Vieri l33t
Joined: 18 Dec 2005 Posts: 903
Posted: Tue Jan 14, 2025 1:54 pm Post subject: [CANTFIX] Apache2, mod_auth_mellon and redirection on logout
Hi,
I installed mod_auth_mellon with a custom ebuild, and all's working as expected with an external SAML SSO IdP.
I configured Mellon in my Gentoo Apache2 reverse proxy / WAF (modsecurity) so that web clients (such as Firefox, Edge, Chrome) can connect to it (the backend is an IIS server).
A web browser connects to:
Code:
https://intranet.domain.org/apps/1/
The user then authenticates via SAML SSO with the IdP.
The web portal works fine with the authed user.
To log out, the user clicks on a button which points to:
Code:
https://intranet.domain.org/e/endpoint/logout?ReturnTo=https://extranet.domain.org/
That call closes the user's session. The user is correctly logged out of the web portal as shown on the IdP's web page (because the user is redirected there).
If I open the browser console I can see that the redirection to https://extranet.domain.org/ has also been triggered because I can see that it GETs all the usual files it needs to open that site (js, html, css, images, etc.). However, the user is stuck on the IdP's page (no errors) as if all this traffic were ignored by the browser.
I've been told by the ones who manage the IdP that the logout was initiated on the server's side, but that the client browser did not really "have control" of what was coming after (redirection). I don't quite understand that statement.
The only difference I see when https://extranet.domain.org/ is opened via SAML SSO logout redirection compared to when I open it manually/directly is:
Code:
Referrer Policy: strict-origin-when-cross-origin
In the raw headers for the request, the only difference is:
Code:
Referer: https://idp.otherdomain.org/
Upgrade-Insecure-Requests: 1
I've never seen this before: a web browser opening up a web site (according to console) without displaying it to the user (no errors, nothing).
Any thoughts?
Last edited by Vieri on Tue Jan 14, 2025 4:58 pm; edited 1 time in total
Vieri l33t
Joined: 18 Dec 2005 Posts: 903
Posted: Tue Jan 14, 2025 4:58 pm
Never mind.
The redirection URL *is* actually loaded, but the IdP's web page (provided by Shibboleth) actually loads the page within a display:none iframe.
Bummer.
Won't be able to do much there.
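
To confirm the behaviour described in the last post, the following added example (not part of the original thread) scans a saved copy of the IdP's logout page for iframes that point at the ReturnTo origin and are hidden by inline markup. The function names and the sample HTML are constructed for illustration; only inline `style`/`hidden` hiding is detected, not rules from external stylesheets.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}

# Constructed sample of a logout page; not real Shibboleth output.
SAMPLE = """<html><body><p>You have been logged out.</p>
<div style="display: none"><iframe src="https://extranet.domain.org/"></iframe></div>
<iframe src="https://extranet.domain.org/visible"></iframe>
</body></html>"""

class IframeAudit(HTMLParser):
    """Record every iframe and whether it, or an ancestor, is hidden inline."""
    def __init__(self):
        super().__init__()
        self.stack = []    # (tag, hidden) for each currently open element
        self.iframes = []  # (src, hidden) for each iframe seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inline = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        hidden = inline or any(h for _, h in self.stack)
        if tag == "iframe":
            self.iframes.append((a.get("src") or "", hidden))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def hidden_return_frames(page_html, return_to):
    """Return the src of each hidden iframe on the ReturnTo URL's origin."""
    want = urlsplit(return_to)
    origin = (want.scheme, want.netloc.lower())
    audit = IframeAudit()
    audit.feed(page_html)
    return [src for src, hidden in audit.iframes
            if hidden and (urlsplit(src).scheme, urlsplit(src).netloc.lower()) == origin]

if __name__ == "__main__":
    print(hidden_return_frames(SAMPLE, "https://extranet.domain.org/"))
```

A non-empty result means the ReturnTo target is being fetched inside a hidden frame on the IdP page, which matches the network traffic seen in the browser console without any visible navigation.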