Logging out of horizon does not invalidate IdP session

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Horizon should not be accessing the SSO cookie in the browser that was provided by the identity provider. I think that is the expected behavior for security reason and for better UX.

You can think of it this way, you sign-in to SSO to able to access application A, B and C. If the user logs out of application C, is it expected that the user should be able to access application A and B too?

User is not expected to log out of A and B. But user is logged out of C. So next time when he logs in C, he should be asked to authenticate. Both are entirely different.

Consider this example:
     I use Facebook login to login to Groupon and LinkedIn. If I logout of Groupon what should be expected behavior?

Should I be logged out of LinkedIn -- According to me, it is NO. I believe you agree here.
Should I be allowed to login to Groupon without authentication? - The bug is about this case.

I don't believe this is a horizon issue. When the user clicks logout, we invalidate the token in keystone. Keystone should handle the rest. Horizon is intentionally isolated from the idp.

What happens if you log out of Gmail between step 5 and step 6?

Then it is good.

Isn't the websso application scoped? As of now the only way to make this work, is to logout of IDP, besides logging out of horizon

This sounds like the correct behavior (sso still works until you disconnected from gmail).
I've subscribed keystone-coresec to make sure it's the intended behavior (since horizon does invalidate the token in keystone) .

With Gmail, every one knows IDP url and they can logout, but it is not the case for other IDP.

I configured ADFS, and I have absolutely no clue how to logout of ADFS, since I don't know ADFS logout url Does horizon users even know how to logout of the IDP, if they don't know the IDP logout url?

Even with WebSSO, application logout should give user the opportunity to logout of the session altogether. At the very least, we should warn the user the logout of the application may not have any effect on the overall session.

this sounds fine and expected to me.

example with stackoverflow

0) open an incognito browser session to verify i'm not logged on already
1) go to the site
2) elect to log in with my Google credentials
3) sign in with my username, password and 2FA
4) log out of the application
5) elect to log back in with my Google credentials - this works without asking me to reauth with Google

we can send out an OSSN to warn folks, but that's how its supposed to work

I concur, this looks to be expected behavior.

I think we can do the following:

1. doc it and warn the users what "logout" in Horizon means in respect to WebSSO
2. have Horizon pop up a warning message when user click on logout
3. have Horizon redirect the users back to the IdP to give them the opportunity to truly logout

Steve,

From horizion user's perspective, how will they know IDP logout url? Every one knows about GMail, but how about other IDPs.. I configured Active directory and have no clue how to logout of Active Directory which is the IDP in my case.

BTW this is how Facebook login works which seems to contradict Google behavior

I tried with multiple websites using Facebook login it seems like as soon as you login using with Facebook to one website, the next one doesn't ask you for passwd anymore. however, if you logout from one website and try to login back again it will ask for password

Warning: I am not a WebSSO protocol expert (and I don't know how it is implemented in Horizon), but I've done social auth nearly a dozen times across different IdPs.

It's my understanding that this is more of an IdP issue. One of the first steps you normally do is redirect the user to their IdP and once login is complete they redirect you back. If they choose to honor their cookies and just automatically log you in then that is their choice. Some may decide to force the user to re-enter their password based on some rules. The most Horizon can do is wipe the tokens and clean its own cookies. What the IpD does the IdP does.

There was a question earlier about the user knowing their logout page. I think this would be a problem for the organization to solve using a portal or something. Microsoft does provide this. Also the WS-Federation protocol has a nuclear logout that allows the user to log out of the IdP and all webapps they are currently logged into (that implement the feature). I don't think that is something we'd want to implement.

Am I missing something?

This seems correct to me. Horizon is correctly invalidating the keystone token, you can't use that token. However the next time you select websso login you get redirected to the page and the stored cookie from the last time you visited the SSO login would be seen and issue you a new assertion without login that keystone turns into a new token.

There is nothing we can do about that. This is why you see those messages occasionally to close down your browser after use so that all those session cookies are purged.

For some protocols like saml2 there is sometimes a logout url and method in the assertion. Maybe we could get keystone to forward the user their after invalidating a user token? This would still be kind of weird in a normal SSO flow sense though.

Needs 3 things:

1. Feature in Keystone to track the WebSSO logout URL comparable to the login URL
2. A way to communicate this to Horizon
3. A tie in to Horizon to call the URL in order to logout.

Since Keystone manages websso login, it should do the logout directly as well.

can we update the bug title to reflect what was discussed here, it seems terribly broken at first glance

As noted by many on this bug, this is the expected behaviour when using a federated identity provider.