New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support multiple callback urls #316
Conversation
Could you update the documentation as well? |
This comment is more like proactive warning for anyone who spots this feature from changelog and start to utilize it. node-saml (and passprot-saml) supports at the moment implementation of SAML 2.0 Web SSO profile. Web SSO profile defines 2 bindings for ACS endpoint (HTTP POST and HTTP Artifact, see SAML 2.0 Profiles spec lines 421-425 and 483-502). Furthermore node-saml (and passport-saml) supports at the moment only HTTP POST binding for ACS. "Normally" one would use multiple AssertionConsumerService elements to list endpoints for different bindings (SAML 2.0 Web SSO profile is a bit unclear about this i.e. it can also be interpreted so that different domains are allowed. See SAML 2.0 Profile spec lines 629-633). Since node-saml (and passport-saml) support only one binding (HTTP POST) for ACS the only use case for this PR's feature would be to introduce endpoints with different domain names (and new testcase provided by this PR indicates that author of PR is going to use this to list ACS behing different domain names). So far so good (spec seems to allow that), but... Consider long and hard before starting to list ACS for different domain names IF you must support also single logout. At the moment node-saml (and passport-saml) implementation allows listing only one SingleLogoutService endpoint (and binding is fixed to HTTP POST) to metadata generated by node-saml's metadata generator. Spec allows multiple SingleLogoutService endpoints (see SAML 2.0 metadata spec lines 652-654 and SAML 2.0 profile spec lines 1311-1316) into SP metadata (for supported SLO callback bindings). When SP has triggered SLO and when IdP finally forwards user back to SP after SLO propagation has ended IdP must select proper callback address according to rules at SAML 2.0 Profiles spec lines 1282-1289. So IdP may select any of the listed endpoints. If one has defined multiple SLS endpoints to SP metadata with different domains there is no way to know that IdP forwards user agent into service that is at the same domain name as user was when user clicked logout button. From IdP initiated SLO point of view IdP would select some of the SP's single logout service endpoints (see SAML 2.0 profile spec lines 1245-1252) to propagate SLO. From SAML 2.0 point of view it doesn't matter whether domain is different - think session cookies - because SAML 2.0 processing rules define that SP must be able to terminate session based on nameid and optional sessionindex that is provided in LogoutRequest message (without using any additional information e.g. from cookies, see SAML 2.0 Core spec SLO processing rules, lines 2589-2616) but at least one SP implementation - passport-saml - doesn't work properly see node-saml/passport-saml#419. |
One more note (in addition to previous ones): |
This is the correct solution. You simply pass difference configuration data to the routines that generate the metadata based on the domain the request for metadata is coming from and everything works like it should. This is the method I've used in the past. |
@srd90 , I can't express enough how much I appreciate your involvement with this project. I've spent a little time reviewing our previous discussions on this matter, specifically your comment and I see that, while If I'm misunderstanding things, please help me to see where my comprehension fails me. Otherwise, I think it is important that we make sure we're stating clearly, not that SLO is broken, but that it isn't supported OOTB, just like the README says. If the README is wrong in this sensitive area, we certainly want to correct it. |
Not sure if it is better to discuss this here or in the issue. @srd90 is right my use case would be that I have one endpoint to get the metadata of my SP which supports a domain wide login to different services, each on their own subdomain. And most of the users configure their IdP manually anyway, so this normally isn't an issue. (I already had implemented, what you also suggested, that calling the But I thought it would be nice if the user could just take the metadata file and upload it to their IdP. I can see that this isn't the main usecase for But I can also see that this might be a niche usecase and if it complicates other things I would be also fine with dropping this PR. |
They can, and that is what I've done. Just have the request for metadata generate the metadata different depending on the domain they hit it from. Or, just make the metadata request path something like |
Is this still an open issue based on the feedback provided @dertieran |
@cjbarth sorry for the delayed response. But if this isn't completely spec compliant or produces other issues I'm also fine to close this PR/Issue. |
@dertieran Are you saying that all those domains would point to the same session store, the same application? i.e. if a SLO request were to hit any of the domains, it would behave just as if it hit any of the other domains? |
Yes, at least for me, these are the same servers, but I don't think they would have to be. Essentially I have a service where the user has one account (and one SSO configuration), but can use different services (depending on the subdomain). But again, feel free to close this if this seems to be a niche use case. |
This is probably why subdomains for shared services are no longer the industry standard for sites sharing a common security context. I might suggest that you have one login domain and allow that token to be used for the other domains if you can't combine the sites. In reality, the biggest reason to use different subdomains is to separate security contexts. What your after is the opposite of that, so I'd say it is niche, so I'll close this. e.g. browse to https://maps.google.com/ and note that you are redirected to https://www.google.com/maps |
Description
Closes #315
This PR adds support for passing multiple callback urls to generate multiple
AssertionConsumerService
properties.Right now this is done by supporting passing an
string[]
instead of just astring
for thecallbackUrl
.Not sure if this is the cleanest solution or if this should be done through another option, something more like
additionalCallbackUrls
.Checklist: