Related Issues
(rancher/rancher#38494
https://jira.suse.com/browse/SURE-3572
Summary
Implemented SAML SLO
Details
Root Cause
A change request to support logging a User out of the session held by the configured external auth provider (EAP), and thus out of all applications, instead of just out of Rancher itself. The latter meant that when logging back into Rancher the still-open session in the EAP allowed for quick login, without having to run through full authentication again. This confused several users, who expected to fully re-authenticate, despite the notification on regular logout that the EAP session may be retained.
What was fixed, or what changes have occurred
Several, but not all, EAPs now support a LogoutAll option and action.
The supporting EAPs are the SAML variants on offer.
Note that the following changes are in the Dashboard, not in the Backend.
Supporting LogoutAll means that when such an EAP is configured and activated, the Admin can configure the checkboxes
- LogoutAllEnabled and
- LogoutAllForced.
Checking LogoutAllEnabled causes the UI to offer the user the choice between regular logout and logout all.
Additionally checking LogoutAllForced causes the UI to not offer regular logout anymore, only logout all.
As it is the sole choice, no actual choice is offered to the user: logout is logout all.
Note that Forced cannot be checked if Enabled is not checked.
The backend sees these configuration flags as well and will react with errors should the dashboard try to
- invoke logout all when not enabled.
- invoke logout when logout all is forced.
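
A server-side check of the flag rules described above, as an added example in Go that is not Rancher's code. Only the flag names LogoutAllEnabled and LogoutAllForced come from the issue; the type, method and error names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// LogoutConfig mirrors the two checkboxes from the issue. Type, method and error names are hypothetical.
type LogoutConfig struct{ LogoutAllEnabled, LogoutAllForced bool }

type LogoutKind int
const (
	RegularLogout LogoutKind = iota
	LogoutAll
)

var (
	ErrForcedWithoutEnabled = errors.New("LogoutAllForced requires LogoutAllEnabled")
	ErrLogoutAllDisabled    = errors.New("logout all requested but not enabled")
	ErrRegularLogoutBlocked = errors.New("regular logout requested but logout all is forced")
)

// Validate rejects the one inconsistent combination: Forced without Enabled.
func (c LogoutConfig) Validate() error {
	if c.LogoutAllForced && !c.LogoutAllEnabled {
		return ErrForcedWithoutEnabled
	}
	return nil
}

// Authorize checks a logout request on the server, without trusting the UI to have hidden an option.
func (c LogoutConfig) Authorize(kind LogoutKind) error {
	if err := c.Validate(); err != nil {
		return err
	}
	switch {
	case kind == LogoutAll && !c.LogoutAllEnabled:
		return ErrLogoutAllDisabled
	case kind == RegularLogout && c.LogoutAllForced:
		return ErrRegularLogoutBlocked
	}
	return nil
}

func main() {
	// Constructed sample configurations: all four flag combinations.
	for _, c := range []LogoutConfig{{false, false}, {true, false}, {true, true}, {false, true}} {
		fmt.Printf("%+v regular=%v all=%v\n", c, c.Authorize(RegularLogout), c.Authorize(LogoutAll))
	}
}
```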