Logout Support on SP and Application



Similar documents
Single Logout. TF-EMC Vienna 17 th February Kristóf Bajnok NIIF Institute

Single Log-Out. Andreas Åkre Solberg Malaga, June 2009

Connected Data. Connected Data requirements for SSO

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Configuring. SugarCRM. Chapter 121

Logout in Single Sign-on Systems

Single Sign-On for the UQ Web

Authentication Methods

Safewhere*Identify 3.4. Release Notes

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

Configuring. Moodle. Chapter 82

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Federated Identity Management

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Shibboleth Identity Provider (IdP) Sebastian Rieger

SAML Security Option White Paper

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Configuring. SuccessFactors. Chapter 67

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Federated Identity Management

Configuring SuccessFactors

Egnyte Single Sign-On (SSO) Installation for OneLogin

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

SAP NetWeaver AS Java

OpenLogin: PTA, SAML, and OAuth/OpenID

OpenSSO: Cross Domain Single Sign On

SAML single sign-on configuration overview

Agenda. How to configure

Configuring Parature Self-Service Portal

PHP Integration Kit. Version User Guide

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

SAML-Based SSO Solution

SAML Authentication Quick Start Guide

Using SAML for Single Sign-On in the SOA Software Platform

Configuring Salesforce

IBM WebSphere Application Server

Deploying RSA ClearTrust with the FirePass controller

PARTNER INTEGRATION GUIDE. Edition 1.0

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

The increasing popularity of mobile devices is rapidly changing how and where we

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Shibboleth User Verification Customer Implementation Guide Version 3.5

Weblogic as a Service Provider for CERN Web Applications: APEX & Java EE

Perceptive Experience Single Sign-On Solutions

Operating Level Agreement for NYU Login Service

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Flexible Identity Federation

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Single Sign On Integration Guide. Document version:

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Copyright: WhosOnLocation Limited

How To Use Saml 2.0 Single Sign On With Qualysguard

SAML Single-Sign-On (SSO)

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

Getting Started with AD/LDAP SSO

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

HP Software as a Service. Federated SSO Guide

Using Shibboleth for Single Sign- On

SAML Authentication within Secret Server

Department Service Integration with e-pramaan

Evaluation of different Open Source Identity management Systems

OIOSAML Rich Client to Browser Scenario Version 1.0

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

Single Sign On. SSO & ID Management for Web and Mobile Applications

WebNow Single Sign-On Solutions

OIOSAML 2.0 Toolkits Test results May 2009

Working with Indicee Elements

Authentication and Single Sign On

Microsoft Office 365 Using SAML Integration Guide

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

Shibboleth N-Tier Support. Chad La Joie

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Internet Information Services Integration Kit. Version 2.4. User Guide

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Integrating Multi-Factor Authentication into Your Campus Identity Management System

SAP Cloud Identity Service Document Version: SAP Cloud Identity Service

Shibboleth Configuration from 100,000 Feet, in 15 Minutes or Less! Steve Thorpe Systems Programmer / Analyst MCNC

Egnyte Single Sign-On (SSO) Installation for Okta

SAML v2.0 for.net Developer Guide

CA Nimsoft Service Desk

SAML Authentication with BlackShield Cloud

FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON

USC Marshall School of Business ShareFile_With_Outlook_Client_v2.docx 6/12/13 1 of 9

This section includes troubleshooting topics about single sign-on (SSO) issues.

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

JOSSO 2.4. Internet Information Server (IIS) Tutorial

Department Service Integration with e-pramaan

Transcription:

Logout Support on SP and application Logout Support on SP and Application Possibilities and and Limitations SWITCHaai Team aai@switch.ch Single Logout: Is it possible? Single Logout will work only in some cases reliably! The only safe ways to log out from all applications are: to delete all session cookies Have fun explaining an average user how to to this with his browser Won t log you out if authenticated via Basic Auth, X.509 certificates, or the recommended way: exit the web browser! Quickest, most reliable and easiest way to explain Also logs users off from Facebook etc. :-) But: Some modern browsers even restore transient sessions on restart (depending on the settings) 2

Agenda Single Logout in Federation Single Logout Issues Single Logout for SP Single Logout for IdP Support Resources 3 Single Logout in Federation Users access multiple services, but need to login once only They might be logged in to multiple services... but how do they logout again from all services? The solution seems to be easy: The user initiates the single logout process The user is logged out from all services and the IdP in turn But: Where does the user start the single logout process? Who knows all of the services the user is currently logged in? Should the user be logged out from all services in the federation, or also from Google Mail, Facebook, etc.? What happens if an error occurs during the whole logout process? Logout will be possible but it has a lot of limitations! 4

SAML 2 SLO Messages and Flow SAML 2 SLO may be initiated by either the Identity Provider (IdP) or the Service Provider (SP) SP-initiated SLO: An SP sends a logout request to the IdP At the IdP, for each SP to which the user has authenticated: The IdP sends a logout request to the SP The SP attempts to destroy its session for the user and sends back a logout response indicating if this was successful The IdP destroys its session for the user The IdP sends a logout response to the initiating service provider, which then destroys its session It is the responsibility of the SLO initiator to provide the user with information about whether SLO has succeeded or failed. 5 SLO Issues: User Experience What does a user expect when clicking on logout? Logout only from this single application? Is of little use because of Single Sign On Logout from all applications where logged in? Which? Also from Google Mail, ebay and other non AAI applications? Therefore: Users must understand the consequences of logout Must know that they currently are signed in to a single sign-on (SSO) system and what will result from clicking on logout Users must always know if logout has completely succeeded Otherwise they may assume that it has and leave the computer, allowing someone else to erroneously access a service 6

