Invalidating session doesn't work #97

Open
prajith-nair opened this issue Jun 13, 2022 · 1 comment

Comments

@prajith-nair

We have configured Google SAML to perform SSO for our app and enabled MellonEnabledInvalidateSessionEndpoint On in httpd.conf:

```apache
<Location />
    # All the variables below are important for Mellon to function as expected.
    MellonSamlResponseDump On
    # Mellon config for the Google SAML app
    MellonVariable "cookie"
    # If this functionality is enabled, invalidate the session by calling the endpoint "/invalidate?ReturnTo=".
    MellonEnabledInvalidateSessionEndpoint On
    MellonSecureCookie On
    # Session cookie duration; 43200 (secs) = 12 hours
    MellonSessionLength 43200
    MellonUser "NAME_ID"
    MellonSetEnv "e-mail" "mail"
    MellonSPPrivateKeyFile /usr/local/apache2/mod_auth_mellon/google_metadata/mellon.key
    MellonSPCertFile /usr/local/apache2/mod_auth_mellon/google_metadata/mellon.crt
    MellonSPMetadataFile /usr/local/apache2/mod_auth_mellon/google_metadata/mellon_metadata.xml
    MellonIdPMetadataFile /usr/local/apache2/mod_auth_mellon/google_metadata/GoogleIDPMetadata.xml
    # Mellon config for the customer's Okta SAML app
    MellonIdPMetadataFile /usr/local/apache2/mod_auth_mellon/okta_metadata/idp_metadata.xml
    MellonDiscoveryUrl "https://${HOST_NAME}:${PROXY_EXPOSED_PORT}/idp-discovery.html"
    MellonEndpointPath /mellon
    MellonDefaultLoginPath /
    RequestHeader set X-WEBAUTH-USER "%{MELLON_NAME_ID}e"
</Location>

Redirect "/logout" "/mellon/invalidate?ReturnTo=https://${HOST_NAME}:${PROXY_EXPOSED_PORT}/"
```

The flow works as expected: when the user clicks "Logout" in the UI, they are redirected to

https://my.domain.com:10020/idp-discovery.html?ReturnTo=https://my.domain.com:10020/

However, when the user clicks "Login" from the above location, they are authenticated and allowed to log in.

mellon-cookie seems to still be active, as it's not affected by /mellon/invalidate.

Any thoughts?

@thijskh

thijskh commented Jan 11, 2023

Are you sure you're not just seeing Single Sign-On behaviour from the IdP? That is, the mellon session is indeed invalidated, you are redirected to the IdP again, but this IdP has Single Sign-On, so you're immediately redirected back to the SP and get a new session? You can confirm this with the SAML Tracer browser plugin.
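To make the distinction in that answer concrete, here is an added example (not from the issue or from mod_auth_mellon's own documentation) placing the SP-local invalidate endpoint the issue uses beside mellon's SAML Single Logout endpoint. The host and port variables are the issue's own placeholders, and the comments describe the expected redirect chain under the assumption that the IdP metadata does or does not advertise a SingleLogoutService.

```apache
# Added example: the two logout endpoints mod_auth_mellon serves under
# MellonEndpointPath, and what each does to the SP and IdP sessions.

<Location />
    MellonEndpointPath /mellon
    MellonEnabledInvalidateSessionEndpoint On
    # ... remaining Mellon directives as in the issue's configuration ...
</Location>

# 1) SP-local logout (what the issue configures).
#    /mellon/invalidate deletes the mellon session and its cookie, then
#    redirects to ReturnTo. The IdP's own session is untouched, so the next
#    "Login" click sends the browser to the IdP, which still holds an SSO
#    session, answers with a fresh assertion without prompting, and the SP
#    creates a new session. To the user this looks like logout never happened.
Redirect "/logout-local" "/mellon/invalidate?ReturnTo=https://${HOST_NAME}:${PROXY_EXPOSED_PORT}/"

# 2) SAML Single Logout.
#    /mellon/logout also clears the SP session, but first sends a SAML
#    LogoutRequest to the IdP when the IdP metadata advertises a
#    SingleLogoutService, so the IdP-side session is ended as well.
#    Assumption: if the metadata has no SingleLogoutService, mellon can only
#    destroy the local session, and the result is the same as case 1.
Redirect "/logout" "/mellon/logout?ReturnTo=https://${HOST_NAME}:${PROXY_EXPOSED_PORT}/"
```

A SAML Tracer capture distinguishes the two: after case 1 a "Login" click shows an AuthnRequest followed immediately by a Response with no credential prompt at the IdP, while case 2 shows a LogoutRequest to the IdP before any new AuthnRequest.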
