
Properly handle Logout Response coming from SAML IdP. #69506

Open
azasypkin opened this issue Jun 18, 2020 · 3 comments
Labels
blocked enhancement New value added to drive a business result Feature:Security/Authentication Platform Security - Authentication Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@azasypkin
Member

azasypkin commented Jun 18, 2020

Summary

If the Identity Provider supports SAML Single Logout (SLO) and Elasticsearch is configured to support that as well, the user may be redirected to Kibana's /logout endpoint with a SAMLResponse parameter that includes the SAML Logout Response as the final step of the SLO.

Currently neither Kibana nor Elasticsearch can properly consume those logout responses, but Elasticsearch will be able to do so soon (elastic/elasticsearch#56316). Until then users may have a very confusing experience during logout: when, at the final stage of SLO, Kibana receives the logout response, the user will be redirected to the Kibana home page, which will automatically trigger a new SAML authentication (or a redirect to the Login Selector if multiple providers are configured). And if the IdP isn't forced to re-authenticate the user every time, the user will be automatically logged in again. For users that are not aware of such behavior it may look like logout didn't work at all.

The fix for this behavior consists of three stages:

@azasypkin azasypkin added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Security/Authentication Platform Security - Authentication labels Jun 18, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego
Member

legrego commented Oct 16, 2020

Once Core's HttpResources can support the POST method in addition to GET, we can handle SLO Responses coming via both HTTP-Redirect and HTTP-POST bindings.

@azasypkin / @restrry do either of you know if there is an issue for this yet that we can track?

@mshustov
Contributor

@legrego created #80822

@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022