Release date for 3.1.0

Paul Brears pbrears at rm.com
Tue Mar 10 09:52:17 EDT 2020


We are doing a SAML Logout (front channel - redirect).
We own the identity provider, the Service provider is run by a 3rd party we're helping. They support sessions from outside of shibboleth, as well as our federated ones, and so have an independent application session. They use the Notify function in Shibboleth to ensure their session is removed when SLO logout is started at the identity provider.

Before the samesite changes:
1. User is sent to (in the iframe): "/Shibboleth.sso/SLO/Redirect?SAMLRequest=..."
This gets the NameID in the request *and sees* the Shibboleth session cookie.
2. This then redirects the browser (still in the iframe) to the location defined in the Notify section of Shibboleth, so it can clean up the application cookies that are independent of Shibboleth.
When that script has completed it redirects to "/Shibboleth.sso/SLO/Redirect?notifying=1&index=1&ID=_{guid}.&relayState={IDP-URL}...."
3. Shibboleth clears the _shibsession cookie and then redirects back to the identity provider with a good logout status  "...binding=redirect&SAMLResponse=..."

Afterwards, when you go to Shibboleth.sso/Session you see "A valid session was not found." and the 3rd party application is completely logged out.

After the SameSite behaviour in Chrome 80:
1. As before we go to /Shibboleth.sso/SLO/Redirect?SAMLRequest=...
This gets the NameID in the request *but no longer sees* the Shibboleth session cookie.
2.  It bypasses the notify section and redirects directly back to the identity provider with a good logout status  "...binding=redirect&SAMLResponse=..." (No cookies changed)

When you go to Shibboleth.sso/Session you see "Exception while retrieving active session: Your Session has expired you must re-authenticate."
But now, as the Notify script wasn't called, the 3rd party doesn't clear its own session data and you are left logged in.

I assume that the fix in 3.1.0 would fix this if you're requiring the _shibsession cookie to send the user to the Notify location?

Regards,

Paul
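
To make the two cookie outcomes above concrete, here is an added Python model (not Shibboleth SP code) of the browser's SameSite decision for the cross-site iframe navigation in step 1, and of which branch the SP takes as a result. It assumes a simplified rule set: a cookie with no SameSite attribute is treated as Lax only in the Chrome 80 mode, the Lax-after-POST grace period is ignored, and the branch names are labels of my own for the two behaviours described in the post.

```python
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None if the attribute is absent
    secure: bool = False

def cookie_is_sent(cookie: Cookie, *, cross_site: bool, top_level: bool,
                   lax_by_default: bool, method: str = "GET") -> bool:
    """Simplified SameSite enforcement (assumption: Lax-after-POST grace period ignored).
    lax_by_default=True models Chrome 80+, which treats a cookie with no SameSite
    attribute as Lax and drops SameSite=None cookies that lack Secure; False models
    the pre-Chrome-80 behaviour, where an absent attribute imposes no restriction."""
    if lax_by_default and cookie.samesite == "None" and not cookie.secure:
        return False
    mode = cookie.samesite or ("Lax" if lax_by_default else "None")
    if not cross_site or mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: sent only on top-level navigations that use a safe method
    return top_level and method in SAFE_METHODS

def slo_branch(session_cookie: Cookie, lax_by_default: bool) -> str:
    """Which branch the SP takes when the IdP loads /Shibboleth.sso/SLO/Redirect in a
    cross-site iframe: with the session cookie present it runs the Notify step and then
    clears _shibsession; without it, it answers the IdP directly and Notify never runs."""
    seen = cookie_is_sent(session_cookie, cross_site=True, top_level=False,
                          lax_by_default=lax_by_default)
    return "notify-then-clear" if seen else "skip-notify"

if __name__ == "__main__":
    legacy = Cookie("_shibsession_x", samesite=None)               # attribute unset (constructed)
    fixed = Cookie("_shibsession_x", samesite="None", secure=True)  # SameSite=None; Secure
    print("old browser, no attribute :", slo_branch(legacy, lax_by_default=False))
    print("Chrome 80, no attribute   :", slo_branch(legacy, lax_by_default=True))
    print("Chrome 80, None; Secure   :", slo_branch(fixed, lax_by_default=True))
```

The third case is the mitigation a defender checks for: the session cookie must carry SameSite=None together with Secure, or the SLO endpoint will not see it from inside the IdP's iframe.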

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: 05 March 2020 19:58
To: Shib Users <users at shibboleth.net>
Subject: RE: Release date for 3.1.0



> The SP looks up the session based on the NameID alone. The cookie is
> cross checked if it's there but not if it isn't.

It occurred to me when logging into something with a SameSite bug that what you really meant is that you're not doing a SAML logout. The proprietary endpoint should never be used by an IdP but if you're misusing it to do a logout remotely, yes, it does require the cookie there for obvious reasons.

-- Scott
