SAML SLO support #45379
Status report after a few days of working on implementing the thing:

The main visualization of the necessary workflow is taken from

The main take I get from both is that the SP who initiated the SLO is not notified by the IdP that the user was logged out. Okta seems to follow that principle, based on what I experienced with it today. I.e. I see a plain POST to Rancher's

That is weird because the signature on the logout request should be generated through the same code as for SSO, and use the same cert/key, and SSO is, well, successful. Given my

Also, Keycloak looks to be ok with the signature of the request; its issue looks to be somewhere else.

So, going back to KC, which I struggled with before trialing Okta today, it seems that this IdP wants to notify the initiating SP also, possibly directly from itself. The initial failures I saw with it said

It should be noted that the XXX endpoint is generally needed, namely to handle IdP initiated logouts, i.e. when Rancher and other apps share the IdP and users, and a user in the other apps performs an SLO. Thus, if I can implement this endpoint properly then it should be possible to use KC completely.

In terms of the flow image at the beginning, for KC I am stuck in implementing the steps 3/4,

This is the state of the work as of commit 582687e.

Thanks to @aalves08 for providing access to a remote Okta IdP to work with.
@andreas-kupries At some point next week could you provide a linux/amd64 image of the changes in this PR? I'll be taking over from Alex whilst he's away and noticed he was using arm64.
Managed a full logout with KC now. That said, after that the UI does a number of things I was unable to track, and then landed on
in the end. In other words, there may still be something more to do UI side. Side note: I have to keep the haering SAML package. The logout response is deflate-compressed. haering handles that ok. crewjam does not try to decompress, tries to read the compressed string as XML and then fails with a bad utf-8 error.
Status report: SLO works for Keycloak and OKTA now.
General comment. There seems to be quite a number of debug logs. Our debug logs overall in Rancher are super dense.
The answer may be, "yes", and that is fine, but have you considered removing any of these that might produce lots of output that isn't very high-value?
I tend towards a higher amount of logging by default.
Weeded a bit; the result is in commit 2a3bf9b.
for posterity: security needs to finish pentesting before we can merge
The security review has completed as ok and closed. This is deferred until 2.10 is open, i.e. 2.9 is released.
Relevant flaky test: #42248
* …supported, enabled, forced. added structures for logout request and response. regenerated code and yaml
* side work: documented nature of InitializeSamlServiceProvider
* global logout interceptor callback
* linked saml logout handler/backend with token manager frontend, via the interceptor callback
* added guards against UI misbehaviour
* register the new structures with the norman frame work to enable serialization to and from json
* added handling of SLO responses.
* inject slo support flag into the initial authconfigs
* fix: extended flow state storage with ability to set the cookie path. hardwired acs path is no good when redirecting to the slo endpoint. set proper cookie paths wherever we have state setup
* added request signing - applies only to logout requests (i.e. auth requests are not signed, as before) (because we apparently use the redirect binding despite the code saying POST)
* chore: log cleanup, removed some, made some official
* fix: comment typo in go.mod
* redirected crewjam/saml to our rancher/saml for decompression fix.
* fix: missing/different generated files
* fix KC logout issues with local crewjam patch.
* fix missing handling of detached signatures on responses
* import crewjam fix providing proper detached sig on logout requests. KC still ok. OKTA still fails, but different - issuer mismatch, not invalid sig
* address comment, drop todo note, crewjam/saml is forked, and fork used
* address comment - reduce saml logging
* Apply suggestions from code review
  Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
* address comments
* Apply suggestions from code review
  Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com>
* fixup of partial change for principled extension of redirect url with error information
* old code still needed for bad case (unparseable url)
* implemented todo: Assert "action == logout" && !sloForced, guard against UI misbehaviour. IOW, the UI will get an error now if it tries to perform a regular logout while the provider is configured for forced SLO, i.e. logout all as the only allowed method.
* …Sprintf does not support error-wrapping directive %w`
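The two redirect-binding mechanics that come up in this thread, the deflate-compressed logout response that one SAML package inflates and the other hands straight to the XML parser (the haering/crewjam comment above), and the detached signature the commit list adds to logout requests, as an added Go example. This is not code from the PR, from rancher/saml or from crewjam/saml; the RSA-SHA256 algorithm, the generated key and the sample messages are assumptions constructed for the example:

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
	"unicode/utf8"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // SigAlg assumed on both sides

var spKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway SP signing key for the demo, not a real credential

// encodeSAMLPayload base64-encodes a message; the HTTP-Redirect binding raw-DEFLATEs it first (no zlib header).
func encodeSAMLPayload(xml []byte, compressed bool) string {
	if !compressed {
		return base64.StdEncoding.EncodeToString(xml)
	}
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // valid level: cannot fail
	w.Write(xml)                                           // in-memory buffer: no I/O errors
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// decodeSAMLPayload reverses encodeSAMLPayload. The binding, not the bytes, decides whether to
// inflate; feeding DEFLATE'd bytes to an XML parser is what yields an "invalid UTF-8" error.
func decodeSAMLPayload(value string, compressed bool) ([]byte, error) {
	xml, err := base64.StdEncoding.DecodeString(value)
	if err == nil && compressed { // LimitReader bounds the inflated size (decompression bomb)
		xml, err = io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(xml)), 1<<20))
	}
	if err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if !utf8.Valid(xml) || !bytes.HasPrefix(bytes.TrimLeft(xml, " \t\r\n"), []byte("<")) {
		return nil, errors.New("payload is not XML: wrong binding or compression assumed")
	}
	return xml, nil
}

// rawParam returns the still-percent-encoded value: the signature covers bytes as sent, and
// peers percent-encode differently, so the signed string is never rebuilt from decoded values.
func rawParam(rawQuery, name string) (string, bool) {
	for _, kv := range strings.Split(rawQuery, "&") {
		if strings.HasPrefix(kv, name+"=") {
			return strings.TrimPrefix(kv, name+"="), true
		}
	}
	return "", false
}

// signedString is the binding's fixed-order <param>=v&RelayState=v&SigAlg=v (RelayState omitted when empty).
func signedString(param, payload, relayState, sigAlg string) string {
	s := param + "=" + payload
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return s + "&SigAlg=" + sigAlg
}

// signRedirectQuery appends a detached Signature parameter: RSA-SHA256 over signedString, base64, percent-encoded.
func signRedirectQuery(key *rsa.PrivateKey, param, payload, relayState string) (string, error) {
	s := signedString(param, url.QueryEscape(payload), url.QueryEscape(relayState), url.QueryEscape(sigAlgRSASHA256))
	digest := sha256.Sum256([]byte(s))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return s + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyRedirectQuery refuses unsigned or altered messages and only then inflates the XML.
func verifyRedirectQuery(pub *rsa.PublicKey, param, rawQuery string) ([]byte, error) {
	payload, ok := rawParam(rawQuery, param)
	sigAlg, _ := rawParam(rawQuery, "SigAlg")
	sigEsc, signed := rawParam(rawQuery, "Signature")
	if alg, _ := url.QueryUnescape(sigAlg); !ok || !signed || alg != sigAlgRSASHA256 {
		return nil, errors.New("message missing, unsigned, or SigAlg unsupported")
	}
	sigB64, _ := url.QueryUnescape(sigEsc) // a malformed escape or base64 simply fails verification
	sig, _ := base64.StdEncoding.DecodeString(sigB64)
	relay, _ := rawParam(rawQuery, "RelayState")
	digest := sha256.Sum256([]byte(signedString(param, payload, relay, sigAlg)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	decoded, _ := url.QueryUnescape(payload)
	return decodeSAMLPayload(decoded, true)
}
```

The verifier reads the still-percent-encoded parameter values instead of decoding and re-encoding them, because the signature covers the bytes as sent and implementations differ in how they percent-encode; it refuses an unsigned message rather than falling back to trusting it, and it inflates the payload only after the signature checks out, with a cap on the inflated size.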
I'm fine with this change, and I've been able to test it against Keycloak (with Backchannel logout URL).
But there is some tidying that could be done to make it easier for the next person to work on this?
Validation
Root Cause
A change request to support logging a user out of the session held by the configured external auth provider (EAP), and thus out of all applications, instead of just out of Rancher itself. The latter meant that, when logging back into Rancher, the still-open session in the EAP allowed a quick login without running through full authentication again. This confused several users who expected to fully re-authenticate, despite the notification on regular logout that the EAP session may be retained.
What was fixed, or what change have occurred
Several, not all, EAP now support an
Note that the following changes are in the Dashboard, not in the Backend.
Supporting
Checking
The backend sees these configuration flags as well and will react with errors should the dashboard try to
Areas or cases that should be tested
What areas could experience regressions
Are the repro steps accurate/minimal?
Issue:
See #38494
This work is co-dependent on the UI work tracked at rancher/dashboard#10941
Problem
SURE 3572
Solution
- AuthConfig, SamlConfig with the proposed flags about SLO (supported, enabled, forced). supported flag might be nonsense.
- SamlConfigLogoutInput, and ...Output. Same fields as the known SamlConfigTest... structures. Hold the request/response data from/to the UI for the logoutAll action (see below).
- tokens API should export a new action logoutAll.
KNOWN ISSUES: Does not guard against call of regular logout when SLO is forced.
Does guard against forced but not enabled, and call to logout-all when not enabled.
Testing
Engineering Testing
Manual Testing
Automated Testing
Summary: TODO
QA Testing Considerations
Regressions Considerations
TODO
Existing / newly added automated tests that provide evidence there are no regressions: