Univention Bugzilla – Bug 53436
UMC SSO Logout: UMC/Portal session is not invalidated on SingleLogout
Last modified: 2021-08-18 17:13:40 CEST
Created attachment 10747
SAML tracer log of logout process

If UMC/Portal is part of a SingleLogout request chain from a browser, the user is not correctly logged out of the Portal.

Scenario:
4.4-8 errata983, nextcloud app
Log into Portal via SSO, click nextcloud tile on portal, log into nextcloud via SSO.
Now click logout button in nextcloud.
The SingleSignOn session at the UCS IdP is ended, user is logged out of nextcloud.

Part of the SingleLogout process in SAML is a redirect to all service providers the user currently has a session for. The user is redirected to the portal logout endpoint and back to the IdP, but when refreshing the portal, the user still has a valid session with the default UMC cookies.

Expected result: UMC session and session cookies are removed when the UMC SAML logout endpoint is visited as part of a SingleLogout process.

In the attached SAML tracer log (ff addon), one can see that upon returning from /univention/saml/slo to the IdP, the SAML message contains
<samlp:StatusMessage>Wrong user</samlp:StatusMessage>
Bug #53436: fix third party SP initiated SAML Logout

A SAML LogoutRequest must already remove the local session.
The SAML LogoutResponse can only be used to finally redirect the user to some logout page.

univention-management-console.yaml
b9a032290381 | Bug #53436: fix third party SP initiated SAML Logout

univention-management-console (12.0.12-10)
b9a032290381 | Bug #53436: fix third party SP initiated SAML Logout
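
The rule stated in the commit message above, shown as an added example (not code from univention-management-console): a service-provider logout endpoint that ends the local session when it receives a LogoutRequest and only redirects when it receives a LogoutResponse. The session store layout, the `/logged-out` path and the sample messages are assumptions, and signature validation is assumed to happen before this function is called.

```python
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": P, "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def handle_slo(saml_xml, sessions):
    """Process a message arriving at the SP logout endpoint.

    sessions: hypothetical store, cookie value -> {"name_id", "session_index"}.
    Assumes signature, issuer and destination were validated by the caller.
    Returns (action, detail, ended_cookies).
    """
    root = ET.fromstring(saml_xml)
    if root.tag == "{%s}LogoutRequest" % P:
        name_id = root.findtext("saml:NameID", namespaces=NS)
        indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
        # No SessionIndex in the request means every session of that
        # principal ends (SAML core rule for LogoutRequest processing).
        ended = sorted(c for c, s in sessions.items()
                       if s["name_id"] == name_id
                       and (not indexes or s["session_index"] in indexes))
        for cookie in ended:
            del sessions[cookie]  # local session is removed on the request
        return ("send_logout_response", SUCCESS, ended)
    if root.tag == "{%s}LogoutResponse" % P:
        # Nothing is invalidated here; the browser is only sent onward.
        return ("redirect", "/logged-out", [])  # hypothetical landing page
    raise ValueError("not a SAML logout message")

# Constructed sample messages (unsigned, trimmed to the fields used above).
_HDR = 'xmlns:samlp="%s" xmlns:saml="%s" Version="2.0"' % (P, NS["saml"])
LOGOUT_REQUEST = ('<samlp:LogoutRequest %s ID="_r1">'
                  '<saml:NameID>alice</saml:NameID>'
                  '<samlp:SessionIndex>_idx1</samlp:SessionIndex>'
                  '</samlp:LogoutRequest>' % _HDR)
LOGOUT_RESPONSE = ('<samlp:LogoutResponse %s ID="_r2" InResponseTo="_r0">'
                   '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
                   '</samlp:LogoutResponse>' % (_HDR, SUCCESS))

def demo():
    # Constructed sessions: alice has two logins, bob has one.
    sessions = {"cookie-abc": {"name_id": "alice", "session_index": "_idx1"},
                "cookie-xyz": {"name_id": "alice", "session_index": "_idx9"},
                "cookie-def": {"name_id": "bob", "session_index": "_idx2"}}
    first = handle_slo(LOGOUT_REQUEST, sessions)
    second = handle_slo(LOGOUT_RESPONSE, sessions)
    return first, second, sessions
```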
OK: Nextcloud logout nullifies portal login status
OK: YAML
OK: Codechange
<https://errata.software-univention.de/#/?erratum=5.0x70>