rancher / dashboard

The Rancher UI


Support SAML Single Logout (SLO)

richard-cox opened this issue

SURE-3572

  • Users currently only log out from local auth, or in the case of SSO external auth providers just clear local content and direct the user back to the login page... they are not signed out of the external auth provider.
  • Some customers have requested that logging out of Rancher should also log them out of the external auth provider.
  • This only makes sense for some auth providers, and in a limited way
  • Linked SURE details how this should work, but briefly
    • Should be configurable (admins can enable / disable)
    • Can be optional (admins can choose to force it, or allow both types of logout)

Info from the referenced PR:

  1. Extended AuthConfig, SamlConfig with the proposed flags about SLO (supported, enabled, forced).
    1. Based on the CRD setup the supported flag might be nonsense.
    2. As in, cannot be set into the initial AuthConfig CR instances. UI may have to simply know that only the SAML providers support SLO, and none of the others.
  2. New structures SamlConfigLogoutInput, and ...Output. Same fields as the known SamlConfigTest... structures. Hold the request/response data from/to the UI for the logoutAll action (see below).
  3. The tokens API should export a new action logoutAll.
  4. Basic implementation of the logout flow. Compiles, untested.
  5. Linkage between token manager and saml to invoke the flow from the frontend

KNOWN ISSUES: Does not guard against call of regular logout when SLO is forced.
Does guard against forced but not enabled, and call to logout-all when not enabled.

I hope that is enough to get UI work somewhat started, even without a Rancher image containing this.
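The guard logic described in the PR notes above (three SLO flags on the SAML config, a `logoutAll` action that must be refused when SLO is disabled, a forced-but-not-enabled configuration that must be rejected, and the still-missing guard against a regular logout while SLO is forced) as an added example. This is illustrative code written for this page, not Rancher's implementation: the struct `SamlConfigSLO`, its field names, the `LogoutKind` values and the error variables are assumptions chosen to mirror the flags the PR describes (supported, enabled, forced), not the project's real types.

```go
package main

import (
	"errors"
	"fmt"
)

// SamlConfigSLO models the three SLO flags the referenced PR proposes on
// SamlConfig. Names are an assumption for illustration, not Rancher's types.
type SamlConfigSLO struct {
	LogoutAllSupported bool // provider can perform Single Logout at all
	LogoutAllEnabled   bool // admin has switched SLO on
	LogoutAllForced    bool // admin requires SLO; local-only logout is not offered
}

var (
	ErrSLONotSupported      = errors.New("single logout is not supported by this auth provider")
	ErrSLONotEnabled        = errors.New("single logout is not enabled by the administrator")
	ErrForcedWithoutEnabled = errors.New("single logout cannot be forced while it is disabled")
	ErrLocalLogoutForbidden = errors.New("local-only logout is not allowed while single logout is forced")
)

// Validate rejects the inconsistent admin configurations the PR notes guard
// against: forced while not enabled, and enabled on a provider that cannot do SLO.
func (c SamlConfigSLO) Validate() error {
	if c.LogoutAllForced && !c.LogoutAllEnabled {
		return ErrForcedWithoutEnabled
	}
	if c.LogoutAllEnabled && !c.LogoutAllSupported {
		return ErrSLONotSupported
	}
	return nil
}

// LogoutKind distinguishes the existing logout action from the proposed logoutAll.
type LogoutKind int

const (
	LogoutLocal LogoutKind = iota // existing "logout": clears the Rancher session only
	LogoutAll                     // proposed "logoutAll": also signs the user out of the IdP
)

// Authorize decides whether a logout request of the given kind may proceed.
// Besides the two guards the PR already has (forced-but-not-enabled, logoutAll
// when not enabled) it adds the one listed as a known issue: a regular logout
// must be refused when SLO is forced, otherwise "forced" is trivially bypassed.
func Authorize(c SamlConfigSLO, kind LogoutKind) error {
	if err := c.Validate(); err != nil {
		return err
	}
	switch kind {
	case LogoutAll:
		if !c.LogoutAllSupported {
			return ErrSLONotSupported
		}
		if !c.LogoutAllEnabled {
			return ErrSLONotEnabled
		}
		return nil
	case LogoutLocal:
		if c.LogoutAllForced {
			return ErrLocalLogoutForbidden
		}
		return nil
	default:
		return fmt.Errorf("unknown logout kind %d", kind)
	}
}

func main() {
	forced := SamlConfigSLO{LogoutAllSupported: true, LogoutAllEnabled: true, LogoutAllForced: true}
	fmt.Println("logoutAll under forced SLO:", Authorize(forced, LogoutAll))
	fmt.Println("logout under forced SLO:   ", Authorize(forced, LogoutLocal))
}
```

The check is deliberately placed server-side at the token action, not in the dashboard: hiding the local logout button when SLO is forced is a UX matter, while refusing the request is what actually stops a client from skipping the IdP sign-out.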

FYI we do not have logout tests with credentials

@richard-cox with what else is on your 2.9.0 plate, is this something that @aalves08 can pick up?

Happy to hand over and offer guidance if needed

@rancher/docs the documentation for rancher manager will need updating in regards to how they should configure the Single Logout on each of the SAML providers. Ex: https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml

Final UX will be coming soon (PR #11182 is still WIP)

Hello @aalves08, I have created a docs issue for this and any docs related questions or comments can be directed there. Thank you!