[RFE] SAML Single Logout not implemented #38494
Comments
SURE-3572 |
Research Status
Rancher processes UI logout requests in
The existing code removes the relevant cookies from the browser and deletes the Rancher Token
This part has to be expanded to perform the SAML logout as well. It is not possible to directly call into the
This can be solved by extending the
Setting the callback to a suitable function during auth provider setup means that this function has
The logout workflow is, like the SSO, a back and forth between the various components, i.e. Rancher,
It was attempted to avoid the latter by directly fetching the logout redirect URL from within
This failed with Keycloak (the IdP used for testing) returning an
And with a proper redirect through the browser this kind of cookie should then be picked up and
Today this was tried, i.e. the code for the callback rewritten to have access to the initial logout
This also failed, to the point that KC did not even record any logout request, something which
At this point I suspect that the Rancher UI fails to properly handle the redirect request we
If that is true it means that the extended logout will require UI changes too. Although it is not known to me yet where such changes have to happen. This requires research into the UI code. |
@gaktive can we get someone from your team to assist on Andreas' research here? |
I've added comments to the JIRA issue. We might need to step back and plan this a bit more |
Related UI ticket: rancher/dashboard#10941 |
Rancher Server Setup
Information about the Cluster
Describe the bug
When integrating Rancher 2.6.6 with a SAML provider (we tried with Keycloak and Shibboleth), after a logout, if the user presses F5, he/she gets to log in again without providing his/her credentials.
To Reproduce
Result
The user logs in again without providing credentials
Expected Result
Rancher should ask for your credentials
Additional context
Looking at the code (in pkg/auth/providers/saml), we are missing a single logout handler.
https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline
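An added example, not Rancher's code and not taken from this issue: how a service provider can build the SP-initiated `LogoutRequest` of the Single Logout Profile linked above and hand it to the browser as an HTTP-Redirect URL. The endpoint, issuer, NameID and session index are constructed sample values, and request signing (the `SigAlg` and `Signature` parameters), which an IdP may require, is left out.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/url"
)

// LogoutRequest carries the samlp:LogoutRequest fields an SP-initiated logout needs.
type LogoutRequest struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutRequest"`
	ID           string   `xml:"ID,attr"`
	Version      string   `xml:"Version,attr"`
	IssueInstant string   `xml:"IssueInstant,attr"`
	Destination  string   `xml:"Destination,attr"`
	Issuer       string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	NameID       string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
	SessionIndex string   `xml:"SessionIndex,omitempty"` // ties the request to one IdP session
}

// RedirectURL applies the HTTP-Redirect binding: raw DEFLATE, base64, SAMLRequest parameter.
func RedirectURL(req LogoutRequest, relayState string) (string, error) {
	doc, err := xml.Marshal(req)
	u, uerr := url.Parse(req.Destination)
	if err != nil || uerr != nil {
		return "", fmt.Errorf("logout request: %v, %v", err, uerr)
	}
	var buf bytes.Buffer
	zw, _ := flate.NewWriter(&buf, flate.DefaultCompression) // fails only on a bad level
	zw.Write(doc)
	zw.Close()
	q := u.Query()
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" {
		q.Set("RelayState", relayState) // echoed back with the LogoutResponse
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() { // constructed sample values; a real SP reads them from the login session
	fmt.Println(RedirectURL(LogoutRequest{ID: "_constructed-id-1", Version: "2.0",
		IssueInstant: "2024-01-01T00:00:00Z", Destination: "https://idp.example.test/saml/slo",
		Issuer: "https://sp.example.test/metadata", NameID: "alice@example.test",
		SessionIndex: "_constructed-session-1"}, "logout-1"))
}
```

The local cookie and token cleanup happens alongside this redirect; the IdP session ends only once the browser has delivered the request to the IdP.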