Posted to dev@guacamole.apache.org by Nick Couchman <ni...@gmail.com> on 2018/12/15 20:39:38 UTC

Help with Single Sign Out/Single Log Out

Hey, everyone,
I'm looking at implementing the Single Sign Out/Single Log Out in the CAS,
OpenID, and Header modules, and need a little guidance in the best way to
accomplish this.  For each of these modules, it seems like the way to
accomplish the SLO functionality is to redirect the user to a logout page
for the given IDP.  I'm just having a little trouble figuring out where and
how to accomplish it.

My thought is that the place to do this would be in the invalidate() method
within the various implementations of the AuthenticatedUser in the
modules.  However, most of the redirection to other places for
authentication is handled by throwing exceptions that are then translated
by the AngularJS application to redirect.  However, the current
implementation of invalidate() doesn't include the specification to throw
exceptions, so that's not going to work out of the box.

The other option would seem to be to generate an HttpServletResponse that
can redirect the client, but I can't pull this out of thin air and don't
seem to be able to figure out where to make it come from.

Suggestions on what direction I should look in?  Is this something that
should work by writing something simple in the invalidate() method, or do I
need to be looking at retooling the API and/or guacamole-ext stuff a little
bit to allow this functionality?

Thanks - Nick

Re: Help with Single Sign Out/Single Log Out

Posted by Nick Couchman <vn...@apache.org>.
>
> I think this can be accomplished with what is already present. It depends
> on what must happen during logout, though. Depending on the needs of the
> IDP, there are two sides to single logout that may come into play:
>
> 1) Notifying the IDP that the user has logged out. If the IDP or use case
> requires this sort of thing, and there is some sort of endpoint which must
> be used to notify the IDP that the user has logged out, then a server-side
> request to that endpoint within invalidate() is exactly what would need to
> be done.
>

I think in most cases we actually want to redirect, not just notify, so I'm
guessing just doing a server-side call isn't necessarily going to be the
way to go, unfortunately.


>
> 2) Cosmetically redirecting the user away from Guacamole and to some other
> URL. There is a "guacLogout" event broadcast by the authentication service
> which is tempting:
>
>
> https://github.com/apache/guacamole-client/blob/fd2198d62bd5181c6a193dbcedc401823e0fbabe/guacamole/src/main/webapp/app/auth/service/authenticationService.js#L293-L294
>
> But that fires before the token is invalidated, and there is a different
> redirect that takes place after the logout() call succeeds:
>
>
> https://github.com/apache/guacamole-client/blob/a1e6db170f286882670957e1e127cae061096bb3/guacamole/src/main/webapp/app/navigation/directives/guacUserMenu.js#L145-L148
>
> I think we would need to split that event up a bit - adding a
> "guacBeforeLogout" to replace what is currently "guacLogout", moving
> "guacLogout" such that it fires after the logout request has completed, and
> moving the redirect into default handling which takes effect if
> preventDefault() for "guacLogout" is not set. The behavior upon logout
> could then be overridden by adding an event handler for "guacLogout".
>
>
I opened a JIRA issue and submitted a PR for this, so hopefully it looks
okay and takes care of this.


> The problem then becomes exposing the configured redirect URL for
> consumption by the overridden logout handling.
>
>
What about overriding the LOGOUT_ACTION or providing some sort of parameter
for it that specifies what the URL should be when the logout occurs:

https://github.com/apache/guacamole-client/blob/a1e6db170f286882670957e1e127cae061096bb3/guacamole/src/main/webapp/app/navigation/directives/guacUserMenu.js#L156-L159

I'm not entirely sure how to do this and allow the module to push the
configuration, but I can work on figuring that out...

-Nick

Re: Help with Single Sign Out/Single Log Out

Posted by Mike Jumper <mj...@apache.org>.
On Sat, Dec 15, 2018 at 12:39 PM Nick Couchman <ni...@gmail.com>
wrote:

> Hey, everyone,
> I'm looking at implementing the Single Sign Out/Single Log Out in the CAS,
> OpenID, and Header modules, and need a little guidance in the best way to
> accomplish this.  For each of these modules, it seems like the way to
> accomplish the SLO functionality is to redirect the user to a logout page
> for the given IDP.  I'm just having a little trouble figuring out where and
> how to accomplish it.
>
> My thought is that the place to do this would be in the invalidate() method
> within the various implementations of the AuthenticatedUser in the
> modules.  However, most of the redirection to other places for
> authentication is handled by throwing exceptions that are then translated
> by the AngularJS application to redirect.  However, the current
> implementation of invalidate() doesn't include the specification to throw
> exceptions, so that's not going to work out of the box.
>
> The other option would seem to be to generate an HttpServletResponse that
> can redirect the client, but I can't pull this out of thin air and don't
> seem to be able to figure out where to make it come from.
>
> Suggestions on what direction I should look in?  Is this something that
> should work by writing something simple in the invalidate() method, or do I
> need to be looking at retooling the API and/or guacamole-ext stuff a little
> bit to allow this functionality?


I think this can be accomplished with what is already present. It depends
on what must happen during logout, though. Depending on the needs of the
IDP, there are two sides to single logout that may come into play:

1) Notifying the IDP that the user has logged out. If the IDP or use case
requires this sort of thing, and there is some sort of endpoint which must
be used to notify the IDP that the user has logged out, then a server-side
request to that endpoint within invalidate() is exactly what would need to
be done.

2) Cosmetically redirecting the user away from Guacamole and to some other
URL. There is a "guacLogout" event broadcast by the authentication service
which is tempting:

https://github.com/apache/guacamole-client/blob/fd2198d62bd5181c6a193dbcedc401823e0fbabe/guacamole/src/main/webapp/app/auth/service/authenticationService.js#L293-L294

But that fires before the token is invalidated, and there is a different
redirect that takes place after the logout() call succeeds:

https://github.com/apache/guacamole-client/blob/a1e6db170f286882670957e1e127cae061096bb3/guacamole/src/main/webapp/app/navigation/directives/guacUserMenu.js#L145-L148

I think we would need to split that event up a bit - adding a
"guacBeforeLogout" to replace what is currently "guacLogout", moving
"guacLogout" such that it fires after the logout request has completed, and
moving the redirect into default handling which takes effect if
preventDefault() for "guacLogout" is not set. The behavior upon logout
could then be overridden by adding an event handler for "guacLogout".

The problem then becomes exposing the configured redirect URL for
consumption by the overridden logout handling.

- Mike
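The event split Mike describes above, and the LOGOUT_ACTION override Nick asks about, can be sketched outside of AngularJS. The block below is an added illustration written for this thread, not code from the Guacamole project: a tiny stand-in for `$rootScope.$broadcast` in which "guacBeforeLogout" fires before the token is invalidated, "guacLogout" fires only after the server has confirmed the logout, and the default redirect runs unless a handler calls `preventDefault()`. `DEFAULT_LOGOUT_ACTION`, `invalidateToken()`, `runLogout()` and the IdP logout URL are assumptions made for the example; the point it shows is that if invalidation fails, "guacLogout" never fires and the user is not sent away while still holding a live token.

```javascript
// Added illustration, not Guacamole project code. A minimal event bus that
// mimics the AngularJS scope-event pattern (handlers receive an event object
// that supports preventDefault(), and the broadcaster can inspect it).
class EventBus {
  constructor() { this.handlers = new Map(); }
  on(name, handler) {
    if (!this.handlers.has(name)) this.handlers.set(name, []);
    this.handlers.get(name).push(handler);
  }
  // Returns the event so the caller can check defaultPrevented afterwards.
  broadcast(name, detail) {
    const event = {
      name, detail, defaultPrevented: false,
      preventDefault() { this.defaultPrevented = true; }
    };
    for (const handler of this.handlers.get(name) || []) handler(event);
    return event;
  }
}

// Assumed default: return to the login screen after logout.
const DEFAULT_LOGOUT_ACTION = '#/';

// Stand-in for the server-side token deletion: removes the token from an
// in-memory session table, or throws if it is not a live token.
function invalidateToken(sessions, token) {
  if (!sessions.has(token)) throw new Error('token not found');
  sessions.delete(token);
}

// Client-side logout flow with the proposed event ordering. Returns true if
// an extension handler took over the redirect, false if the default ran.
function logout(bus, sessions, token, navigate) {
  // 1. Before-logout hook: handlers may clean up but must not redirect yet,
  //    because the server has not invalidated the token at this point.
  bus.broadcast('guacBeforeLogout', { token });

  // 2. Invalidate the token. If this throws, "guacLogout" never fires and no
  //    redirect happens, so a failed logout is not masked by a redirect.
  invalidateToken(sessions, token);

  // 3. After-logout hook: an extension (CAS, OpenID, header module) can
  //    cancel the default and send the browser to the IdP's logout page.
  const event = bus.broadcast('guacLogout', { token });
  if (!event.defaultPrevented) navigate(DEFAULT_LOGOUT_ACTION);
  return event.defaultPrevented;
}

// Runs the flow once. If sloUrl is given, a handler standing in for what an
// SSO module would register overrides the default redirect with that URL.
function runLogout(sloUrl, token = 'tok-123') {
  const bus = new EventBus();
  const sessions = new Set(['tok-123']);   // constructed session table
  const visited = [];                       // URLs the "browser" was sent to
  const fired = [];                         // events observed, in order
  const navigate = (url) => visited.push(url);
  bus.on('guacBeforeLogout', (e) => fired.push(e.name));
  bus.on('guacLogout', (e) => fired.push(e.name));
  if (sloUrl) {
    bus.on('guacLogout', (e) => {
      e.preventDefault();   // suppress the default '#/' redirect...
      navigate(sloUrl);     // ...and go to the IdP's single-logout page
    });
  }
  let error = null;
  try { logout(bus, sessions, token, navigate); }
  catch (e) { error = e.message; }
  return { fired, visited, tokenLive: sessions.has('tok-123'), error };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runLogout(null));
  console.log(runLogout('https://idp.example/cas/logout'));
  console.log(runLogout('https://idp.example/cas/logout', 'bogus'));
}
```

The third call in the usage section shows the failure path: with an unknown token, only "guacBeforeLogout" fires, nothing is navigated, and the error surfaces to the caller instead of being hidden behind a redirect to the IdP.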