
Send SLO requests only to SP with sessions #84

Open
S43534 opened this issue Feb 24, 2022 · 4 comments

Comments

@S43534 commented Feb 24, 2022

Hey,

great package - it really gets the job done in a very complex topic!

I have a project with ~20 SPs. When logging out with SLO a request is sent to each SP in LogoutController. That takes quite some time, and also fails with "too many redirects".
I think the specification of SAML specifies that the SLO request should be sent only to SPs that have an active session. Is that right, and could that be implemented? How can I access the active sessions?

Thanks!
Sebastian

@upwebdesign (Contributor)

I'm not sure if this is what is intended with SLO. 20 SPs is quite a lot and I can see why it takes a while to get through them all. Even if there was a mechanism that could determine which SPs have an active session, what if all 20 have an active session? Same problem. I'm not sure how to handle 20 SPs. Maybe abandon SLO altogether and set your session timeouts to an hour. That way the user will be logged out after one hour of inactivity. Should they try to do another action at the SP, SAML will kick in and log them back in. 🤷‍♂️

@SebastianSchoeps

In this case it's a portal with different projects. Each project has a separate Nextcloud instance attached. So the user has an account at every Nextcloud instance for each of the projects he is a member of. So I wouldn't say that it is too uncommon. However, it will be uncommon that he is connected to every one of the projects, so SLO having to handle 20 SPs should not happen.
If a user logs on at an SP, there is a request to the IdP, isn't that the case? So the IdP should know about the sessions.
Also, as I understand the SAML specification, that's how it's supposed to work: only log out from the SPs that the user has visited (and not all SPs).

@upwebdesign (Contributor)

@SebastianSchoeps can you cite the SAML specification? Provide a link?

Also, as I understand the SAML specification, that's how it's supposed to work

Also, I am open to suggestions on how this might work. I never really thought about this as I have never had to connect to more than 3 SPs. I suppose a cache could work as a storing mechanism. Thoughts?

@SebastianSchoeps

First of all, thanks for your investment and being open to this! That's not taken for granted.

If you google "SAML SLO" what comes up pretty soon is https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout. In step 3 it says "Upon receiving a logout request, the IdP first identifies all other SPs that are part of the current session".
The official specs are at http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline.

My initial thought was also in the direction of caching. I am not too deep into SAML, but something like this: whenever an SP sends a login request to the IdP (and it is successful), the SP is stored for this user. When an SLO request comes, the IdP doesn't loop over all known SPs, but only over the ones from the cache. What do you think?
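The per-user SP cache sketched in this thread, written out as an added example (it is not code from the package or from anyone in the thread). The class and method names are hypothetical and the entity IDs are constructed; the IdP records an SP when it issues a successful response to it, and at logout time builds LogoutRequests only for SPs whose session is still live.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class SpSession:
    entity_id: str      # SP EntityID the IdP issued an assertion to
    session_index: str  # SessionIndex from that assertion; goes into the LogoutRequest
    issued_at: datetime


@dataclass
class SessionRegistry:
    """IdP-side record of which SPs each user actually logged into (hypothetical).
    A production version would live in the user's server-side session or a
    cache keyed by the IdP session, not in a process-local dict."""
    ttl: timedelta = timedelta(hours=1)
    _by_user: dict = field(default_factory=dict)  # user -> {entity_id: SpSession}

    def on_sso_success(self, user, entity_id, session_index, now):
        # Call after a successful SAML Response has been sent to the SP.
        self._by_user.setdefault(user, {})[entity_id] = SpSession(entity_id, session_index, now)

    def slo_targets(self, user, initiating_sp, now):
        # SPs that still hold a live session, excluding the one that started SLO
        # (it receives the final LogoutResponse, not a LogoutRequest).
        live = self._by_user.get(user, {})
        return [s for eid, s in live.items()
                if eid != initiating_sp and now - s.issued_at < self.ttl]

    def on_logout_response(self, user, entity_id):
        # Drop the SP once it confirmed logout; True when no SP session is left.
        self._by_user.get(user, {}).pop(entity_id, None)
        return not self._by_user.get(user)


def demo():
    """Constructed scenario: 20 SPs are registered with the IdP, the user
    logged into three of them, and the first of those initiates SLO."""
    t0 = datetime(2022, 2, 24, 10, 0, tzinfo=timezone.utc)
    all_sps = [f"https://nextcloud-{i:02d}.example.org/metadata" for i in range(20)]
    reg = SessionRegistry()
    for i in (0, 7, 15):
        reg.on_sso_success("sebastian", all_sps[i], f"session-{i}", t0)
    targets = reg.slo_targets("sebastian", all_sps[0], t0 + timedelta(minutes=10))
    return [(t.entity_id, t.session_index) for t in targets]
```

With this in place the logout loop contacts two SPs instead of twenty; the ttl also bounds stale entries for SPs that were never told about the logout.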
