Support HTTP-POST binding for SAML logout #43264

Open
tvernum opened this issue Jun 17, 2019 · 7 comments · Fixed by #56316
Labels
>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@tvernum
Contributor

tvernum commented Jun 17, 2019

At the moment we only support the HTTP-Redirect binding for Logout (and HTTP-POST for Authentication).

This is because it is the recommendation in the SAML 2 Interoperability Profile that SPs and IdPs use HTTP-Redirect for logout. An early (unreleased) implementation of our logout code used POST because we already had the signature checking code for POST, but we switched to Redirect to conform with the interop profile.

However, we've started to see one popular IdP send LogoutResponse messages using the HTTP-POST binding, and we already have most of the necessary code for handling HTTP-POST, so we probably can support it in addition to the (preferred) HTTP-Redirect binding.

Note: This will require a change in Kibana as well, because the Kibana /logout route currently only supports GET.

Relates: #40901

@tvernum tvernum added >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) team-discuss labels Jun 17, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-security

@tvernum tvernum added help wanted adoptme and removed team-discuss labels Jun 27, 2019
@panwarab

Can I have a look into it, @tvernum?

@tvernum
Contributor Author

tvernum commented Jul 1, 2019

@abhiroj If you know something about SAML and have an environment to test in, then that would be great.
The hard work on this issue will be making sure it is compliant with the spec, and works with major SAML IdPs. The actual development work is fairly straightforward.

@panwarab

panwarab commented Jul 1, 2019

Sure, I can get started on it by setting up a test env. Can you point to some reference docs for that?

@tvernum
Contributor Author

tvernum commented Jul 3, 2019

can you point to some reference docs for that

Sorry, no. For Elasticsearch in general there is a contributing guide that covers running tests, but we don't have any docs that explain how to test SAML with a real Identity Provider.
If you don't already have a working SAML environment to test in, then I wouldn't recommend working on this issue.

Something with the Good First Issue label might be a better option to get started with.

@ywangd ywangd self-assigned this Apr 24, 2020
@ywangd ywangd removed the help wanted adoptme label Apr 29, 2020
@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
@ywangd
Member

ywangd commented May 6, 2020

This issue is very much related to #40901. When Kibana receives the POST request from the IdP (with the browser as the mediating agent), Elasticsearch has already logged the user out of the system, i.e. tokens are invalidated. That is, in terms of workflow, both the HTTP-Redirect and the HTTP-POST requests come into play at exactly the same position.

For HTTP-Redirect, Kibana simply ignores it. So as a minimal effort, the HTTP-POST binding can be supported in the same way, i.e. just add a POST route to logout for Kibana and ignore the incoming request.

IIUC, handling the LogoutResponse from the IdP makes it possible to achieve chaining logout from other SPs, e.g. another Kibana instance that is using the same SAML session. This could be a valid use case. (edit: This is incorrect. The LogoutResponse is sent back to the initiating SP at the end of single logout. The cascading (front-channel) single logout is realised with a series of LogoutRequests sent from the IdP, which I think we already support via the /_security/saml/invalidate API.)

In summary, this issue by itself can be fixed trivially. A more involved fix on the Elasticsearch side can be leveraged for both this issue and #40901.
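As an added example, and not code from this issue, Elasticsearch or Kibana, the following Python sketch shows the SP-side handling that the opening comment and the comment above describe: the same LogoutResponse arriving either over HTTP-Redirect (base64 over DEFLATE in a query parameter) or over HTTP-POST (base64 in a form field), decoded according to the binding and then matched against the LogoutRequest IDs the SP has outstanding, next to the IdP-initiated LogoutRequest that drives cascading single logout. Every name, the two sample messages and the in-memory session store are hypothetical. Signature verification, which differs between the two bindings, is deliberately left out and flagged in the code.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # real code: use defusedxml, stdlib expat is not hardened
from dataclasses import dataclass
from typing import Dict, Optional, Set

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

@dataclass
class LogoutMessage:
    binding: str                   # "HTTP-Redirect" or "HTTP-POST"
    kind: str                      # "LogoutRequest" or "LogoutResponse"
    message_id: str
    in_response_to: Optional[str]  # LogoutResponse: ID of the SP request it answers
    status: Optional[str]          # LogoutResponse: top-level StatusCode value
    name_id: Optional[str]         # LogoutRequest: principal to log out
    session_index: Optional[str]   # LogoutRequest: which SAML session to drop

def decode(method: str, param: str) -> bytes:
    """HTTP-Redirect (GET) is base64 over raw DEFLATE (no zlib header, hence wbits=-15);
    HTTP-POST is plain base64 of the XML."""
    raw = base64.b64decode(param)
    return zlib.decompress(raw, -15) if method == "GET" else raw

def parse_logout_message(method: str, params: Dict[str, str]) -> LogoutMessage:
    """Pick the binding from the HTTP method, decode, and extract what the SP needs.
    Signature checking is omitted here; a real SP verifies the query-string signature
    (Redirect: SigAlg/Signature params) or the XML signature (POST) before trusting anything."""
    if method not in ("GET", "POST"):
        raise ValueError(f"unsupported method {method!r}")
    binding = "HTTP-Redirect" if method == "GET" else "HTTP-POST"
    param = params.get("SAMLRequest") or params.get("SAMLResponse")
    if param is None:
        raise ValueError("neither SAMLRequest nor SAMLResponse present")
    root = ET.fromstring(decode(method, param))
    if root.tag not in (f"{{{NS_SAMLP}}}LogoutRequest", f"{{{NS_SAMLP}}}LogoutResponse"):
        raise ValueError(f"not a SAML logout message: {root.tag}")
    status_el = root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    name_el = root.find(f"{{{NS_SAML}}}NameID")
    idx_el = root.find(f"{{{NS_SAMLP}}}SessionIndex")
    return LogoutMessage(
        binding=binding, kind=root.tag.split("}", 1)[1], message_id=root.get("ID", ""),
        in_response_to=root.get("InResponseTo"),
        status=status_el.get("Value") if status_el is not None else None,
        name_id=name_el.text if name_el is not None else None,
        session_index=idx_el.text if idx_el is not None else None,
    )

def handle_logout(msg: LogoutMessage, outstanding: Set[str], sessions: Dict[str, str]) -> str:
    """Apply a parsed message to SP state and report the outcome."""
    if msg.kind == "LogoutResponse":
        # Only a response to a LogoutRequest this SP actually sent may be acted on;
        # an unsolicited or replayed response must not touch session state.
        if msg.in_response_to not in outstanding:
            return "rejected-unsolicited-response"
        outstanding.discard(msg.in_response_to)
        return "logout-complete" if msg.status == STATUS_SUCCESS else f"logout-failed:{msg.status}"
    # LogoutRequest from the IdP: front-channel SLO that started at another SP.
    # pop() returns the stored principal (truthy) when the session existed.
    return "session-invalidated" if sessions.pop(msg.session_index, None) else "no-such-session"

# Constructed sample messages and an encoder for the demo (not captured from a real IdP).
def encode(method: str, xml: str) -> str:
    raw = xml.encode()
    if method == "GET":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode()

SAMPLE_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{NS_SAMLP}" ID="_resp1" InResponseTo="_req1" '
    'Version="2.0" IssueInstant="2020-05-06T00:00:00Z">'
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
    "</samlp:LogoutResponse>"
)
SAMPLE_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" ID="_idpreq1" '
    'Version="2.0" IssueInstant="2020-05-06T00:00:00Z"><saml:NameID>alice@example.test</saml:NameID>'
    "<samlp:SessionIndex>_sess42</samlp:SessionIndex></samlp:LogoutRequest>"
)

def demo() -> Dict[str, str]:
    sessions = {"_sess42": "alice@example.test"}
    results = {}
    # The same LogoutResponse delivered over each binding must lead to the same outcome.
    for method in ("GET", "POST"):
        msg = parse_logout_message(method, {"SAMLResponse": encode(method, SAMPLE_RESPONSE)})
        results[msg.binding] = handle_logout(msg, {"_req1"}, dict(sessions))
    # The same response with no outstanding request is unsolicited and gets rejected.
    msg = parse_logout_message("POST", {"SAMLResponse": encode("POST", SAMPLE_RESPONSE)})
    results["unsolicited"] = handle_logout(msg, set(), dict(sessions))
    # An IdP-initiated LogoutRequest over POST drops the named session.
    msg = parse_logout_message("POST", {"SAMLRequest": encode("POST", SAMPLE_REQUEST)})
    results["idp-request"] = handle_logout(msg, set(), sessions)
    results["sessions-left"] = str(len(sessions))
    return results
```

Running `demo()` shows the point of the thread in miniature: once the binding-specific decoding is done, a LogoutResponse is handled identically whether it came by GET or POST, and the only state-changing inbound message in cascading logout is the IdP's LogoutRequest, which is why accepting POST for the response can be as small as adding the route.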

@ywangd
Member

ywangd commented Feb 16, 2022

There was a mistake in #56316's description. It didn't close this. Reopening.

@ywangd ywangd reopened this Feb 16, 2022