SLO Problems
Darren Boss
darren.boss at computecanada.ca
Tue Apr 16 09:09:41 EDT 2019
I'm having no luck with SLO either and it also seems related to CSP
configuration issues.
I was thinking about starting a new thread but I feel like my setup might
be similar to Bob's. We have a fairly new deployment that doesn't have a
huge amount of configuration legacy so should be pretty simple to get SLO
working. I set idp.session.trackSPSessions = true and tried SLO by entering
https://myidpurl/idp/profile/Logout
<https://idp.mit.c3.ca/idp/profile/Logout>. After choosing Yes I get the
view that shows the attempt to log out of my test SP was unsuccessful and
see the red x beside the SP EntityId. In the chrome dev tools I see this
error:
Refused to display 'https://myidpurl/idp/profile/PropagateLogout?SessionKey=1' in a frame
because an ancestor violates the following Content Security Policy
directive: "frame-ancestors 'none'".
I had been migrating configuration so I was missing the commented out
configuration for frameoptions and csp. I recently added this to my
idp.properties and tested SLO again:
idp.frameoptions = SAMEORIGIN
idp.csp = frame-ancestors 'self';
I also tried with
idp.csp =
No dice and the exact same error messages are displayed in chrome dev
console. I tried with firefox as well and I don't see the red X but SLO
also fails with the console message:
Content Security Policy: Ignoring ‘x-frame-options’ because of
‘frame-ancestors’ directive.
Content Security Policy: The page’s settings blocked the loading of a
resource at https://myidpurl/idp/profile/Logout?execution=e2s2
(“frame-ancestors”).
The only weird thing about my Shibboleth IdP setup is we run it in a Docker
container under Kubernetes. TLS is terminated by the ingress controller
(Nginx reverse proxy) and there is a HAProxy in front of the entire cluster.
On Mon, Apr 15, 2019 at 9:24 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> > >> Refused to load
> > >> https://www.mail.allisonr.us:4443/idp/profile/SAML2/Redirect/SLO?SAMLResponse=...
> > >> because it does not appear in the frame-ancestors directive of the
> > >> Content Security Policy.
>
> The logout endpoint isn't itself implemented under the denial headers, so
> that doesn't make any sense unless you have unreleased pre-3.4 code in
> web.xml that hadn't been corrected to exclude the SLO paths. That was fixed
> before 3.4.0 was done according to the history in git.
>
> > When I tried to set values in idp.frameoptions and idp.csp to adjust the
> > frame options, the values I placed in the properties appear to be ignored.
>
> It does not ignore them, though it's not reloadable.
>
> > There are two other things on my to-do list for desired functionality,
> > any pointers on these would also be appreciated:
> > >> Get the SP to notify my application of the logout so it can clear its
> > >> session (I am failing to be able to place a <Notify /> tag in the
> > >> right place)
>
> The right place is wherever it's documented to go. I have no memory of
> that, but whatever the schema says and the documentation says is where it
> goes. I don't think it's very strict.
>
> > Adjust the logout process so that, as I see at most of the banks and
> > health care sites I visit, the SAML SLO is a series of blank pages ending
> > with a page that just says "You are logged out. Please close your browser."
>
> Full frame redirects are a non-starter. That terminates at the first
> broken system. Logout is also not interoperable, the specification does not
> cover the UI sufficiently to make it work. But propagation is only passably
> acceptable when it's done with frames, and that means the IdP has to
> control the UI, and SP to IdP is the only full window redirect expected
> within the UI implemented by these two software products. The SP is more
> agnostic about it, but it works well enough because there is no particular
> UI implemented in it anyway and it clears its own state first before giving
> up control.
>
> -- Scott
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
--
*Darren Boss*
*Senior Programmer/Analyst*
*Programmeur-analyste principal*
*darren.boss at computecanada.ca <darren.boss at computecanada.ca>*
*(o) 416.228.1234 x *230
*(c) 919.525.0083*
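As an added diagnostic example (not code from this thread or from the Shibboleth project), the following Python evaluates whether a browser would let the IdP's PropagateLogout page render in a frame, given the response headers on that page, applying the rule quoted in the Firefox console above that a frame-ancestors directive makes X-Frame-Options ignored. The URLs and header sets are constructed from the values quoted in the thread; `frame_allowed`, `parse_csp` and `origin_of` are this example's own helpers.

```python
from urllib.parse import urlsplit

def parse_csp(value):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def origin_of(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or ""), u.port or {"https": 443, "http": 80}.get(u.scheme.lower())

def source_matches(source, page_url, ancestor_url):
    """Does one frame-ancestors source ('self', host, scheme://host[:port], *.host) admit the ancestor?"""
    scheme, host, port = origin_of(ancestor_url)
    if source == "'self'":
        return origin_of(page_url) == (scheme, host, port)
    s_scheme, s_host, s_port = origin_of(source if "://" in source else f"{scheme}://{source}")
    if s_host.startswith("*."):  # *.example.org admits subdomains, not the bare domain
        host_ok = host.endswith(s_host[1:]) and host != s_host[2:]
    else:
        host_ok = host == s_host
    return host_ok and s_scheme == scheme and s_port == port

def frame_allowed(headers, page_url, ancestor_url):
    """Would a browser render page_url inside a frame whose ancestor is ancestor_url?
    When frame-ancestors is present it wins and X-Frame-Options is ignored entirely."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(hdrs.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = csp["frame-ancestors"]
        if not sources or "'none'" in sources:
            return False
        return any(source_matches(s, page_url, ancestor_url) for s in sources)
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(ancestor_url)
    return True

# Constructed sample: the IdP's Logout page frames PropagateLogout on the same origin.
LOGOUT = "https://myidpurl/idp/profile/Logout"
PROPAGATE = "https://myidpurl/idp/profile/PropagateLogout?SessionKey=1"
DENY_ALL = {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"}
SAME_ORIGIN = {"Content-Security-Policy": "frame-ancestors 'self';", "X-Frame-Options": "SAMEORIGIN"}
```

Feed it the headers actually captured on the PropagateLogout response (the browser's network tab shows them) after restarting the IdP, since Scott notes idp.csp is not reloadable. With an Nginx ingress and HAProxy in front, also compare those captured headers with what the IdP itself emits, because a proxy can add or override Content-Security-Policy and X-Frame-Options.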