Uploaded image for project: 'PicketLink'
  1. PicketLink
  2. PLINK-643

Back Channel Single Logout does not work reliably

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • PLINK_2.7.0.Final
    • PLINK_2.5.3.Beta1
    • SAML
    • None
    • Hide
      • Login to multiple SPs using the same IdP
      • Use the Single Logout URL on a single SP
      • Verify that all SPs have been logged out
      • Log back into the SP from the same browser
      • Refresh the other SPs and ensure they are logged back in
      • Retry the Single Logout URL
      • Refresh the other SPs and they will not still be accessible
      Show
      Login to multiple SPs using the same IdP Use the Single Logout URL on a single SP Verify that all SPs have been logged out Log back into the SP from the same browser Refresh the other SPs and ensure they are logged back in Retry the Single Logout URL Refresh the other SPs and they will not still be accessible

    Description

      The Single Logout URL ( $SP/GLO=true ) will usually work for the first logout in a clean browser, and then fails if the user logs back in and tries GLO again.

      When it works, this is the flow:

      Get $SP/GLO=true > 200
      Post SAML LogoutRequest to IdP > 200
      [ SAML LogoutResponse shows up in IdP server.log ]
      Post SAML LogoutResponse to SP > 200
      Get $SP/null > 200
      Browser is left at the IdP login screen with a new AuthnRequest

      When it does not work, this is the flow:

      Get $SP/GLO=true > 200
      Post SAML LogoutRequest to IdP > 200
      [ SAML LogoutResponse DOES NOT show up in IdP server.log ]
      Browser is left at the IdP login screen with a SAML LogoutRequest
      OR
      Browser is left at the $SP/null screen and never redirects to IdP login screen

      If the login credentials are entered, then the browser Posts a SAML LogoutResponse to the SP OR the browser is left at $SP/null and
      protected resources are still accessible.

      Once the logout flow stops working properly, it seems like there are basically no ways to get it working again in the same browser.
      The browser sits at the IdP login screen with the SAML LogoutResponse ready to POST, but it won’t post until login credentials are provided. Once the credentials are provided though, the session is logged back in.

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. PLINK-670 Backchannel logout failing when using TLS

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              dparsons_jira Danny Parsons (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: