <LogoutResponse> messages for the SAML Realm #40901

Closed
jkakavas opened this issue Apr 5, 2019 · 4 comments
Closed

Correctly handle <LogoutResponse> messages for the SAML Realm #40901

jkakavas opened this issue Apr 5, 2019 · 4 comments
Labels
>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@jkakavas
Copy link
Member

jkakavas commented Apr 5, 2019

According to section 3.7.3.2 of SAML Core spec :

If the session authority successfully terminates the principal's session with respect to itself, then it MUST respond to the original requester, if any, with a message containing a top-level status code of urn:oasis:names:tc:SAML:2.0:status:Success. If it cannot do so, then it MUST respond with a message containing a top-level status code indicating the error

The SAML IDP can (should but usually doesn't) respond to a <logoutRequest> message with a <LogoutResponse> message indicating a successful logout. We don't currently handle this case, and we should
@jkakavas jkakavas added >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Apr 5, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@tvernum
Copy link
Contributor

tvernum commented Apr 6, 2019

What should Elasticsearch do with these responses?
I had always assumed that Kibana would be accepting them at the Logout service as a no-op. Is there a reason for it to be passed to ES other than the convenience of Kibana not having to parse the SAML parameter?

@jkakavas
Copy link
Member Author

jkakavas commented Apr 8, 2019

What should Elasticsearch do with these responses?

We could no-op (return a 200 response and a redirect value of /), and Kibana could redirect the user to the "Successfully logged out" page. Other clients could handle this response as they see fit.

I had always assumed that Kibana would be accepting them at the Logout service as a no-op.

I think this is mostly by accident now and not by design. IIUC, Kibana will return DeauthenticationResult.notHandled() since the LogoutResponse will reach its /logout endpoint but there will not be any tokens to invalidate.

Is there a reason for it to be passed to ES other than the convenience of Kibana not having to parse the SAML parameter?

There are a couple of reasons why we should handle this I think:

  • We offer an API to be used for performing SAML authentication and we handle all other SAML messages from an IDP, I don't see a particular reason for this one to be an exception.
  • We handle all the decoding, parsing, verifying of SAML messages on the ES side, it is only logical we should also decode and parse Logout responses and not delegate this to the client.

@tvernum tvernum mentioned this issue Jun 17, 2019
Open
@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
@ywangd ywangd mentioned this issue May 7, 2020
Merged
@legrego legrego mentioned this issue Jun 23, 2020
Merged
@ywangd
Copy link
Member

ywangd commented Feb 16, 2022

This is implemented in #56316

@ywangd ywangd closed this as completed Feb 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rjernst @tvernum @ywangd @jkakavas @elasticmachine