GitHub user rosi-shapeblue added a comment to the discussion: SAML2 Logout

@DaanHoogland, @weizhouapache, @j3cky, I performed some testing on this.

https://github.com/apache/cloudstack/pull/11361 fixes the logout loop / cookie 
cleanup issues (#11078, #11630) - but does not implement SAML Single Logout 
(SLO) to terminate IdP sessions. This is not a regression - I don't think that 
SLO has been implemented.

@j3cky: After CloudStack logout, you can log in again without a password because 
the IdP session (Microsoft Entra ID / Keycloak) is still active.

I have tested with:

- CloudStack 4.22.0.0
- Keycloak 26.0.6

**SAML Login - Works** 

```
2025-11-26 07:41:06,928 DEBUG [c.c.a.ApiServlet] ===START=== 10.0.3.251 -- GET command=samlSso&idpid=http://10.0.33.46:8180/realms/cloudstack-saml
2025-11-26 07:41:06,977 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] Sending SAMLRequest id=ia8p1tggsoa2o8c5e0vpk6g38g2vlggd
2025-11-26 07:41:14,207 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] Received SAMLResponse in response to id=ia8p1tggsoa2o8c5e0vpk6g38g2vlggd
2025-11-26 07:41:14,214 DEBUG [o.a.c.s.SAMLUtils] SAML attribute name: username friendly-name:null value:admin
2025-11-26 07:41:14,220 DEBUG [o.a.c.s.SAML2UserAuthenticator] Trying SAML2 auth for user: admin
```

**CloudStack Logout - Works** (PR #11361 fix)

- Cookies cleared properly
- No API flooding
- Clean logout to login page

**IdP Session Termination - not supported / not working**

Browser Network tab on logout shows:

- `api/?command=logout&sessionkey=...` (200 OK)
- `api/?command=listIdps` (200 OK)
- `api/?command=listOauthProvider` (200 OK)
- `api/?command=forgotPassword` (401 - expected)

- No samlSlo request. No redirect to IdP.
- Keycloak Sessions page: User session still active after CloudStack logout.
- Keycloak logs: No LOGOUT events received - CloudStack never sent a SAML 
LogoutRequest.

**Result:** Clicking "Login with SAML" again logs in automatically without a 
password prompt (except on initial login).

[Screencast from 2025-11-26 11-14-36.webm](https://github.com/user-attachments/assets/436a78fa-783c-45d6-bda3-f7b8cc5b021f)

<img width="3119" height="1833" alt="Screenshot from 2025-11-26 11-19-17" src="https://github.com/user-attachments/assets/e494c191-62f7-43dc-8dbd-bcb9ca481d48" />
<img width="3119" height="1833" alt="Screenshot from 2025-11-26 11-18-33" src="https://github.com/user-attachments/assets/99082e3b-73c8-49e3-a36f-04ab924ad7c7" />
<img width="3119" height="1833" alt="Screenshot from 2025-11-26 11-18-17" src="https://github.com/user-attachments/assets/cda7cfa3-9431-4ab9-af55-0ff906dc9ac7" />






GitHub link: 
https://github.com/apache/cloudstack/discussions/12109#discussioncomment-15084317
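
The Network-tab check described in the comment above can be automated; the following is an added example, not part of the original comment or of CloudStack. It decodes any `SAMLRequest` parameter per the SAML HTTP-Redirect binding and reports whether a logout capture contains a `samlSlo` call or a `LogoutRequest`; the IdP URL and the SAML messages are constructed samples.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # fine for your own captures; prefer defusedxml for untrusted XML
from urllib.parse import parse_qs, quote, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def redirect_encode(xml_text):
    """Encode a SAML message as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(xml_text.encode()) + deflater.flush()
    return quote(base64.b64encode(raw).decode(), safe="")

def saml_request_type(url):
    """Return the root element name of a SAMLRequest query parameter, or None."""
    values = parse_qs(urlsplit(url).query).get("SAMLRequest")
    if not values:
        return None
    try:
        root = ET.fromstring(zlib.decompress(base64.b64decode(values[0]), wbits=-15))
    except (ValueError, zlib.error, ET.ParseError):
        return None
    namespace, _, name = root.tag[1:].partition("}")
    return name if namespace == SAMLP_NS else None

def slo_initiated(urls):
    """True if any captured request is a samlSlo API call or carries a SAML LogoutRequest."""
    for url in urls:
        commands = parse_qs(urlsplit(url).query).get("command", [])
        if "samlSlo" in commands or saml_request_type(url) == "LogoutRequest":
            return True
    return False

# Requests listed in the comment's Network tab capture (sessionkey elided as posted).
OBSERVED = [
    "api/?command=logout&sessionkey=...",
    "api/?command=listIdps",
    "api/?command=listOauthProvider",
    "api/?command=forgotPassword",
]
# Constructed samples: what an SP-initiated logout or login redirect to an IdP looks like.
IDP = "https://idp.example/saml?SAMLRequest="  # hypothetical IdP endpoint
MSG = '<samlp:%s xmlns:samlp="' + SAMLP_NS + '" ID="_constructed" Version="2.0"/>'
LOGOUT_REDIRECT = IDP + redirect_encode(MSG % "LogoutRequest")
LOGIN_REDIRECT = IDP + redirect_encode(MSG % "AuthnRequest")

if __name__ == "__main__":
    print("observed capture initiates SLO:", slo_initiated(OBSERVED))
    print("capture with LogoutRequest:", slo_initiated(OBSERVED + [LOGOUT_REDIRECT]))
```

To run it against a real capture, export the request URLs from the browser's Network tab and pass them to `slo_initiated`.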
