This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SAML logout support #5762

Open
ara4n opened this issue Jul 25, 2019 · 10 comments
Labels
A-SSO Single Sign-On (maybe OIDC) T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. z-feature (Deprecated Label) z-p2 (Deprecated Label)

Comments

@ara4n
Member

ara4n commented Jul 25, 2019

According to #5130 (comment) we don't support logging out on SAML properly somehow. @slipeer can you elaborate please?

@slipeer
Contributor

slipeer commented Jul 25, 2019

I'm talking about the Single Logout profile (page 32).
I believe that Synapse should implement a SAML logout endpoint in order to revoke the user's tokens when an SSO logout is performed.

@neilisfragile neilisfragile added z-feature (Deprecated Label) z-p2 (Deprecated Label) labels Jul 31, 2019
@mjattiot

I have implemented a SAML logout. It's basic, but it's working for my company.
I thought it might interest others, so I created a pull request: #6414
I am not a SAML expert, so it probably needs improvement. @richvdh, your comments are welcome.

@oblak-be

Any progress on this one?

@clokep clokep added the A-SSO Single Sign-On (maybe OIDC) label Oct 9, 2020
@richvdh
Member

richvdh commented Dec 1, 2020

so that I don't lose them, some links explaining why SLO might not actually be very useful:

@plinss

plinss commented Dec 1, 2020

@richvdh I accept there are issues with SLO, but it's not useless. Let's please not let that stop SLO from being implemented here.

I'm currently using Matrix/Element with SAML login, I cannot log out of Element and log back in as another account unless I switch to another application that supports SLO and log out there as well.

The situation:

  1. I log in to Element via SAML/SSO.
  2. I log out of Element.
  3. I try to log back in to Element, but as I'm still logged in via SSO, I'm immediately logged back in to the same account, with no option to select another account.

This is a horrible, and confusing, UX. I understand what's going on, and how to correct the situation, but casual users do not. This causes frustration and support calls. I accept it's not a common issue, but it is an issue.

@richvdh
Member

richvdh commented Oct 15, 2021

related: #4158

@DMRobertson DMRobertson added the T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. label Oct 18, 2021
@jonathanmmm

> @richvdh I accept there are issues with SLO, but it's not useless. Let's please not let that stop SLO from being implemented here.
>
> I'm currently using Matrix/Element with SAML login, I cannot log out of Element and log back in as another account unless I switch to another application that supports SLO and log out there as well.
>
> The situation:
>
>   1. I log in to Element via SAML/SSO.
>   2. I log out of Element.
>   3. I try to log back in to Element, but as I'm still logged in via SSO, I'm immediately logged back in to the same account, with no option to select another account.
>
> This is a horrible, and confusing, UX. I understand what's going on, and how to correct the situation, but casual users do not. This causes frustration and support calls. I accept it's not a common issue, but it is an issue.

This should really be possible: if you go to a PC that is not yours and press logout, you expect to be logged out. Telling every user, and reminding them, that they give away their private messages to the next user at this computer is not the way to go.
Using a session_timeout of some kind breaks the whole point for users who are using their own device.

This should at least be put into homeserver.yaml as a security warning of some kind.
If I log out, I want the session to be deleted. I can still be logged in to other services until I log out of them as well.

@plinss

plinss commented Nov 12, 2021

@jonathanmmm it’s not a matter of the Matrix session data not getting deleted, because it does get deleted when you log out.

The issue is that the log out is not communicated back to the SSO server. So the next time someone loads a Matrix client on that browser, it redirects to the SSO server which still has a valid session, so it silently logs the user back in to Matrix.

The minimum fix is for a Matrix logout to communicate the logout back to the SSO server. The complete fix is to also implement an SSO logout endpoint in Synapse, so when the user logs out of a different app using the same SSO server their Matrix session is ended too (a different, but related issue).
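A worked sketch of the two fixes described in this comment, added here as an illustration and not code from Synapse or from the pull request mentioned in this thread. It assumes a hypothetical in-memory session store keyed by IdP SessionIndex, constructed entity IDs and URLs (idp.example.com, sp.example.org), and a constructed IdP-initiated LogoutRequest; verification of the IdP's signature on incoming messages is assumed to happen before parse_logout_request is called.

```python
"""Sketch of SAML 2.0 Single Logout handling for an SP such as a Matrix homeserver.
Added illustration, not Synapse code. Entity IDs, URLs and the session store are
constructed; XML signature checks are assumed to run before parse_logout_request()."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # constructed
SP_ENTITY_ID = "https://sp.example.org/metadata"    # constructed

# Hypothetical store: IdP SessionIndex -> principal and the local tokens minted for it.
SESSIONS = {
    "_idp-session-1": {"name_id": "alice@example.com", "tokens": ["tok-a1", "tok-a2"]},
    "_idp-session-2": {"name_id": "alice@example.com", "tokens": ["tok-a3"]},
    "_idp-session-3": {"name_id": "bob@example.com", "tokens": ["tok-b1"]},
}

# Constructed IdP-initiated LogoutRequest, as the IdP would deliver it to the SP's SLO endpoint.
SAMPLE_IDP_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-constructed-001" Version="2.0" IssueInstant="2021-11-12T10:00:00Z"
    Destination="https://sp.example.org/saml/slo">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:NameID Format="{EMAIL_FMT}">alice@example.com</saml:NameID>
  <samlp:SessionIndex>_idp-session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(name_id, session_index, idp_slo_url):
    """Minimum fix: on local logout, tell the IdP to end its session too, so the
    next visit prompts for credentials instead of silently re-authenticating."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": _now(), "Destination": idp_slo_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": EMAIL_FMT}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def parse_logout_request(xml_text):
    """Complete fix, step 1: read an incoming LogoutRequest. The caller must have
    verified the IdP signature and the Destination first; an unverified request
    must never be allowed to terminate sessions."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_indexes": [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")],
    }


def revoke_sessions(parsed, store=SESSIONS, trusted_issuer=IDP_ENTITY_ID):
    """Complete fix, step 2: revoke the local tokens tied to the named IdP sessions.
    With no SessionIndex the whole principal is in scope. Returns the revoked tokens."""
    if parsed["issuer"] != trusted_issuer:
        raise ValueError("LogoutRequest from an untrusted issuer")
    targets = parsed["session_indexes"] or [
        k for k, v in store.items() if v["name_id"] == parsed["name_id"]]
    revoked = []
    for idx in targets:
        sess = store.get(idx)
        # NameID must match the stored principal: a SessionIndex alone is not proof.
        if sess is None or sess["name_id"] != parsed["name_id"]:
            continue
        revoked.extend(sess["tokens"])
        del store[idx]
    return revoked


def build_logout_response(in_response_to, success=True):
    """Answer the IdP so it can continue the logout chain to the other SPs."""
    code = "urn:oasis:names:tc:SAML:2.0:status:" + ("Success" if success else "Responder")
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": _now(), "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": code})
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(build_logout_request("bob@example.com", "_idp-session-3", "https://idp.example.com/slo"))
    parsed = parse_logout_request(SAMPLE_IDP_LOGOUT_REQUEST)
    print("revoked:", revoke_sessions(parsed, dict(SESSIONS)))
    print(build_logout_response(parsed["id"]))
```

The issuer check and the NameID cross-check in revoke_sessions are what keep a replayed or forged SessionIndex from ending someone else's sessions; together with signature verification on the incoming message they are the minimum a real SLO endpoint needs before it touches the token table.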

@jonathanmmm

> @jonathanmmm it’s not a matter of the Matrix session data not getting deleted, because it does get deleted when you log out.
>
> The issue is that the log out is not communicated back to the SSO server. So the next time someone loads a Matrix client on that browser, it redirects to the SSO server which still has a valid session, so it silently logs the user back in to Matrix.
>
> The minimum fix is for a Matrix logout to communicate the logout back to the SSO server. The complete fix is to also implement an SSO logout endpoint in Synapse, so when the user logs out of a different app using the same SSO server their Matrix session is ended too (a different, but related issue).

I know, these are different cases. I agree with you, I think. If I log out on a computer that is not mine, I expect that I can't be logged in to Matrix without my password, but right now that's the case. That I maybe have to log out of service X that I have in another tab, which is also logged in through OpenID Connect, and that it doesn't get logged out at the same time, is another story.

@clokep
Member

clokep commented Jan 6, 2023

#11326 implemented this for OIDC, so #6414 could probably be rebased to re-use much of the existing functionality from that.

10 participants