mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 21:07:31 +00:00
feat: federated logout for SAML IdPs (#9931)
# Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
This commit is contained in:
Livio Spring
@@ -21,6 +21,7 @@ import (
|
||||
"github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/handler"
|
||||
"github.com/zitadel/zitadel/internal/command"
|
||||
"github.com/zitadel/zitadel/internal/domain"
|
||||
"github.com/zitadel/zitadel/internal/domain/federatedlogout"
|
||||
"github.com/zitadel/zitadel/internal/query"
|
||||
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
||||
"github.com/zitadel/zitadel/internal/user/model"
|
||||
@@ -236,6 +237,11 @@ func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken
|
||||
}
|
||||
|
||||
func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID string) (err error) {
|
||||
_, err = o.terminateSession(ctx, userID)
|
||||
return err
|
||||
}
|
||||
|
||||
func (o *OPStorage) terminateSession(ctx context.Context, userID string) (sessions []command.HumanSignOutSession, err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() {
|
||||
err = oidcError(err)
|
||||
@@ -244,22 +250,22 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
|
||||
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
||||
if !ok {
|
||||
logging.Error("no user agent id")
|
||||
return zerrors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
|
||||
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
|
||||
}
|
||||
sessions, err := o.repo.UserSessionsByAgentID(ctx, userAgentID)
|
||||
sessions, err = o.repo.UserSessionsByAgentID(ctx, userAgentID)
|
||||
if err != nil {
|
||||
logging.WithError(err).Error("error retrieving user sessions")
|
||||
return err
|
||||
return nil, err
|
||||
}
|
||||
if len(sessions) == 0 {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
data := authz.CtxData{
|
||||
UserID: userID,
|
||||
}
|
||||
err = o.command.HumansSignOut(authz.SetCtxData(ctx, data), userAgentID, sessions)
|
||||
logging.OnError(err).Error("error signing out")
|
||||
return err
|
||||
return sessions, err
|
||||
}
|
||||
|
||||
func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionRequest *op.EndSessionRequest) (redirectURI string, err error) {
|
||||
@@ -294,7 +300,16 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR
|
||||
// So if any condition is not met, we handle the request as a V1 request and do a (v1) TerminateSession,
|
||||
// which terminates all sessions of the user agent, identified by cookie.
|
||||
if endSessionRequest.IDTokenHintClaims == nil || endSessionRequest.IDTokenHintClaims.SessionID == "" {
|
||||
return endSessionRequest.RedirectURI, o.TerminateSession(ctx, endSessionRequest.UserID, endSessionRequest.ClientID)
|
||||
sessions, err := o.terminateSession(ctx, endSessionRequest.UserID)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if len(sessions) == 1 {
|
||||
if path := o.federatedLogout(ctx, sessions[0].ID, endSessionRequest.RedirectURI); path != "" {
|
||||
return path, nil
|
||||
}
|
||||
}
|
||||
return endSessionRequest.RedirectURI, nil
|
||||
}
|
||||
|
||||
// V1:
|
||||
@@ -305,6 +320,9 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if path := o.federatedLogout(ctx, endSessionRequest.IDTokenHintClaims.SessionID, endSessionRequest.RedirectURI); path != "" {
|
||||
return path, nil
|
||||
}
|
||||
return endSessionRequest.RedirectURI, nil
|
||||
}
|
||||
|
||||
@@ -317,6 +335,39 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR
|
||||
return v2PostLogoutRedirectURI(endSessionRequest.RedirectURI), nil
|
||||
}
|
||||
|
||||
// federatedLogout checks whether the session has an idp session linked and the IDP template is configured for federated logout.
|
||||
// If so, it creates a federated logout request and stores it in the cache and returns the logout path.
|
||||
func (o *OPStorage) federatedLogout(ctx context.Context, sessionID string, postLogoutRedirectURI string) string {
|
||||
session, err := o.repo.UserSessionByID(ctx, sessionID)
|
||||
if err != nil {
|
||||
logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "sessionID", sessionID).
|
||||
WithError(err).Error("error retrieving user session")
|
||||
return ""
|
||||
}
|
||||
if session.SelectedIDPConfigID.String == "" {
|
||||
return ""
|
||||
}
|
||||
identityProvider, err := o.query.IDPTemplateByID(ctx, false, session.SelectedIDPConfigID.String, false, nil)
|
||||
if err != nil {
|
||||
logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "idpID", session.SelectedIDPConfigID.String, "sessionID", sessionID).
|
||||
WithError(err).Error("error retrieving idp template")
|
||||
return ""
|
||||
}
|
||||
if identityProvider.SAMLIDPTemplate == nil || !identityProvider.FederatedLogoutEnabled {
|
||||
return ""
|
||||
}
|
||||
o.federateLogoutCache.Set(ctx, &federatedlogout.FederatedLogout{
|
||||
InstanceID: authz.GetInstance(ctx).InstanceID(),
|
||||
FingerPrintID: authz.GetCtxData(ctx).AgentID,
|
||||
SessionID: sessionID,
|
||||
IDPID: session.SelectedIDPConfigID.String,
|
||||
UserID: session.UserID,
|
||||
PostLogoutRedirectURI: postLogoutRedirectURI,
|
||||
State: federatedlogout.StateCreated,
|
||||
})
|
||||
return login.ExternalLogoutPath(sessionID)
|
||||
}
|
||||
|
||||
func buildLoginV2LogoutURL(baseURI *url.URL, redirectURI string) string {
|
||||
baseURI.JoinPath(LogoutPath)
|
||||
q := baseURI.Query()
|
||||
|
||||
Reference in New Issue
Block a user