Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for SAML SLO in the WebUI #43071

Merged
merged 2 commits into from
Jun 24, 2024
Merged

Add support for SAML SLO in the WebUI #43071

merged 2 commits into from
Jun 24, 2024

Conversation

rudream
Copy link
Contributor

@rudream rudream commented Jun 15, 2024
edited
Loading

Purpose

Resolves #41076

e counterpart: https://github.com/gravitational/teleport.e/pull/4409

This PR adds support for SP-initiated SAML SLO (single logout) in the WebUI (tsh will be a separate PR). If a single_logout_url (which is obtained from the IdP) is configured in the SAML auth connector, when a user logs out of Teleport, they will also be logged out of their identity provider.

changelog: Add support for SAML single log-out

@rudream rudream force-pushed the yassine/saml-slo branch 4 times, most recently from b236824 to f80e08f Compare June 18, 2024 03:16
@rudream rudream marked this pull request as ready for review June 18, 2024 03:17
@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@github-actions github-actions bot requested review from avatus and gzdunek June 18, 2024 03:17
gzdunek
gzdunek reviewed Jun 18, 2024
View reviewed changes
api/proto/teleport/legacy/types/types.proto Outdated Show resolved Hide resolved
lib/web/ui/usercontext.go Outdated Show resolved Hide resolved
lib/web/ui/usercontext.go Outdated Show resolved Hide resolved
web/packages/teleport/src/stores/storeUserContext.ts Outdated Show resolved Hide resolved
web/packages/teleport/src/SingleLogoutFailed/SingleLogoutFailed.tsx Outdated Show resolved Hide resolved
web/packages/teleport/src/services/websession/websession.ts Outdated Show resolved Hide resolved
web/packages/teleport/src/services/websession/websession.ts Show resolved Hide resolved
@rudream rudream requested a review from gzdunek June 19, 2024 18:09
@gzdunek
Copy link
Contributor

gzdunek commented Jun 20, 2024

Actually... wouldn't it be simpler if the logout handler in the web api redirected the user to the SLO URL automatically?

I feel like doing this on the frontend side has many downsides: we need to pass the user context to logout, the activity checker no longer can live in Authenticated, plus that issue with expired/invalid session.

@rudream rudream force-pushed the yassine/saml-slo branch 2 times, most recently from fa86531 to 029343e Compare June 21, 2024 07:03
@rudream
Copy link
Contributor Author

rudream commented Jun 21, 2024

wouldn't it be simpler if the logout handler in the web api redirected the user to the SLO URL automatically?

@gzdunek This is a good idea and I've implemented it. I couldn't get http.Redirect to work because I would get an unsafe attempt to load URL error since it's trying to redirect to an external website under a different domain and port, so the redirect URL is instead just returned in the response instead and the WebUI performs the redirect, which is still cleaner than using UserContext. I've tested it with Okta, Auth0, and Keycloak.

@rudream rudream requested a review from gzdunek June 21, 2024 07:12
gzdunek
gzdunek reviewed Jun 21, 2024
View reviewed changes
Copy link
Contributor

@gzdunek gzdunek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the decision to get rid of samlSloUrl from the user context was good, the frontend code is much simpler now.
I left some comments, but I'd appreciate more reviews on this (from folks having more experience with auth).

web/packages/teleport/src/SingleLogoutFailed/SingleLogoutFailed.tsx Show resolved Hide resolved
web/packages/teleport/src/services/websession/websession.ts Outdated Show resolved Hide resolved
web/packages/teleport/src/services/websession/websession.ts Outdated Show resolved Hide resolved
lib/web/apiserver.go Outdated Show resolved Hide resolved
@gzdunek
Copy link
Contributor

gzdunek commented Jun 21, 2024

One more thought: the activity checker logs the user out of teleport in case of inactivity. Is it an expected behavior that we will also log the user out of IdP?

@rudream
Copy link
Contributor Author

rudream commented Jun 21, 2024

One more thought: the activity checker logs the user out of teleport in case of inactivity. Is it an expected behavior that we will also log the user out of IdP?

Yes, for now this is expected behaviour. I asked Zac and he said he'll ask product and get back to me, it's a simple change in case we want to revert it.

@rudream rudream requested review from gzdunek and codingllama June 21, 2024 16:20
@rudream rudream force-pushed the yassine/saml-slo branch from 72aba06 to 2434364 Compare June 21, 2024 19:10
gzdunek
gzdunek approved these changes Jun 24, 2024
View reviewed changes
Copy link
Contributor

@gzdunek gzdunek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

lib/web/apiserver.go Outdated Show resolved Hide resolved
lib/web/apiserver.go Outdated Show resolved Hide resolved
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from codingllama June 24, 2024 13:39
@rudream rudream force-pushed the yassine/saml-slo branch 2 times, most recently from 78e6727 to b13cb25 Compare June 24, 2024 21:11
@rudream rudream force-pushed the yassine/saml-slo branch 3 times, most recently from a69ea96 to 706e0d0 Compare June 24, 2024 22:48
@rudream rudream force-pushed the yassine/saml-slo branch from 706e0d0 to e32b2b4 Compare June 24, 2024 23:03
@rudream rudream added this pull request to the merge queue Jun 24, 2024
Merged via the queue into master with commit 396a95e Jun 24, 2024
42 checks passed
@rudream rudream deleted the yassine/saml-slo branch June 24, 2024 23:49
@public-teleport-github-review-bot
Copy link

@rudream See the table below for backport results.

Branch Result
branch/v15 Failed
branch/v16 Failed

@rudream rudream mentioned this pull request Jun 24, 2024
Merged
This was referenced Jun 25, 2024
Merged
Merged
espadolini
espadolini reviewed Jun 26, 2024
View reviewed changes
lib/web/apiserver.go
err = h.logout(r.Context(), w, ctx)
if err != nil {
return nil, trace.Wrap(err)
}

// If the user has SAML SLO (single logout) configured, return a redirect link to the SLO URL.
if user != nil && len(user.GetSAMLIdentities()) > 0 && user.GetSAMLIdentities()[0].SAMLSingleLogoutURL != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

user could be non-nil even with a non-nil returned error depending on how GetUser is implemented, please add a user = nil in the err != nil branch above.

rudream added a commit that referenced this pull request Jun 26, 2024
@rudream
Add support for SAML SLO in the WebUI (#43071)
af5450e
rudream added a commit that referenced this pull request Jun 26, 2024
@rudream
Add support for SAML SLO in the WebUI (#43071)
c920b46
github-merge-queue bot pushed a commit that referenced this pull request Jun 26, 2024
@rudream
Add support for SAML SLO in the WebUI (#43071) (#43449)
f582e41
github-merge-queue bot pushed a commit that referenced this pull request Jun 26, 2024
@rudream
Add support for SAML SLO in the WebUI (#43071) (#43450)
4cf73cb
@gzdunek gzdunek mentioned this pull request Dec 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@espadolini espadolini espadolini left review comments

@gzdunek gzdunek gzdunek approved these changes

@avatus avatus avatus approved these changes

Assignees
No one assigned
Labels
backport/branch/v15 backport/branch/v16 size/md ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add SAML logout endpoint
4 participants
@rudream @gzdunek @espadolini @avatus