SSO Gateway Single Logout

In a federated SAML2 SSO environment, logging out of an application can be a complex problem, depending on all the SAML2 Service Providers and Identity Providers participating in a user's SSO session.

SAML2 attempted to provide a standard for Single Logout (SLO), but it was never widely adopted by the SAML2 community due to the complex configuration required of Service and Identity Providers and the large number of network hops required to carry out SLO across the federation. Because of these issues, all major SAML2 identity providers, including Shibboleth, PortalGuard and Ellucian, provide proprietary SLO endpoints that greatly simplify the logout process.

CCC's Single Logout solution leverages the SSO Gateway (GW) and the proprietary SSO endpoints of the College Identity Providers to achieve single logout.


A nice-to-have addition is a logout endpoint in MITRE OpenID Connect to invalidate access and refresh tokens.



Logout Flow

User Clicks Logout

The user clicks logout in the Service Provider (i.e. Common Assessment). Since all CCC Services use Spring Security SAML (CWF - Is this a valid assumption?) (PKN - For apps not using Spring Security, they will have to create custom logout code that accomplishes the same thing), logging out in Spring Security will terminate both the SSO and application session. When logout is complete, the user will be directed to the new logout page in the SSO GW.

User lands on SSO GW after Service Provider Logout

Call Logout endpoints for all known service providers

When the user lands on the SSO GW page, a series of embedded IFRAME requests will make REST call redirects to all known Service Provider logout endpoints. If the user is not actually logged into an endpoint, the request will be ignored.

In a future enhancement, the SSO GW could keep track of the Service Providers the user has logged into, but this would require a longer SSO session time in the SSO GW, which could have a negative impact on SSO GW performance and cost due to the cost of caching session data for a longer period of time. (CWF - The number of Service Providers is growing quickly, especially with the addition of Canvas and Hobsons SPs. I think the cost of caching these would be minimal compared to the downside of not doing so.)

Service Provider terminates SSO and Application session

When a Service Provider receives the logout request, the application session and SSO session will be terminated. Since all CCC Applications will be using Spring Security SAML (CWF - Is this a valid assumption?), both SSO and application session termination will be handled by Spring Security SAML.

After the IFRAME requests to the Service Provider logout endpoints, another IFRAME request will be issued to the proprietary logout endpoint of the IDP that initially authenticated the user (the authsource).

SSO GW displays message to user to close the browser.

Because the SP and IDP logout requests are made in embedded IFRAMEs, the logout process will not be visible to the user. What is rendered is a message telling the user to close their browser to ensure that they are fully logged out. (Actual text to follow)
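The flow above, as an added illustration that is not part of the original design or the SSO GW code: the GW builds its logout page from a configured allow-list of SP logout endpoints plus the logout URL of the authsource recorded in the GW session, so no URL in the page ever comes from the request. The endpoint list, the authsources JSON layout and all host names are constructed assumptions.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed sample data. In a real deployment the SP list comes from GW
# configuration and the IDP list from the authsources file; the field names
# "id" and "logoutUrl" are assumptions, not the real file's schema.
SP_LOGOUT_ENDPOINTS = [
    "https://assess.example.edu/saml/logout",
    "https://mypath.example.edu/saml/logout",
]
AUTHSOURCES_JSON = json.dumps([
    {"id": "college-a", "logoutUrl": "https://idp.college-a.example.edu/idp/logout"},
    {"id": "college-b", "logoutUrl": "https://idp.college-b.example.edu/Logout"},
])


def idp_logout_url(authsource_id, authsources_json=AUTHSOURCES_JSON):
    """Proprietary logout endpoint of the IDP that authenticated the user, or None."""
    for src in json.loads(authsources_json):
        if src["id"] == authsource_id:
            return src["logoutUrl"]
    return None


def logout_targets(authsource_id):
    """Ordered list of URLs the logout page loads: every known SP logout
    endpoint first, then the originating IDP. authsource_id must be taken
    from the GW session, never from a query parameter, so a crafted link
    cannot make the page frame an attacker-chosen host."""
    idp = idp_logout_url(authsource_id)
    if idp is None:
        raise ValueError("unknown authsource: %r" % authsource_id)
    targets = list(SP_LOGOUT_ENDPOINTS) + [idp]
    for url in targets:  # defence in depth: refuse anything not https
        if urlsplit(url).scheme != "https":
            raise ValueError("logout target must be https: " + url)
    return targets


def render_logout_page(authsource_id):
    """Hidden IFRAMEs fire the logout requests; the visible text tells the
    user to close the browser. Browsers load frames concurrently, so document
    order is not a strict sequence; escaping keeps URLs from breaking markup."""
    frames = "\n".join(
        '<iframe src="%s" style="display:none" title="logout"></iframe>'
        % html.escape(u, quote=True) for u in logout_targets(authsource_id))
    return ("<!doctype html><html><body>\n" + frames +
            "\n<p>You have been logged out. Please close your browser.</p>"
            "\n</body></html>")
```

Note that the framed logout requests only work if the SP and IDP session cookies are sent in a third-party context; cookies marked SameSite=Lax or Strict will not accompany these IFRAME loads, which is worth verifying per provider.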

Background

In a non-federated suite of applications, where the applications and the authentication mechanism are controlled by a single institution, logout is a simple requirement to implement.

In a federated SSO scenario, to implement logout functionality, the following must be answered:

  • Will the user be using a shared workstation/kiosk, where it is especially important that a previous user's session not be accessible by a new user?
  • At which college/district IDP did the user authenticate?
  • If a user is logged into multiple applications, does logging out of one application mean the user should be logged out of all applications? For example, if the user is logged into MyPath and Canvas, does logging out of MyPath also mean the user should be logged out of Canvas?


The following article has a good explanation of the issues associated with logout in a federated environment.


For applications developed by the CCC Technology Center and its development partners, clicking the logout link in the application will result in:

  • The application containing the logout link (and SSO session if separate) terminating.
  • All other Technology Center applications (and SSO session if separate) terminating.
  • The IDP (and GW?) session terminating.
  • A final page instructing the user to close the browser.


For applications not developed by CCC (i.e. Canvas or Hobsons), clicking the logout link in the application will result in:

  • The application containing the logout link (and SSO session if separate) terminating.
  • The IDP (and GW?) session terminating.
  • A final page instructing the user to close the browser.


Reference

https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues

http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/

https://www.portalguard.com/blog/2016/06/20/saml-single-logout-need-to-know/


https://saml-resources.cccmypath.org/resources/authsources_prod.json