Preserve original URL after logout caused by session timeout for all supported authentication providers #70398
Labels: blocked, enhancement, Feature:Security/Authentication, Team:Security
Currently we preserve the original URL only for basic/token authentication providers (#57157), but we don't do this for others (SAML, OpenID Connect, Kerberos, PKI). The main reason is that supporting this for SSO is a bit tricky when Single Logout is used and the user is redirected back and forth between the Identity Provider (IdP) and Kibana.
There are a number of places where we can lose the original URL, and hence we need a reliable way to store it somewhere: the IdP drops it if we try to store it in the URL like we do for basic/token; we may hit the cookie size limit (~4KB, and Kibana URLs are usually very long) if we store it in the cookie; and keeping it in the session/local browser storage would make it hard to retrieve it on the server side, where we validate redirect URLs etc. The plan is to store it in the session index we'll introduce in #17870. Another prerequisite is #69506.
Note: `Logged Out` view should be able to deal with `next` parameter.

Blocked by: #17870, #69506
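The storage trade-off described in the issue, as an added sketch that is not Kibana code and not part of the original issue: embedding a long URL in the cookie exceeds the ~4KB limit, while a server-side store keyed by a short session id survives the IdP round trip and lets the server validate the redirect target. The `Map` standing in for the session index, the function names, the `kibana.invalid` origin and the sample URL are all assumptions.

```javascript
// Added illustration; not Kibana code. All names here are hypothetical.
const crypto = require('node:crypto');

const COOKIE_LIMIT_BYTES = 4096;   // approximate per-cookie limit cited in the issue
const sessionIndex = new Map();    // stand-in for a server-side session index
const ORIGIN = 'https://kibana.invalid'; // placeholder origin, used only for parsing

// Accept only same-origin relative paths so a stored value cannot redirect off-site.
function isSafeRedirect(url) {
  if (typeof url !== 'string' || !url.startsWith('/')) return false;
  if (url.startsWith('//') || url.includes('\\')) return false; // scheme-relative forms
  if (/[\u0000-\u001f\u007f]/.test(url)) return false; // URL parsers strip tab/newline
  return new URL(url, ORIGIN).origin === ORIGIN;
}

// Size of the cookie if the URL were embedded in the cookie value itself.
function cookieBytesWithUrl(sid, url) {
  const value = encodeURIComponent(JSON.stringify({ sid, url }));
  return Buffer.byteLength(`sid=${value}`);
}

// On session timeout: keep the URL server-side; the cookie carries only the id.
function rememberUrl(url) {
  if (!isSafeRedirect(url)) return null;
  const sid = crypto.randomBytes(16).toString('hex');
  sessionIndex.set(sid, { redirectURL: url });
  return sid;
}

// After the IdP round trip: read the URL once, re-validate, else fall back to "/".
function consumeUrl(sid) {
  const entry = sessionIndex.get(sid);
  sessionIndex.delete(sid);
  return entry && isSafeRedirect(entry.redirectURL) ? entry.redirectURL : '/';
}

// Constructed sample: a long relative URL carrying application state.
const longUrl = '/app/dashboards?state=' + 'x'.repeat(5000);
```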