CMS V3.3.* - Logout SAML not working correctly

Hello everyone, I would like to report unexpected behavior regarding SAML authentication.
My test was using Azure AD with the latest versions of CMS 3.3, in which the login and logout from Microsoft work perfectly. However, the problem arises after the logout has been performed because even though I am logged out of the Microsoft account, the CMS session remains active!

I believe it is necessary to review this logout process to kill the CMS login session when clicking “logout” in the CMS.

Can you reproduce this behavior on your end? Am I missing something?

Thank you!

I’m not a SAML specialist, but I think the CMS uses tokens with cookies stored in the web browser.
This is why disconnecting the Microsoft account does not disconnect the Xibo session.

Hello!
Thanks for the answer. Can you tell if this is something that I can configure myself, or is it something that the Xibo development team needs to work on?

Check this way: singleLogoutService… Documentation here: SAML as an Authentication Provider | Xibo Digital Signage

But I think this is the normal behavior of SAML.

We actually changed the way it works slightly in v4 so that this isn’t a problem anymore.

Basically when you use SLO the IDP should call back to the CMS once logout is successful and then the CMS logs you out. This is how it works in v3.

Unfortunately many IDPs don’t do that - they just log you out of the IDP and don’t make the final call back.

So in v4 we changed it to log you out of the CMS before calling the IDP so it doesn’t matter if the IDP calls back or not.

I hope that helps explain the behaviour?

1 Like
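To make the two logout orderings in the developer's reply concrete, here is an added illustration in Python. It is not code from the Xibo CMS or from anyone in this thread; `SessionStore`, `IdentityProvider`, `logout_v3_order`, `logout_v4_order` and the sample session values are all hypothetical names constructed for the example. It models an IdP that either does or does not complete the SLO round trip back to the service provider, and shows which ordering leaves the CMS session alive when the callback never arrives.

```python
# Added illustration, not code from the Xibo CMS: a toy model of the two
# single-logout (SLO) orderings discussed in the thread. All names here
# (SessionStore, IdentityProvider, logout_v3_order, logout_v4_order) are
# hypothetical and exist only for this example.
from typing import Callable, Dict, Set, Tuple


class SessionStore:
    """Stand-in for the CMS's server-side session table (constructed)."""

    def __init__(self) -> None:
        self._active: Dict[str, str] = {}

    def create(self, session_id: str, user: str) -> None:
        self._active[session_id] = user

    def destroy(self, session_id: str) -> None:
        # Idempotent, so a late IdP callback after a local logout is harmless.
        self._active.pop(session_id, None)

    def is_active(self, session_id: str) -> bool:
        return session_id in self._active


class IdentityProvider:
    """Hypothetical IdP. `calls_back` models whether it returns a LogoutResponse
    to the service provider after clearing its own session."""

    def __init__(self, calls_back: bool) -> None:
        self.calls_back = calls_back
        self._idp_sessions: Set[str] = set()

    def login(self, user: str) -> None:
        self._idp_sessions.add(user)

    def single_logout(self, user: str, sp_callback: Callable[[], None]) -> None:
        # The IdP always terminates its own session...
        self._idp_sessions.discard(user)
        # ...but only some IdPs complete the SLO round trip to the SP.
        if self.calls_back:
            sp_callback()

    def is_logged_in(self, user: str) -> bool:
        return user in self._idp_sessions


def logout_v3_order(store: SessionStore, idp: IdentityProvider,
                    session_id: str, user: str) -> bool:
    """v3 ordering: the CMS session is destroyed only inside the IdP callback.
    Returns True if the CMS session is still active afterwards (the reported bug)."""
    idp.single_logout(user, sp_callback=lambda: store.destroy(session_id))
    return store.is_active(session_id)


def logout_v4_order(store: SessionStore, idp: IdentityProvider,
                    session_id: str, user: str) -> bool:
    """v4 ordering: destroy the local session first, then ask the IdP to log out.
    The callback is still honoured but is no longer load-bearing."""
    store.destroy(session_id)
    idp.single_logout(user, sp_callback=lambda: store.destroy(session_id))
    return store.is_active(session_id)


def run_scenarios() -> Dict[Tuple[str, bool], bool]:
    """Run both orderings against an IdP that does and does not call back.
    Result value: whether the CMS session survived the logout."""
    results: Dict[Tuple[str, bool], bool] = {}
    for flow_name, flow in (("v3", logout_v3_order), ("v4", logout_v4_order)):
        for calls_back in (True, False):
            store, idp = SessionStore(), IdentityProvider(calls_back)
            store.create("sess-123", "alice")  # constructed sample session
            idp.login("alice")
            survived = flow(store, idp, "sess-123", "alice")
            results[(flow_name, calls_back)] = survived
    return results


if __name__ == "__main__":
    for (flow, calls_back), survived in run_scenarios().items():
        print(f"{flow} ordering, IdP calls back={calls_back}: "
              f"CMS session still active={survived}")
```

The only combination that leaves the CMS session alive is the v3 ordering with an IdP that never calls back, which matches the behaviour reported at the top of the thread. The practical check on a v3 install is the same as the model: after clicking logout, reload a CMS page; if you are still signed in, the IdP is not completing the return leg of the `singleLogoutService` exchange, and until the IdP configuration is corrected the CMS session persists.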