Univention Bugzilla – Bug 53638
[4.4] UMC SSO Logout: UMC/Portal session is not invalidated on SingleLogout
Last modified: 2021-08-25 17:46:55 CEST
Backport to UCS 4.4:

+++ This bug was initially created as a clone of Bug #53436 +++

If UMC/Portal is part of a SingleLogout request chain from a browser, the user is not correctly logged out of the Portal.

Scenario: 4.4-8 errata983, nextcloud app

Log into Portal via SSO, click the nextcloud tile on the portal, log into nextcloud via SSO. Now click the logout button in nextcloud. The SingleSignOn session at the UCS IdP is ended and the user is logged out of nextcloud.

Part of the SingleLogout process in SAML is a redirect to all service providers the user currently has a session for. The user is redirected to the portal logout endpoint and back to the IdP, but when refreshing the portal, the user still has a valid session with the default UMC cookies.

Expected result: UMC session and session cookies are removed when the UMC SAML logout endpoint is visited as part of a SingleLogout process.

In the attached SAML tracer log (ff addon), one can see that upon returning from /univention/saml/slo to the IdP, the SAML message contains <samlp:StatusMessage>Wrong user</samlp:StatusMessage>
Bug #53638: fix third party SP initiated SAML Logout

A SAML LogoutRequest must already remove the local session. The SAML LogoutResponse can only be used to finally redirect the user to some logout page.

univention-management-console.yaml
d239e234dc40 | Bug #53638: fix third party SP initiated SAML Logout

univention-management-console (11.0.6-15)
d239e234dc40 | Bug #53638: fix third party SP initiated SAML Logout
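The rule stated in the fix description above (the service provider drops its local session when the LogoutRequest arrives, and a LogoutResponse only reports the result) as an added Python sketch; it is not UMC's code. The session store layout, the function names and the sample message are assumptions made for this example, and signature checking is assumed to have happened before the handler runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP, "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample message; IDs, user and host names are made up.
SAMPLE_LOGOUT_REQUEST = """\
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2021-08-25T15:00:00Z">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>_idx-alice-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def handle_logout_request(xml_text, sessions):
    """Remove the local sessions named by a LogoutRequest; return (request ID, removed)."""
    # Assumption: signature and issuer were already verified by the caller;
    # a real SP must do that (with a hardened XML parser) before acting.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("not a LogoutRequest")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
    removed = [
        sid for sid, s in sessions.items()
        if s["name_id"] == name_id
        and (not indexes or s["session_index"] in indexes)
    ]
    for sid in removed:
        del sessions[sid]  # invalidate now, not when a LogoutResponse comes back
    return root.get("ID"), removed


def build_logout_response(in_response_to, response_id="_resp1"):
    """Unsigned LogoutResponse reporting Success; response_id is a placeholder."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element("{%s}LogoutResponse" % SAMLP, {
        "ID": response_id, "Version": "2.0",
        "IssueInstant": now, "InResponseTo": in_response_to})
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS_SUCCESS})
    return ET.tostring(resp, encoding="unicode")
```

The handler selects sessions by the NameID and SessionIndex carried in the request, so it removes the right session regardless of which cookies the browser happens to present on that redirect.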
OK: Nextcloud logout nullifies portal login status
OK: YAML
OK: Codechange
<https://errata.software-univention.de/#/?erratum=4.4x1035>