
SAML SLO #1431

Open
samjustus opened this issue Aug 16, 2024 · 0 comments

samjustus commented Aug 16, 2024

Related Issues

rancher/rancher#38494
https://jira.suse.com/browse/SURE-3572

Summary

Implemented SAML SLO

Details

Root Cause
A change request to support logging a User out of the session held by the configured external auth provider (EAP), and thus out of all applications, instead of just out of Rancher itself. This meant that when logging back into Rancher, the still-open session in the EAP allowed for quick login without having to run through full authentication again. This confused several users who expected to fully re-authenticate, despite the notification on regular logout that the EAP session may be retained.

What was fixed, or what change have occurred
Several, but not all, EAPs now support a LogoutAll option and action.
The supporting EAPs are the SAML variants on offer.

Note that the following changes are in the Dashboard, not in the Backend.

Supporting LogoutAll means that when such an EAP is configured and activated the Admin can configure the checkboxes

LogoutAllEnabled and
LogoutAllForced.
Checking LogoutAllEnabled causes the UI to offer the user the choice between regular logout and logout all.
Additionally, checking LogoutAllForced causes the UI to no longer offer regular logout, only logout all.
As it is the sole choice, no actual choice is offered to the user: logout is logout all.
Note that Forced cannot be checked if Enabled is not checked.

The backend sees these configuration flags as well and will react with errors should the dashboard try to
invoke logout all when not enabled.
invoke logout when logout all is forced.
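
The two checkboxes and the backend's reaction to them, as an added example that is not part of the issue and not Rancher's own code: a hypothetical `LogoutAllConfig` type, the admin-side rule that Forced cannot be set without Enabled, the choices the UI would present, and the server-side check that refuses a request the flags do not permit regardless of what the UI showed. Type, function and error names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// LogoutAllConfig mirrors the two admin checkboxes described in the issue.
// Hypothetical type for this example, not a Rancher API.
type LogoutAllConfig struct {
	Enabled bool // LogoutAllEnabled: UI offers "logout all" next to regular logout
	Forced  bool // LogoutAllForced:  UI offers only "logout all"
}

// LogoutKind is the action the dashboard asks the backend to perform.
type LogoutKind string

const (
	LogoutRegular LogoutKind = "logout"
	LogoutAll     LogoutKind = "logoutAll"
)

// Sentinel errors (names are assumptions) for the three rejected cases.
var (
	ErrForcedWithoutEnabled = errors.New("LogoutAllForced requires LogoutAllEnabled")
	ErrLogoutAllDisabled    = errors.New("logout all requested but LogoutAllEnabled is false")
	ErrRegularLogoutForced  = errors.New("regular logout requested but LogoutAllForced is true")
)

// ValidateConfig rejects the one combination the issue says cannot be saved:
// Forced checked while Enabled is unchecked.
func ValidateConfig(c LogoutAllConfig) error {
	if c.Forced && !c.Enabled {
		return ErrForcedWithoutEnabled
	}
	return nil
}

// OfferedLogouts returns the choices the UI should present for a given config.
func OfferedLogouts(c LogoutAllConfig) []LogoutKind {
	switch {
	case c.Enabled && c.Forced:
		return []LogoutKind{LogoutAll}
	case c.Enabled:
		return []LogoutKind{LogoutRegular, LogoutAll}
	default:
		return []LogoutKind{LogoutRegular}
	}
}

// AuthorizeLogout is the server-side check. The backend does not rely on the
// UI having hidden a button; it re-evaluates the flags for every request.
func AuthorizeLogout(c LogoutAllConfig, requested LogoutKind) error {
	if err := ValidateConfig(c); err != nil {
		return err
	}
	switch requested {
	case LogoutAll:
		if !c.Enabled {
			return ErrLogoutAllDisabled
		}
	case LogoutRegular:
		if c.Forced {
			return ErrRegularLogoutForced
		}
	default:
		return fmt.Errorf("unknown logout kind %q", requested)
	}
	return nil
}

func main() {
	// Walk every flag combination, including the invalid Forced-without-Enabled one.
	configs := []LogoutAllConfig{{}, {Enabled: true}, {Enabled: true, Forced: true}, {Forced: true}}
	for _, c := range configs {
		fmt.Printf("config=%+v offered=%v\n", c, OfferedLogouts(c))
		for _, k := range []LogoutKind{LogoutRegular, LogoutAll} {
			fmt.Printf("  request %-9s -> %v\n", k, AuthorizeLogout(c, k))
		}
	}
}
```

The point of keeping `AuthorizeLogout` separate from `OfferedLogouts` is that the UI-side list only shapes what a cooperative browser displays; a crafted request can name either action, so the flags have to be enforced where the logout is actually executed.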
