Upon OS Sign out execute SAML logout url
Reported by j...@healthenrollment.org, Apr 4 2018
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10323.62.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.184 Safari/537.36
Platform: 10323.62.0 (Official Build) stable-channel rikku

Steps to reproduce the problem:
1. Sign in using SAML login
2. Sign out of the OS using either the red Sign Out button or the user avatar on the bottom right of the tray and then selecting sign out
3.

What is the expected behavior?
Since this is a SAML IdP login, the specified logout URL of the SAML third party should be executed, or there should be a policy that allows a script to be executed upon sign out.

What went wrong?
No SAML Logout URL is executed

Did this work before? No

Chrome version: 65.0.3325.184
Channel: stable
OS Version: 10323.62.0
Flash Version: 29.0.0.113
Apr 9 2018
Lutz, this should live on your team. I'm not familiar enough with SAML.
Apr 17 2018
Specifying an arbitrary JS script that's executed upon sign out sounds a little scary. I'm concerned that admins or hackers could abuse that in creative ways. Calling the SAML logout endpoint is more feasible. Does it mean you'd have to force online login? What would happen if you're offline when you sign back in, e.g. when you're in a tunnel on a train?
Apr 17 2018
When using the SAML login it redirects online anyway to the remote login page. I think it should handle it accordingly. As of now nothing happens. If the device is online, hit the SAML logout URL. If the device is not online and already logging out, handle it as is. As for a script executing, we are able to leverage that ability on sign-on with SAML IdP pages and use the Chromium user.js file. I think as an enterprise feature this can be handled by the admin controlling what is executed, but ultimately we just need to hit the already configured Google SAML logout URL that is defined just as the login one is.
May 11 2018
May 30 2018
Can we get some feedback on this? Would like to have the sign-out action hit the SAML logout URL defined in the policies.
May 30 2018
Re forcing online login: AFAIK even with SAML enabled, you'd normally do an offline login. However, there's a policy "SAMLOfflineSigninTimeLimit" that, if set to 0, should always enforce an online login. Hitting a URL on signout is technically tricky since Chrome OS doesn't do a very clean shutdown and tries to exit as quickly as possible. Thus, trying to do something that might take a long time during shutdown might be hard. For instance, Chrome is killed after 3 seconds by some system daemon if it hasn't shut down yet. Not saying it's impossible, but it's also not trivial. What's the use case? Do you have to make sure tokens are revoked on sign-out for security reasons?
May 30 2018
Exactly. I auto-sign the user into our application, but I set their status on that login. Once the user signs out, the system that monitors the user's status believes they are still signed in. The logout URL is an async queue regardless, so if it can just hit that URL by a curl command or a shell clean-up script, maybe even the daemon that exits Chrome and moves on, that should do the trick. It would then force the user status to be logged out and I can handle proper expiration of tokens etc. I believe this to be an important process, which is why SAML has a logout URL. Enterprise should hit this URL based on it being set in the policies.
May 30 2018
System that monitors**
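The two constraints raised in the May 30 2018 exchange, the roughly 3-second shutdown budget before a system daemon kills Chrome and the need to tolerate being offline, are the whole design problem for any "hit the logout URL on sign-out" hook. The block below is an added illustration of how such a hook would be written, not Chromium code and not anything the reporter deployed: a single best-effort GET to the policy-configured sign-out URL that refuses plaintext URLs (they typically carry session identifiers), skips cleanly when offline, is bounded by the shutdown budget minus a safety margin, and fails open on any error so a dead IdP can never wedge sign-out. The URL `idp.example.com`, the helper names, and the `fake_ok`/`fake_hang` senders are assumptions constructed so the example runs offline; a real deployment would pass a network-reachability check as `is_online` and keep the default `http_send`.

```python
# Added illustration for this bug thread, not Chromium code: a best-effort,
# deadline-bounded hit of an IdP sign-out URL. The 3-second budget comes from
# the discussion; URL, helper names and the fake senders are assumptions.
import socket
import time
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

# Comment from May 30 2018: Chrome is killed ~3 s into shutdown by a system daemon.
SHUTDOWN_BUDGET_SECONDS = 3.0
SAFETY_MARGIN_SECONDS = 0.5   # headroom for teardown after the request returns


@dataclass
class LogoutOutcome:
    attempted: bool   # did we actually send anything?
    succeeded: bool   # did the IdP answer with a non-error status in time?
    reason: str       # human-readable explanation for a log line


def http_send(url: str, timeout: float) -> int:
    """Real sender (stdlib only): one GET, returns the HTTP status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "cros-signout-hook"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def fire_logout(logout_url, *, is_online, send=http_send,
                budget=SHUTDOWN_BUDGET_SECONDS, margin=SAFETY_MARGIN_SECONDS):
    """Hit the policy-configured sign-out URL once, failing open.

    1. Refuse plaintext URLs: the sign-out URL usually carries session
       identifiers, and an admin typo must not leak them over http://.
    2. Offline (the "tunnel on a train" case): skip, local sign-out proceeds.
    3. Bound the request by the shutdown budget minus a margin, so the
       daemon's kill never arrives mid-request.
    4. Any exception (timeout, DNS, TLS) is reported, never raised: a dead
       IdP must not block the sign-out path.
    """
    parsed = urlparse(logout_url)
    if parsed.scheme != "https" or not parsed.netloc:
        return LogoutOutcome(False, False, "refused: sign-out URL must be https")
    if not is_online():
        return LogoutOutcome(False, False, "offline: skipped, local sign-out proceeds")
    timeout = budget - margin
    if timeout <= 0:
        return LogoutOutcome(False, False, "no time budget left")
    started = time.monotonic()
    try:
        status = send(logout_url, timeout)
    except Exception as exc:  # deliberately fail-open: never raise during shutdown
        elapsed = time.monotonic() - started
        return LogoutOutcome(True, False, f"{type(exc).__name__} after {elapsed:.2f}s")
    elapsed = time.monotonic() - started
    return LogoutOutcome(True, 200 <= status < 400, f"HTTP {status} in {elapsed:.2f}s")


# Constructed stand-ins so the example runs offline (assumptions, not real endpoints).
def fake_ok(url, timeout):
    return 200


def fake_hang(url, timeout):
    raise socket.timeout(f"no reply within {timeout}s")


if __name__ == "__main__":
    url = "https://idp.example.com/saml/logout"   # hypothetical IdP sign-out URL
    print(fire_logout(url, is_online=lambda: True, send=fake_ok))
    print(fire_logout(url, is_online=lambda: False, send=fake_ok))
    print(fire_logout(url, is_online=lambda: True, send=fake_hang))
    print(fire_logout("http://idp.example.com/saml/logout", is_online=lambda: True, send=fake_ok))
```

Note that the hook only reports what happened; it never escalates to the caller, because during shutdown there is nobody left to handle an error. If revocation must be guaranteed rather than best-effort, the reporter's own suggestion of an asynchronous queue on the IdP side is the right place for the retry logic, not the shutdown path.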
Jun 26 2018
Aug 23
Sep 18
Comment 1 by j...@leadtrust.io, Apr 5 2018