Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SLO configuration (idp_slo_service_url vs single_logout_service_url) #243

Open
morissetcl opened this issue Nov 21, 2023 · 1 comment
Open

SLO configuration (idp_slo_service_url vs single_logout_service_url) #243

morissetcl opened this issue Nov 21, 2023 · 1 comment

Comments

@morissetcl
Copy link

morissetcl commented Nov 21, 2023
edited
Loading

Hey!

I am trying to use the SLO feature.

For context, I want to disconnect a user from my application who has been logged in via SAML from the Google Workspace UI. Basically, by disconnecting the user from the device tab or resetting the user's login cookies. This works well to disconnect the user from their Gmail, for example, but it's not reflected in the application where they were logged in using SAML.

Below my config

# devise.rb

  config.saml_configure do |settings|
    settings.assertion_consumer_service_url     = "#{Rails.application.secrets.saml_server_url}/users/saml/auth"
    settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    settings.name_identifier_format             = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    settings.issuer                             = "#{Rails.application.secrets.saml_server_url}/users/saml/metadata"
    settings.authn_context                      = ""
    settings.idp_slo_service_url                = "#{Rails.application.secrets.saml_server_url}/en/universal/logout"
    settings.idp_sso_target_url                 = Rails.application.secrets.saml_google_auth[:sso_url]
    settings.idp_cert_fingerprint               = Rails.application.secrets.saml_google_auth[:idp_cert_fingerprint]
    settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha256"
  end

My questions:

  • When I go to /saml/metadata I have
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_8cbd683b-9c94-466b-9d15-2f582892db31" entityID="https://my-website.com/users/saml/metadata">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-website.com/users/saml/auth" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>

I will expect to have information related to idp_slo_service_url but there is nothing. I went through the ruby-saml gem and I found out that they use the single_logout_service_url settings instead of idp_slo_service_url.
When I do the change I have the following metadata

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_0e864883-081d-4aa5-930c-1a77daef99a3" entityID="https://admin.localhost:3000/users/saml/metadata">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://admin.localhost:3000/users/saml/idp_sign_out" ResponseLocation="https://my-website/users/saml/idp_sign_out"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my-website/users/saml/auth" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>

I have the SingleLogoutService info.

What do you think about that? Is single_logout_service_url should be used instead of idp_slo_service_url?

  • I am not 100% confident (and I am a bit confused TBH) of what should be the value of idp_slo_service_url. Should it be an url redirecting to an universal logout action (I use something like this) or users/saml/idp_sign_out ?

Thanks for your help.
@morissetcl morissetcl changed the title Single Log Out configuration (idp_slo_service_url vs single_logout_service_url) SLO configuration (idp_slo_service_url vs single_logout_service_url) Nov 21, 2023
@adamstegman
Copy link
Collaborator

idp_slo_service_url should be set to an SLO URL that Google gives you, not one local to your application—after signing out of your application, the SP, the user will be redirected there to complete the logout in the IdP. So I think it's not included in your metadata because it's not provided by your application.

I think single_logout_service_url may be used by Google—when a user signs out of Google, it can send a request to your application to let you know they should also be signed out of your application, the SP. Thus why it's in your metadata, in which case you shouldn't use idp_sign_out, you should probably use /users/sign_out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adamstegman @morissetcl