
[Feature Request] Single LogOut #211

Open
peppelinux opened this issue Apr 10, 2019 · 5 comments

Comments

@peppelinux
Member

peppelinux commented Apr 10, 2019

Is there any possibility to implement, in the SAML2 backend and frontend plugins, the SLO endpoint?

@peppelinux peppelinux reopened this Sep 23, 2019
@peppelinux
Member Author

peppelinux commented Sep 23, 2019

If I configure in my SATOSA frontend

  endpoints:
    # to be implemented
    single_logout_service:
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'slo/post'

On SLO request by the SP I get
'Error: not a authn request'

If an IdP (auth target) does not handle properly `forceAuthn = true`, it should hopefully implement at least SLO.

I think that SLO should be considered useful for security reasons in our context. Could we develop it?

@peppelinux
Member Author

In satosa.frontends.saml2._register_endpoints I read that every endpoint is registered as handle_authn_request.

    def _register_endpoints(self, providers):
        """
        Register methods to endpoints
        :type providers: list[str]
        :rtype: list[(str, ((satosa.context.Context, Any) -> satosa.response.Response, Any))]
        :param providers: A list of backend providers
        :return: A list of endpoint/method pairs
        """
        url_map = []

        # Every endpoint category (SSO, and SLO if configured) ends up here,
        # and every one of them is bound to handle_authn_request.
        for endp_category in self.endpoints:
            for binding, endp in self.endpoints[endp_category].items():
                # Build "^provider1|^provider2|..." from the backend names
                valid_providers = ""
                for provider in providers:
                    valid_providers = "{}|^{}".format(valid_providers, provider)
                valid_providers = valid_providers.lstrip("|")
                parsed_endp = urlparse(endp)
                url_map.append(("(%s)/%s$" % (valid_providers, parsed_endp.path),
                                functools.partial(self.handle_authn_request, binding_in=binding)))

        return url_map
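To illustrate why a configured SLO endpoint currently fails, here is an added example (not SATOSA code) of the same URL-map construction with one change: the handler is picked per endpoint category, so a request hitting `slo/post` reaches a logout handler instead of `handle_authn_request`. The `Frontend` class, its handlers and the `ENDPOINTS` dict are hypothetical stand-ins; only the regex logic mirrors the snippet above.

```python
import functools
import re
from urllib.parse import urlparse

# Constructed config in the shape of the frontend's `endpoints` block.
ENDPOINTS = {
    "single_sign_on_service": {
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "sso/post",
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "sso/redirect",
    },
    "single_logout_service": {
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "slo/post",
    },
}


class Frontend:
    """Hypothetical stand-in for the SAML2 frontend: routing logic only."""

    def __init__(self, endpoints):
        self.endpoints = endpoints

    def handle_authn_request(self, path, binding_in):
        return ("authn", binding_in, path)

    def handle_logout_request(self, path, binding_in):
        # A real handler would parse the LogoutRequest, find the proxy
        # session it belongs to and forward the logout to the right backend.
        return ("logout", binding_in, path)

    def register_endpoints(self, providers):
        # Same "(^p1|^p2)/<path>$" pattern as _register_endpoints above,
        # but the handler depends on the endpoint category.
        handlers = {
            "single_sign_on_service": self.handle_authn_request,
            "single_logout_service": self.handle_logout_request,
        }
        valid_providers = "|".join("^" + p for p in providers)
        url_map = []
        for category, bindings in self.endpoints.items():
            for binding, endp in bindings.items():
                pattern = "(%s)/%s$" % (valid_providers, urlparse(endp).path)
                url_map.append((pattern, functools.partial(handlers[category], binding_in=binding)))
        return url_map

    def dispatch(self, providers, path):
        for pattern, handler in self.register_endpoints(providers):
            if re.match(pattern, path):
                return handler(path)
        raise LookupError("no endpoint matches %r" % path)
```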

@hannahshort

+1 to developing this. I was asked by my federation operator to provide a single logout endpoint, which I'm unable to do atm (unless I've misunderstood).

@peppelinux
Member Author

peppelinux commented Sep 2, 2020

Correct me if I'm wrong, the cookie in satosa expires soon.
This parameter is configurable but probably not infinite, as a cookie released by an IdP could be (non-expiring cookie).
Missing it in the frontend (IdP), it won't link the SLO request to any active session (context), so it won't know which IdP to ask, by which backend, regarding which previously authenticated SAML session. This is an aspect that can be handled in one way or another but, I think, that's my first impression about this problem.

Force authn to True gives us a real workaround to this, because each session won't rely on the previous state.
Even more, going out of the SAML2 field would be more complex. Probably its first implementation would be done only for a pure SAML2 backend/frontend. Just a few cents, mostly ideas at first sight.

@gunpuz

gunpuz commented Aug 9, 2023

I guess there is already some progress by @sebulibah in this PR: #431
But I'm not sure what the status is. @sebulibah can you please tell how it is going?
