Uploaded image for project: 'PicketLink'
  1. PicketLink
  2. PLINK-643

Back Channel Single Logout does not work reliably

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • PLINK_2.7.0.Final
    • PLINK_2.5.3.Beta1
    • SAML
    • None
    • Hide
      • Login to multiple SPs using the same IdP
      • Use the Single Logout URL on a single SP
      • Verify that all SPs have been logged out
      • Log back into the SP from the same browser
      • Refresh the other SPs and ensure they are logged back in
      • Retry the Single Logout URL
      • Refresh the other SPs and they will not still be accessible
      Show
      Login to multiple SPs using the same IdP Use the Single Logout URL on a single SP Verify that all SPs have been logged out Log back into the SP from the same browser Refresh the other SPs and ensure they are logged back in Retry the Single Logout URL Refresh the other SPs and they will not still be accessible

      The Single Logout URL ( $SP/GLO=true ) will usually work for the first logout in a clean browser, and then fails if the user logs back in and tries GLO again.

      When it works, this is the flow:

      Get $SP/GLO=true > 200
      Post SAML LogoutRequest to IdP > 200
      [ SAML LogoutResponse shows up in IdP server.log ]
      Post SAML LogoutResponse to SP > 200
      Get $SP/null > 200
      Browser is left at the IdP login screen with a new AuthnRequest

      When it does not work, this is the flow:

      Get $SP/GLO=true > 200
      Post SAML LogoutRequest to IdP > 200
      [ SAML LogoutResponse DOES NOT show up in IdP server.log ]
      Browser is left at the IdP login screen with a SAML LogoutRequest
      OR
      Browser is left at the $SP/null screen and never redirects to IdP login screen

      If the login credentials are entered, then the browser Posts a SAML LogoutResponse to the SP OR the browser is left at $SP/null and
      protected resources are still accessible.

      Once the logout flow stops working properly, it seems like there are basically no ways to get it working again in the same browser.
      The browser sits at the IdP login screen with the SAML LogoutResponse ready to POST, but it won’t post until login credentials are provided. Once the credentials are provided though, the session is logged back in.

            psilva@redhat.com Pedro Igor Craveiro
            dparsons_jira Danny Parsons (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: