Logout handlers and reauthentication


cic...@gmail.com

Sep 27, 2021, 11:13:09 AM
to SimpleSAMLphp
Hi,

I have a question on implementing logout functionality in modules in correlation with re-authentication (forced authentication when user is already logged in).

I'm implementing logout for OpenID Connect (OIDC) module https://github.com/simplesamlphp/simplesamlphp-module-oidc/.

During user authn, I save an association with the particular Relying Party (RP, the Service Provider (SP) counterpart in SAML) using \SimpleSAML\Session::setData(...), and also register a logout handler function using \SimpleSAML\Session::registerLogoutHandler(...).

In my registered logout handler function I retrieve all saved RP associations and send OIDC logout requests to them so that each RP can clear its local session.

Up to now, this all works fine - whenever I call $session->doLogout($authSourceId),
my logout handler gets called and logout requests to RPs are successfully sent.

However, I have problems with re-authentication. For instance, an OIDC client can request authentication using the prompt=login parameter even if the user is already authenticated (similar to 'forceAuthn' in SAML).

So, when I get prompt=login, I do authentication again, for example using \SimpleSAML\Auth\Simple::login($authSourceId). However, the problem is that in the process it comes down to \SimpleSAML\Session::doLogin($authSourceId), and in that method there is this check:
```php
if (isset($this->authData[$authority])) {
    // we are already logged in, log the user out first
    $this->doLogout($authority);
}
```
So, the logout gets called, and again, my logout handler gets called which in turn sends logout requests to all RPs (which I don't actually want for re-authentication)...

What I'm trying to do is to make the OIDC module handle logout for OIDC RPs whenever
a logout is called on a particular authentication source. For example, a user performs authn using SAML on some SP and also performs authn using OIDC on some RP. Then the user initiates logout using SAML on the SP; in this case I also want to send OIDC logout requests to the authenticated RPs...

My questions are:
* is the registered logout handler function the right place to send logout requests to RPs? If not, where else?
* is there a way to do re-authentication without doing logout, that is without calling logout handlers?

Any other advice is welcome...

Thank you in advance

Marko Ivančić

Peter Schober

Sep 27, 2021, 12:13:13 PM
to SimpleSAMLphp
* cic...@gmail.com <cic...@gmail.com> [2021-09-27 17:13]:
> * is there a way to do re-authentication without doing logout, that
> is without calling logout handlers?

How is this being handled for SAML authn requests with forceAuthn set?
That's likely how you should be doing it for other protocols.

I believe if SSP currently issued SAML SLO requests to all accessed
SPs only because of one incoming authn request with forcedAuthn set
we'd have heard about this. ;)

-peter

har...@adelphi.edu

Sep 27, 2021, 6:43:45 PM
to SimpleSAMLphp
I ran into the same issues as Marko. The SAML IdP has some extra support with Session->addAssociation(), but that feels like an internal interface. IIRC with iframe logout, SSP tries to look up the SP metadata, making it awkward to use with another protocol. I ended up using addAssociation and making a fake saml20-sp-remote entry for my protocol.

Session->registerLogoutHandler() feels like it was intended for SPs. On re-auth https://github.com/simplesamlphp/simplesamlphp/blob/master/lib/SimpleSAML/Session.php#L608 calls those logout handlers. I couldn't find a way to support forced auth and use registerLogoutHandler() to do single logout for another protocol.

cic...@gmail.com

Sep 28, 2021, 4:53:04 AM
to SimpleSAMLphp
Thank you all for comments!

Peter, yes, actually we mimic the way SSP does it when 'forceAuthn' is set.
I see:
```php
if (isset($state['ForceAuthn']) && (bool) $state['ForceAuthn']) {
    // force authentication is in effect
    $needAuth = true;
}
```
Later it calls login on the auth source, which is of class Auth\Simple:

```php
$this->authSource->login($state);
```

James, thanks for your feedback on this. Kudos for faking sp-remote entries... I wouldn't go that far :)... I would be afraid to pollute SAML operations for implementations which include SAML and other protocols together...

My current conclusion is that logout handler registration is not intended for the example use case of sending OIDC logout requests to RPs... For that reason I guess I will currently do OIDC logout and send logout requests to RPs only if logout is initiated using OIDC protocol.

I would still like to implement a solution that would gracefully do logout and re-authentication for any used protocol (SAML, CAS, OIDC... meaning if a user logs out of a SAML SP, it would also log him out of an OIDC RP, etc.), so I'm still open to any suggestion....

Best regards and thank you for the great work on SimpleSAMLphp!

Peter Schober

Sep 28, 2021, 6:14:14 AM
to SimpleSAMLphp
* cic...@gmail.com <cic...@gmail.com> [2021-09-27 17:13]:
> I have a question on implementing logout functionality in modules in
> correlation with re-authentication (forced authentication when user is
> already logged in).

Note that there is a mailing list "for people developing or extending
SimpleSAMLphp" mentioned at the end of https://simplesamlphp.org/lists.
Maybe you'll get implementation advice there.

I still don't understand what prompt=login/forceAuthn has to do with
logout (if that's being used anywhere in that context it's a kludge,
IMHO) but of course it's easy to agree with your assessment that all
features should ideally work the same across all supported protocols.

-peter

cic...@gmail.com

Sep 28, 2021, 8:26:38 AM
to SimpleSAMLphp
When I try to access / subscribe to that list I get 'content unavailable error'...

In short, the problem is that if I try to re-authenticate (call login if user is already authenticated), session logout is called which in turn calls any session logout handlers registered (I didn't expect that logout would be called if I do re-authentication).

pat...@cirrusidentity.com

Sep 29, 2021, 4:28:47 PM
to SimpleSAMLphp
Hi Marko,

I too was curious about what Peter said about force auth not causing logout issues with SAML IdPs. It looks like SSP doesn't register any logout handlers, so that code path doesn't get invoked. Vanilla SSP relies on logout being explicitly invoked from the SLO www page or via `$auth->logout()`.

I think your idea for doing multi-protocol logout would be nice. However, I can rarely get single-protocol SAML logout to work consistently across SPs, so doing protocol switching may be hard to get working outside of a test environment.

As to your issue...  I'm not sure.  The logout handler doesn't seem to have any contextual information available to it for it to determine if it got invoked from an explicit logout or from a force re-auth.

- Patrick
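One way a module can cope with the gap Patrick describes (the handler receives no arguments and no context about whether it was reached from an explicit logout or from the doLogout() inside doLogin()), as an added illustration that is not code from simplesamlphp-module-oidc or from anyone in this thread: record the context yourself in session data before a prompt=login re-authentication and let the handler consume it. The `RpLogoutHandler` class, the `oidc:*` data-type names and the `$sender` callable are assumptions; the `Session` methods used (`getSessionFromRequest`, `setData`, `getData`, `deleteData`, `registerLogoutHandler`) are the SimpleSAMLphp 1.x API discussed above.

```php
<?php
// Added illustration, not code from simplesamlphp-module-oidc.
// Assumptions: 'oidc:rp-associations' / 'oidc:reauth' are constructed data-type
// names and $sender is a caller-supplied callable that delivers one OIDC
// logout request (front- or back-channel) to a Relying Party.
declare(strict_types=1);

use SimpleSAML\Session;

final class RpLogoutHandler
{
    private const ASSOC_TYPE  = 'oidc:rp-associations';
    private const ASSOC_ID    = 'all';
    private const REAUTH_TYPE = 'oidc:reauth';
    private const REAUTH_ID   = 'pending';
    private const REAUTH_TTL  = 60; // seconds the "skip RP logout" flag may live

    /** @var callable(string,string):void  set by the module at bootstrap */
    public static $sender;

    /** Call after each successful OIDC authn for $clientId; $sid is the RP's session id. */
    public static function rememberRp(string $authSourceId, string $clientId, string $sid): void
    {
        $session = Session::getSessionFromRequest();
        $rps = $session->getData(self::ASSOC_TYPE, self::ASSOC_ID) ?? [];
        $rps[$clientId] = $sid;
        $session->setData(self::ASSOC_TYPE, self::ASSOC_ID, $rps, Session::DATA_TIMEOUT_SESSION_END);
        // doLogout() discards the handler list after calling it, so register again after every login.
        $session->registerLogoutHandler($authSourceId, self::class, 'onLogout');
    }

    /** Call immediately before Auth\Simple::login() when the request carried prompt=login. */
    public static function markReauth(): void
    {
        Session::getSessionFromRequest()->setData(self::REAUTH_TYPE, self::REAUTH_ID, true, self::REAUTH_TTL);
    }

    /** Static handler: Session::doLogout() invokes it with no arguments. */
    public static function onLogout(): void
    {
        $session = Session::getSessionFromRequest();
        if ($session->getData(self::REAUTH_TYPE, self::REAUTH_ID) === true) {
            // Reached from doLogin() on a forced re-auth: consume the flag, keep the
            // RP associations and send nothing to the RPs.
            $session->deleteData(self::REAUTH_TYPE, self::REAUTH_ID);
            return;
        }
        $rps = $session->getData(self::ASSOC_TYPE, self::ASSOC_ID) ?? [];
        foreach ($rps as $clientId => $sid) {
            (self::$sender)($clientId, $sid);   // real logout: notify every associated RP
        }
        $session->deleteData(self::ASSOC_TYPE, self::ASSOC_ID);
    }
}
```

Set the flag as late as possible before calling login(): an explicit logout that happens to arrive inside the TTL window would otherwise be treated as a re-authentication and the RPs would not be notified.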
