Bug 1529065 - [RFE] SAML logout redirection not working
Summary: [RFE] SAML logout redirection not working
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.7.0
Hardware: x86_64
OS: Linux
high
high
Target Milestone: GA
: 5.11.0
Assignee: John Hardy
QA Contact: Mike Shriver
URL:
Whiteboard: auth:saml
Depends On:
Blocks:
Reported: 2017-12-26 08:55 UTC by Prasad Mukhedkar
Modified: 2019-07-02 17:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-02 17:56:36 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:



Description Prasad Mukhedkar 2017-12-26 08:55:20 UTC
Description of problem:

Logout redirection is not happening upon doing logout from SAML; Cloudforms stays logged in until the open tab is closed.

Customer has other services configured with Keycloak, services including
JIRA, Confluence, Service Desk. All the services are configured under the same
realm. All the services are logging out properly: if you log out from Service Desk, JIRA is also logging out. Cloudforms doesn't log out automatically; one has to close the tab manually.


Version-Release number of selected component (if applicable):
Cloudforms 4.5 
CFME 5.8.1.5

How reproducible:
Always

Steps to Reproduce:

1. Install and configure Cloudforms. 
2. Configure external authentication, referring to these steps:

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6-beta/html-single/general_configuration/#saml-assertions

3. Modify the idp-metadata.xml file for SAML logout to work between mod_auth_mellon and Red Hat SSO (step 8).

4. Log in to the Cloudforms dashboard using external authentication, then log in to any other services which are in the same SAML realm as Cloudforms, for example "Service Now" and "JIRA".

5. Logout from "Service Now", then refresh the tab in which "JIRA" application UI is opened. Notice that you will be automatically logged out from JIRA. 

6. Go to the Cloudforms tab, hit the browser refresh button.


Actual results:
Cloudforms stays logged in unless the word 'dashboard' is removed from the URL or the open tab is closed. Automatic redirection to logout is not working.


Expected results:
Cloudforms should automatically logout when from SAML signal sign. Redirection should pick the logout URL and do the action.


Additional info:
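
An added example, not part of the bug report or the CloudForms documentation: a check of the idp-metadata.xml edited in step 3 that lists the IdP's SingleLogoutService entries and reports what is missing. That the service provider needs the HTTP-Redirect logout binding is an assumption, and the host name and realm in the sample metadata are constructed.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample (hypothetical host and realm), not taken from the bug report.
SAMPLE_POST_ONLY = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sso.example.test/auth/realms/demo">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.test/auth/realms/demo/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
SAMPLE_WITH_REDIRECT = SAMPLE_POST_ONLY.replace("bindings:HTTP-POST", "bindings:HTTP-Redirect")


def slo_endpoints(metadata_xml):
    """Return (binding, location) for every IdP SingleLogoutService entry."""
    # The metadata file is local and admin-controlled; use a hardened parser
    # (e.g. defusedxml) for metadata fetched from an untrusted source.
    root = ET.fromstring(metadata_xml)
    return [(slo.get("Binding"), slo.get("Location"))
            for idp in root.iter(MD + "IDPSSODescriptor")
            for slo in idp.findall(MD + "SingleLogoutService")]


def check_slo(metadata_xml, required_binding=REDIRECT):
    """List problems with the IdP's declared logout endpoints."""
    endpoints = slo_endpoints(metadata_xml)
    problems = []
    if not endpoints:
        problems.append("no SingleLogoutService declared for the IdP")
    elif required_binding not in [b for b, _ in endpoints]:
        problems.append("no SingleLogoutService with binding " + required_binding)
    for binding, location in endpoints:
        if not (location or "").startswith("https://"):
            problems.append("logout endpoint is not HTTPS: %r" % (location,))
    return problems


if __name__ == "__main__":
    for name, doc in (("POST only", SAMPLE_POST_ONLY), ("with Redirect", SAMPLE_WITH_REDIRECT)):
        print(name, "->", check_slo(doc) or "ok")
```
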

Comment 4 Joe Vlcek 2018-01-02 19:11:34 UTC
Prasad,

Please find out from the customers what happens when the other applications
are removed from the scenario and only Cloudforms is used. What happens if
the user logs into only Cloudforms, with a single browser tab, then logs
out of Cloudforms?

Is the user correctly directed back to the Cloudforms login page?

JoeV

Comment 6 Matt Pusateri 2018-01-02 19:31:06 UTC
I'd also like to know what the status of the user's session looks like in the SSO server as well once the user logs out.

Comment 7 Matt Pusateri 2018-01-03 14:54:15 UTC
setting the needs info for comments 4 & 6

Comment 13 Joe Vlcek 2018-01-08 16:22:47 UTC
John,

Briefly what the customer wants is to be able to have multiple browser tabs open to
different applications all authenticated via the same SAML account. Once they log off
from all of the applications they want all the application sessions to immediately become invalidated and the user logged off, without having to refresh the tabs.

For us to implement this it could have a performance impact because we would have to
frequently confirm the session.

JoeV

Comment 21 Joe Vlcek 2019-07-02 17:56:36 UTC
I'm going to close this BZ. It was reported over 2 and a half years ago and has worked correctly since.

If this condition can be reproduced please reopen this or a new BZ.

JoeV

