Bug 53436 - UMC SSO Logout: UMC/Portal session is not invalidated on SingleLogout
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-0-errata
Assigned To: Florian Best
Dirk Wiesenthal
Depends on:
Blocks:
Reported: 2021-06-11 15:55 CEST by Erik Damrose
Modified: 2021-08-18 17:13 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
SAML tracer log of logout process (42.45 KB, application/json)
2021-06-11 15:55 CEST, Erik Damrose

Description Erik Damrose univentionstaff 2021-06-11 15:55:35 CEST
Created attachment 10747
SAML tracer log of logout process

If UMC/Portal is part of a SingleLogout request chain from a browser, the user is not correctly logged out of the Portal.

Scenario:
4.4-8 errata983, nextcloud app

Log into the Portal via SSO, click the nextcloud tile on the portal, and log into nextcloud via SSO. Now click the logout button in nextcloud. The SingleSignOn session at the UCS IdP is ended, and the user is logged out of nextcloud.

Part of the SingleLogout process in SAML is a redirect to all service providers the user currently has a session for. The user is redirected to the portal logout endpoint and back to the IdP, but when refreshing the portal, the user still has a valid session with the default UMC cookies.

Expected result: UMC session and session cookies are removed when the UMC SAML logout endpoint is visited as part of a SingleLogout process.

In the attached SAML tracer log (ff addon), one can see that upon returning from /univention/saml/slo to the IdP, the SAML message contains

<samlp:StatusMessage>Wrong user</samlp:StatusMessage>
Comment 1 Florian Best univentionstaff 2021-08-09 12:34:28 CEST
    Bug #53436: fix third party SP initiated SAML Logout
    
    A SAML LogoutRequest must already remove the local session. The SAML
    LogoutResponse can only be used to finally redirect the user to some
    logout page.

univention-management-console.yaml
b9a032290381 | Bug #53436: fix third party SP initiated SAML Logout

univention-management-console (12.0.12-10)
b9a032290381 | Bug #53436: fix third party SP initiated SAML Logout
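The rule stated in comment 1 (the LogoutRequest must already terminate the local session; the LogoutResponse only decides where the browser is sent afterwards) applied to the flow from the description, as an added example that is not part of the bug report or of the univention-management-console code. The entity ID, the logout page URL and the in-memory session store are assumed; the LogoutRequest is constructed to mirror the IdP -> SP leg of the SingleLogout that the report describes. Signature verification of the incoming message is assumed to have happened before these handlers run.

```python
"""SP-side SAML 2.0 SingleLogout handling (example, not UMC code).

Two endpoints receive SAML messages during SingleLogout:
  * a LogoutRequest from the IdP  -> terminate the local session(s) NOW,
    keyed on the NameID / SessionIndex the IdP names, and answer Success;
  * a LogoutResponse from the IdP -> nothing is decided about session state
    here, it only yields the redirect target for the browser.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

SP_ENTITY_ID = "https://ucs.example/univention/saml/metadata"  # assumed value
LOGOUT_PAGE = "https://ucs.example/univention/logout"          # assumed value

# Hypothetical in-memory session store: cookie value -> session record.
SESSIONS = {}


def create_session(username, name_id, session_index):
    """Record a local session established from a SAML assertion."""
    cookie = uuid.uuid4().hex
    SESSIONS[cookie] = {"user": username, "name_id": name_id, "session_index": session_index}
    return cookie


def parse_logout_request(xml_text):
    """Extract ID, NameID and SessionIndex values from a <samlp:LogoutRequest>."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("LogoutRequest carries no NameID")
    indexes = {e.text.strip() for e in root.findall("samlp:SessionIndex", NS) if e.text}
    return {"id": root.get("ID"), "name_id": name_id.text.strip(), "session_indexes": indexes}


def build_logout_response(in_response_to, status_code, message=None):
    """Serialise a <samlp:LogoutResponse> for the IdP (unsigned in this example)."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    attrs = {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    if in_response_to:
        attrs["InResponseTo"] = in_response_to
    resp = ET.Element("{%s}LogoutResponse" % SAMLP, attrs)
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": status_code})
    if message:
        ET.SubElement(status, "{%s}StatusMessage" % SAMLP).text = message
    return ET.tostring(resp, encoding="unicode")


def handle_logout_request(xml_text):
    """IdP -> SP leg: terminate every local session bound to the named principal.

    Sessions are selected by NameID (and SessionIndex when the request names
    one), not by whatever cookie the browser happens to present on this hop.
    Returns (terminated cookie values, LogoutResponse XML).
    """
    try:
        req = parse_logout_request(xml_text)
    except ValueError as exc:
        return [], build_logout_response(None, STATUS_REQUESTER, str(exc))
    terminated = [
        cookie for cookie, s in SESSIONS.items()
        if s["name_id"] == req["name_id"]
        and (not req["session_indexes"] or s["session_index"] in req["session_indexes"])
    ]
    for cookie in terminated:
        del SESSIONS[cookie]  # local session is gone before the IdP is answered
    return terminated, build_logout_response(req["id"], STATUS_SUCCESS)


def handle_logout_response(xml_text):
    """IdP -> SP answer to an SP-initiated logout: only choose the redirect target.

    Returns (status was Success, URL to send the browser to). No session is
    removed here; that already happened when the user clicked logout locally.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % SAMLP:
        raise ValueError("not a samlp:LogoutResponse")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == STATUS_SUCCESS, LOGOUT_PAGE


# Constructed sample LogoutRequest, as the IdP sends it to the SP's SLO endpoint
# after a third-party SP (Nextcloud in the report) started SingleLogout.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2021-06-11T13:55:00Z"
    Destination="https://ucs.example/univention/saml/slo">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_nid-alice</saml:NameID>
  <samlp:SessionIndex>_idx-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    cookie = create_session("alice", "_nid-alice", "_idx-42")
    gone, response = handle_logout_request(SAMPLE_LOGOUT_REQUEST)
    print("terminated:", gone == [cookie], "| remaining sessions:", len(SESSIONS))
    print(response)
```

The check worth keeping from this: after the SLO endpoint has processed the LogoutRequest, the session store must no longer contain the principal's session, independent of what the subsequent LogoutResponse leg does. A handler that only clears state on the response leg cannot work for third-party-initiated logout, because in that flow the SP never receives a LogoutResponse at all, only the request.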
Comment 2 Dirk Wiesenthal univentionstaff 2021-08-18 12:33:27 CEST
OK: Nextcloud logout nullifies portal login status
OK: YAML
OK: Codechange
Comment 3 Philipp Hahn univentionstaff 2021-08-18 17:13:40 CEST
<https://errata.software-univention.de/#/?erratum=5.0x70>