[
https://issues.apache.org/jira/browse/GUACAMOLE-1266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17426431#comment-17426431
]
Nick Couchman commented on GUACAMOLE-1266:
------------------------------------------
[~ilbron]: While I certainly understand wanting to have this feature, I
disagree that lack of this makes Guacamole + SAML (or CAS or OpenID) "unusable"
for security reasons. There are at least two, if not three, mechanisms in place
that make this a perfectly usable configuration even without Single Sign
Out/Single Log Out (SLO):
* Guacamole has its own session limit - by default 60 minutes - at which point
Guacamole will forcibly re-authenticate with the SSO IdP, ensuring that the
user is still supposed to be signed in.
* Add to this the fact that, when you do go to the menu and select "Log out" in
Guacamole, this essentially forces a re-authentication to the SSO IdP (similar
to the session expiring - it just happens on-demand)
* Most SSO providers have some sort of limitation on how long the session can
be before a user is forced to re-authenticate. I see this in practice in my
#DayJob with both ADFS (SAML) and AWS (SAML). With ADFS, I can leave my browser
open and stay on a certain site that is SAML-integrated (Service Now, for
example), and, at some point in less than 24 hours if I try to either re-visit
the Service Now page or another SAML-integrated page, I'm forced back to the
ADFS login page and have to sign in. Similarly with AWS, I deal with an SSO
configuration that gives me access to multiple AWS accounts, and within a few
hours during the day if I try to do something on one of those accounts, I get
an error that my login has expired and I'm sent back to the AWS SSO login page.
In neither of these cases does this have _anything_ to do with the ability to
go to a menu and click "Log out" and have it sign me out of both the Service
Provider and the Identity Provider.
In fact, as I was thinking through this, of the dozens of sites in my #DayJob
that I use that are SAML-integrated, I can think of exactly zero that leverage
the Single Sign/Log Out functionality - on most of them, if there even is a
"Log Out" menu option, it simply pushes me back to the ADFS Login Page, which,
if my SSO session is still valid, just logs me back in to the Service Provider
with a new page, as if I had just refreshed the page. Which is exactly how
Guacamole currently behaves.
Don't get me wrong - my point here is not that we won't do this, or that I
don't think it's a good idea to have SLO functionality - just that this isn't
necessarily all that uncommon, nor do I see security risks in it that make
Guacamole "unusable" in this configuration. The session validation mechanisms
that are in place, both on the IdP and within Guacamole, handle security at an
acceptable level, even if the behavior isn't ideal.
> Implement SAML Single Logout
> ----------------------------
>
> Key: GUACAMOLE-1266
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1266
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole
> Reporter: Michael Miklis
> Priority: Minor
>
> The SAML Authentication Extension does not seem to have a logout function
> built in. This will result in a loop. Steps to reproduce:
> * connect to guacamole URL
> * Automatic redirect to IDP Signin Page happens
> * login via SAML IDP to Guacamole
> * Click Logoff in Guacamole
> * Redirect to Guacamole Start-Page happens
> * Redirect to IDP Signin Page
> * User gets signed in automatically as the session on the IDP is still
> existing
>
> The correct behaviour must be:
> * connect to guacamole URL
> * Automatic redirect to IDP Signin Page happens
> * login via SAML IDP to Guacamole
> * Click Logoff in Guacamole
> * *Redirecting to configured IDP Logoff URL*
> * *IDP destroys session and redirects to Guacamole start page*
> * Redirect to IDP Signin Page
> * User gets signed in automatically as the session on the IDP is still
> existing
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
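The issue describes SP-initiated SAML Single Logout: the Service Provider clears its own session, redirects the browser to the IdP's SLO endpoint with a LogoutRequest, and the IdP destroys its session and answers with a LogoutResponse. Without that LogoutRequest the IdP session survives and the next visit re-authenticates silently, which is the loop in the report. The following is an added Python illustration of the HTTP-Redirect binding for that exchange, not Guacamole's or any library's code. Entity IDs, endpoint URLs, NameID and SessionIndex values are made up, and the message is left unsigned for brevity: a real SP must add the SigAlg/Signature query parameters and verify the IdP's signature on the LogoutResponse before trusting it.

```python
"""SP-initiated SAML 2.0 Single Logout over the HTTP-Redirect binding.

Added example (not Guacamole code). All URLs and identifiers below are
assumptions for illustration; signing of the redirect is omitted.
"""
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index,
                         request_id=None, issue_instant=None):
    """SP side: return (request_id, xml) for a <samlp:LogoutRequest>.

    NameID and SessionIndex come from the assertion the SP received at login;
    the IdP uses them to find the session it should terminate.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    root = ET.Element("{%s}LogoutRequest" % NS_SAMLP, {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant or _now(), "Destination": idp_slo_url,
    })
    ET.SubElement(root, "{%s}Issuer" % NS_SAML).text = sp_entity_id
    ET.SubElement(root, "{%s}NameID" % NS_SAML).text = name_id
    ET.SubElement(root, "{%s}SessionIndex" % NS_SAMLP).text = session_index
    return request_id, ET.tostring(root, encoding="unicode")


def deflate_b64(xml_text):
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = co.compress(xml_text.encode("utf-8")) + co.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def logout_redirect_url(idp_slo_url, xml_text, relay_state=None):
    """Build the URL the SP sends the browser to after clearing its own session."""
    params = {"SAMLRequest": deflate_b64(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if "?" in idp_slo_url else "?"
    return idp_slo_url + sep + urllib.parse.urlencode(params)


def read_logout_request(url):
    """IdP side: decode SAMLRequest from the redirect and return (ID, NameID, SessionIndex)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(inflate_b64(qs["SAMLRequest"][0]))
    return (root.get("ID"), root.findtext("{%s}NameID" % NS_SAML),
            root.findtext("{%s}SessionIndex" % NS_SAMLP))


def make_logout_response(idp_entity_id, in_response_to, sp_slo_url, status=STATUS_SUCCESS):
    """Constructed IdP reply (stands in for a real IdP in this offline round trip)."""
    root = ET.Element("{%s}LogoutResponse" % NS_SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "InResponseTo": in_response_to, "Destination": sp_slo_url,
    })
    ET.SubElement(root, "{%s}Issuer" % NS_SAML).text = idp_entity_id
    status_el = ET.SubElement(root, "{%s}Status" % NS_SAMLP)
    ET.SubElement(status_el, "{%s}StatusCode" % NS_SAMLP, {"Value": status})
    return ET.tostring(root, encoding="unicode")


def parse_logout_response(xml_text, expected_in_response_to, expected_issuer):
    """SP side: accept the response only if it answers our request and comes from our IdP.

    Returns True on a Success status, False on any other status; raises on a
    response that does not belong to an outstanding request (replay/confusion).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS_SAMLP:
        raise ValueError("not a LogoutResponse")
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match an outstanding LogoutRequest")
    if root.findtext("{%s}Issuer" % NS_SAML) != expected_issuer:
        raise ValueError("unexpected Issuer")
    code = root.find("{%s}Status/{%s}StatusCode" % (NS_SAMLP, NS_SAMLP))
    return code is not None and code.get("Value") == STATUS_SUCCESS


if __name__ == "__main__":
    # Assumed identifiers for the demo round trip.
    rid, req = build_logout_request("https://guac.example/saml/metadata",
                                    "https://idp.example/slo", "alice@example.com", "_sess1")
    url = logout_redirect_url("https://idp.example/slo", req, relay_state="/")
    print("IdP sees:", read_logout_request(url))
    resp = make_logout_response("https://idp.example/metadata", rid, "https://guac.example/saml/slo")
    print("logout confirmed:", parse_logout_response(resp, rid, "https://idp.example/metadata"))
```

The order matters for the loop in the report: the SP should invalidate its local session first, remember the outstanding request ID, and only then redirect; when the IdP's LogoutResponse comes back it is matched by InResponseTo (and, in a real deployment, its signature) before the SP shows the logged-out page. An IdP that answers with a non-Success status still leaves the user logged out of the SP, but the SP should not claim the IdP session is gone.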