We are on 5.1.4 pro version and some of our users use Shibboleth authentication.
I noticed that the logout button efficiently logs the user out of Seafile, but not from the Shibboleth Service Provider (SP). Any attempt to re-log in Seafile will lead to an implicit login from the SP, because the user is not totally logged out.
I know that single logout can be implemented from the application to the SP: do you plan to modify the logout button in order to add the SP URL to the logout process?
This is an interesting idea. I did some investigation and found this discussion https://docs.shib.ncsu.edu/docs/logout.html. It seems that it requires the IdP to support logging out current SP session too. Is this what you intend to do?
This issue is complex.
The Single Logout process is divided in two parts:
1. From the application to the SP (incomplete logout)
2. From the SP to the IdP (complete logout)
For the moment, Renater Federation (in France) only allows the 1st step, but it may allow the second step in the next weeks/months. That’s what we’d like to do. It is mainly achieved by means of handler URL + lazy sessions (in Apache).
I presume that you can concentrate on the first step (application to SP), and we’ll see what is to be done next when SP to IDP logout will be possible in our case.
Jonathan, can you please give us an update on this? It’s not really secure to implement Shibboleth login if logging out from Seafile does not log you out from the SP. An implicit login when logged out but still having a Shibboleth session open is keeping us from implementing single sign-on. It would be a great help if you can take this into consideration.
Of course we could just ping /Shibboleth.sso/Logout in the Seahub logout page, but it will be kind of an improper hack, and also not officially supported.
That’s what is needed for a SingleLogout action (This is PHP code, just as an example)
use LightSaml\Binding\SamlPostResponse;
use LightSaml\Model\Assertion\Issuer;
use LightSaml\Model\Context\SerializationContext;
use LightSaml\Model\Protocol\LogoutRequest;
use LightSaml\Model\XmlDSig\SignatureWriter;
use LightSaml\SamlConstants;
use Symfony\Component\Routing\Annotation\Route;

/**
 * @Route("/logout", name="lightsaml_sp.logout")
 */
public function logoutAction()
{
    $logoutRequest = new LogoutRequest();
    // SingleLogoutService endpoint of the IdP, HTTP-POST binding
    $destination = $this->getParameter('sp_location') . "/SLO/POST";
    // Get the SP's own credential (certificate + private key) used to sign the LogoutRequest
    $credentialStore = $this->get('lightsaml.own.credential_store');
    $credentialArray = $credentialStore->getByEntityId('https://sso.local/metadata');
    $credential = $credentialArray[0];
    $ownSignature = new SignatureWriter($credential->getCertificate(), $credential->getPrivateKey());
    $logoutRequest
        ->setDestination($destination)
        ->setID(\LightSaml\Helper::generateID())
        ->setIssueInstant(new \DateTime())
        // the Issuer of an SP-initiated LogoutRequest must be your Service Provider's entity ID
        ->setIssuer(new Issuer($this->getParameter('idp_entity_id')))
        // NameID of the user whose session is being terminated, as received in the assertion
        ->setNameID(new \LightSaml\Model\Assertion\NameID(
            'yourEmail@seafile.com',
            SamlConstants::NAME_ID_FORMAT_EMAIL
        ))
        ->setSignature($ownSignature);
    // Serialize the signed request to XML and hand it to the browser as an auto-submitting POST form
    $serializationContext = new SerializationContext();
    $logoutRequest->serialize($serializationContext->getDocument(), $serializationContext);
    $xmlRequest = $serializationContext->getDocument()->saveXML();
    $response = new SamlPostResponse($destination, ['SAMLRequest' => base64_encode($xmlRequest)]);
    $response->renderContent();
    return $response;
}
That’s a proper Logout setting the NameID of the logged-out user. Another simple way, if local Logout is implemented, is to send a request to Shibboleth.sso/Logout, but I bet in most well-configured SPs that is not possible.
I want to emphasize that this is crucial for security, because users expect to be safely logged out when Seafile tells them this:
“Thanks for your participation! Log in again”
However, this is not currently the case with OAuth SSO. Someone else at the same computer can just press “log in again” to instantly be logged into the previous user’s account – no need to enter a password as long as the SSO session has not expired.
One thing that I have not addressed in my pull request is that the user should be logged out from Seafile when the SSO session expires, or when the user logs out from this session in a frontend that is not Seahub (e.g. the OpenID Provider’s web interface). This can be achieved most reliably by embedding an iframe from the OpenID Provider in Seahub. See the corresponding implementer’s draft at Final: OpenID Connect Session Management 1.0, especially sections 1 and 4. I would like to contribute a pull request for this as well, but I am afraid I will not have the time to do it soon, as it requires changes to Seahub’s frontend and I have never used its build system.