SLO Issues: Logged in vs. Logged out What defines if a user is logged in via AAI/application? Shibboleth session cookie Application session cookie (optional) Some applications only check if user was authenticated via AAI What is necessary to log out a user? Delete Shibboleth and application cookies (front-channel) Only possible when user s browser is involved Administrative logout not possible Or delete session information on server (back-channel) Only possible if user s Shibboleth sessionid is known in application Implies adaptation of application 7 SLO Issues: Technical Difficulties (1) Front-Channel vs. Back-Channel problems Front-Channel: Protocol flow via browser Process might break User might get confused Back-Channel: Direct communication between SP and IdP User's session cookie is not available SAML 2 vs. SAML 1 Only SAML 2 supports single logout There are still some Service Providers in SWITCHaai that support SAML 1 only (e.g. some publishers) The user will not get logged out from SAML 1 services 8

SLO Issues: Technical Difficulties (2) SP session vs. application session The SP and the web application often manage separate sessions SLO must make sure that both sessions are destroyed 9 The two flavors of logout Local logout User s session is deleted only for one Service Provider Not of much use due to Single Sign-On (SSO) Or "egoistic" if IdP session also is bilaterally deleted but all other SP s session are still intact. Global logout = Single Log Out (SLO) User s SSO session deleted on IdP and all SPs For authentication methods like HTTP Basic Auth or some external authentication systems, the IdP cannot destroy the SSO session! Only safe way for logout is to cleanly exit the web browser or even to logout from the system! 10

Example SLO Scenario wayf.switch.ch ethz.ch zhaw.ch! 5 AAI Sessions = 5 AAI Cookies! 1 at IdP (uzh.ch)! 3 at SPs (zhaw.ch, ethz.ch, uzh.ch) but applications also have a cookie! 1 at WAYF/DS (wayf.switch.ch) uzh.ch 11 How to get rid of sessions? SP "just" needs to delete all cookies that identify session Impossible for Service Provider because cookies probably are for different domains or hosts Redirect browser to each SP, IdP and WAYF in order to delete cookies (front-channel logout) What happens if one host is down? User is stranded Use IFRAMES to send browser to all components Solves some of the technical issues but administrative logout (force logout of a malicious user) still is not possible 12

Current state of SLO in Shibboleth (1) SLO requires: SAML 2 (Shibboleth 2) Built-in form-based username/password authentication method Shibboleth Service Provider 2.5.x Supports local and global logout Shibboleth Identity Provider 2.4.x Supports local and global logout Doesn't support "full" SAML 2 logout, i.e. doesn't support logout from multiple Service Providers 13 Current state of SLO in Shibboleth (2) Adapted Applications: Worldwide there are less than 10 applications that already are ready to support SAML 2 logout (incl. Moodle, ILIAS, Resource Registry) 14

Enabling Single Logout on the SP Enable SLO for SP to support global logout: Add "SAML2" to the existing <Logout> element in the Shibboleth SP configuration in /etc/shibboleth/ shibboleth2.xml <Logout>SAML2 Local</Logout>! SAML 2 logout is initiated by accessing the following URL: https://ilias.example.com/shibboleth.sso/logout! If the IdP supports SAML 2 logout, too, then SAML 2 logout starts. Else, local logout is done. By default, the IdP doesn't return to the SP SP can be configured to force returning (IdP possibly returns with "partial logout" status) 15 Enabling Single Logout in the web application If the application manages its own session, it needs to be adapted or configured to support single logout The application needs to implement a "logout notification handler" https://wiki.shibboleth.net/confluence/display/shib2/slowebappadaptation SP notifies the application about logout through a "back-channel" Application needs to destroy the session Some applications, like Moodle and ILIAS, have built-in support (see documentation) Notification must be enabled in the Shibboleth SP configuration in /etc/shibboleth/shibboleth2.xml <Notify Channel="back" Location="https://ilias.example.org/.../shib_logout.php/>! 16

Enabling Single Logout on the IdP Requires Shibboleth IdP version 2.4.0 or higher Configure IdP to support SAML 2 SLO: Relying Party SAML 2 Logout Request Profile in relyingparty.xml! Configure SAML 2 SLO handlers in handler.xml! Implement logout page in logout.jsp! Final landing page after SLO Tells user the results of the logout 17 Example Landing Page on IdP 18

Conclusion Single Logout is partially possible Works well if user is logged in to one application only It's still better to get logged out from the IdP than not to logout at all 19 Support Resources Single Logout Issues https://wiki.shibboleth.net/confluence/display/shib2/sloissues Single Logout for Shibboleth SP Configuration of SP Logout Initiator https://wiki.shibboleth.net/confluence/display/shib2/ NativeSPLogoutInitiator Adaptation of Web Application https://wiki.shibboleth.net/confluence/display/shib2/ SLOWebappAdaptation Logout notification to application https://wiki.shibboleth.net/confluence/display/shib2/nativespnotify Single Logout for Shibboleth IdP https://wiki.shibboleth.net/confluence/display/shib2/idpenableslo 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information