Server-side session tracking. This will also allow user or administrative logouts as invalid or non-existent sessions will require authentication.
Per Simo: in SAML, logout means you keep track of all logged-in SPs, then go and contact each of them and log the user out of them. afaik mod_auth_mellon supports it.
One can define a logout URI in the SP metadata but currently this only logs the user out of mod_auth_mellon. The call to lasso_logout_init_request() returns LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE.
Which of course is completely expected since the IdP doesn't register a SLO service endpoint. I added one to the metadata and now mod_auth_mellon attempts a logout.
It looks like this:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gyre.example.com/idp/saml2/SLO/Redirect"/>
Fields changed
owner: simo => rcritten status: new => accepted
milestone: => 1.0 m1
The documentation I used to implement this included the SAML 2.0 profiles document, http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf , and the Lasso Session, Login and Logout API pages at http://lasso.entrouvert.org/documentation/api-reference/index.html
I'm only implementing SP-initiated logout using HTTP Redirect, relying on the user-agent to handle contacting each SP.
patch_available: => 1
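As an added illustration (my own code, not Ipsilon's or Lasso's) of the design in the ticket and the comment above: the IdP keeps a server-side record of every SP a session logged in to, and on an SP-initiated logout it walks the remaining SPs one at a time over the HTTP-Redirect binding, relying on the user-agent to carry each LogoutRequest and bring back the LogoutResponse, before finally answering the initiating SP and destroying the session. Entity IDs, endpoints and session IDs are constructed; signing of the redirect-binding messages (the Signature/SigAlg query parameters) is left out.

```python
import base64, uuid, zlib
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def redirect_url(endpoint, xml, param):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return f"{endpoint}?{urlencode({param: base64.b64encode(deflated).decode()})}"

class IdpSloCoordinator:
    """Server-side session store that remembers every SP a session has logged in to."""
    def __init__(self, idp_entity_id):
        self.idp = idp_entity_id
        self.sessions = {}  # session_id -> {"name_id": str, "sps": {entity_id: slo_endpoint}}
        self.pending = {}   # session_id -> {"initiator", "remaining", "expecting"} during SLO
    def login(self, session_id, name_id, sp_entity_id, sp_slo_endpoint):
        sess = self.sessions.setdefault(session_id, {"name_id": name_id, "sps": {}})
        sess["sps"][sp_entity_id] = sp_slo_endpoint
    def is_authenticated(self, session_id):
        return session_id in self.sessions
    def start_logout(self, session_id, initiating_sp):
        """A LogoutRequest arrived from one SP: queue every other SP and return the first redirect."""
        remaining = [sp for sp in self.sessions[session_id]["sps"] if sp != initiating_sp]
        self.pending[session_id] = {"initiator": initiating_sp, "remaining": remaining, "expecting": None}
        return self._next(session_id)
    def sp_responded(self, session_id, responding_sp):
        """A LogoutResponse relayed back by the user-agent; only the SP we are waiting on is accepted."""
        p = self.pending.get(session_id)
        if p is None or p["expecting"] != responding_sp:
            raise ValueError(f"unexpected LogoutResponse from {responding_sp}")
        return self._next(session_id)
    def _next(self, session_id):
        p, sess = self.pending[session_id], self.sessions[session_id]
        if p["remaining"]:
            sp = p["expecting"] = p["remaining"].pop(0)
            xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
                   f'Version="2.0" Destination="{sess["sps"][sp]}"><saml:Issuer>{self.idp}</saml:Issuer>'
                   f'<saml:NameID>{sess["name_id"]}</saml:NameID></samlp:LogoutRequest>')
            return redirect_url(sess["sps"][sp], xml, "SAMLRequest")
        initiator_slo = sess["sps"][p["initiator"]]  # every other SP answered: end the IdP session
        del self.sessions[session_id], self.pending[session_id]
        xml = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_{uuid.uuid4().hex}" Version="2.0" '
               f'Destination="{initiator_slo}"><samlp:Status><samlp:StatusCode '
               f'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>')
        return redirect_url(initiator_slo, xml, "SAMLResponse")
```

Once the session entry is gone, any later request carrying that session ID fails `is_authenticated` and must re-authenticate, which is what makes a user or administrative logout effective server-side.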
Pushed to master. Commit IDs: c327645 d1779f7 d87d8df ac1bae1 7b0f5a1
resolution: => fixed status: accepted => closed
rhbz: => 0
Metadata Update from @nkinder: - Issue assigned to rcritten - Issue set to the milestone: 1.0 m1