SAML Logout in iframe

Description
When I use single logout in Shibboleth SAML IDP (as a part of Gluu IAM), it logs out all the relying parties in iframes from its single logout page. Zoom properly answers with Set-Cookie headers that effectively log the user out. Unfortunately, as this is loaded in an iframe, those Set-Cookie headers do not affect the “main” cookies in modern browsers and the user is not logged out.

Error
No error message per se. Chromium displays the following in its network log: “this Set-Cookie didn’t specify a “SameSite” attribute and defaulted to samesite=lax and was blocked because it came from the cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with “SameSite=None” to enable cross-site requests.”

Which App Type (OAuth / Chatbot / JWT / Webhook)?
SAML

Which Endpoint/s?

Hey @r.kondratenko,

Can you share the documentation for the “Shibboleth SAML IDP (as a part of Gluu IAM)” so we can get on the same page?

Thanks,
Tommy

Hello, this is the relevant paragraph: LogoutConfiguration - Identity Provider 4 - Shibboleth Wiki

Hey @r.kondratenko,

Thank you for providing additional information. First, I want to make sure I have a good understanding of what’s going on here. It sounds like you are displaying multiple applications in their own iframe and using this IDP to authenticate for them via SSO. When it comes to Zoom displayed in an iframe, the SameSite attribute is not set by Zoom which means that the browser defaults to SameSite=lax which prevents the request.

If that’s accurate, there isn’t a change that we can make immediately to resolve the issue as Zoom isn’t intended to be displayed in an iframe. Instead, you might want to follow the Zoom SSO documentation to see if you can get the IDP working without the use of an iframe.

That documentation does mention Gluu, so it should cover the steps you need to get started using SSO with Zoom. Let me know if that helps.

Thanks,
Max

Hello @MaxM, sorry, that’s not accurate, I wasn’t clear enough.
We authenticate every application normally with SAML; all the applications work in their browser tabs as normal.
However, when in one of the applications or in the IAM the user requests to log out, we have to log them out of all the applications we used SSO to log in to. This is SLO (single logout). To do this, the applications redirect the user when they log out to a special endpoint for SAML SLO. At that endpoint, the SAML IDP displays a page with a hidden iframe with a SAML logout request for each application in the current user’s session. Zoom also gets this iframe with a SAML logout request (signed by the IDP). In this iframe response Zoom issues Set-Cookie headers that are effectively ignored by the browser (as it is a cross-site request) and does not invalidate the user session on the backend. As a result, the user is still logged in and can continue to use their session in the browser.
Is this more clear?

Hey @r.kondratenko,

Yes, thank you, that does help to clarify what’s happening here. Looking at the documentation for Shibboleth and Gluu, I’m not sure what their support for this functionality is. I haven’t used them before but when looking at this documentation it seems there are limitations when it comes to SLO:

https://gluu.org/docs/gluu-server/2.4.4/operation/logout/

https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues

On that same note, I can see that we have documentation for SSO with Shibboleth but nothing covering SLO. This goes for our other supported IDP. I expect this is because it’s not supported due to the limitations listed above and that Zoom is expected to handle the session timeout itself.

Have you had a chance to reach out to the Shibboleth team to see if they are able to offer any alternatives? If they aren’t able to offer any alternatives, would you be able to get more information from them in regard to what is expected from the Zoom website in order to allow this to work?

Thanks,
Max

Hey @MaxM, your links are somewhat outdated. Modern Gluu just supports SAML Logout by way of Shibboleth, which it uses as SAML IdP: Logout - Gluu Server 4.2 Docs
While Shibboleth docs do mention that SLO is unreliable, this is because many applications, like Zoom in our case, do not actually support it in any reasonable way.
I have no contacts in the Shibboleth team, but I don’t see how anything they can do would help in this case. There’s no alternative to a cross-site request in any form here, as they have to log the user out of all the SPs at once. Zoom, on the other hand, can do one of:

  1. Invalidate the user’s session on the backend for a signed SAML logout request
  2. Issue SameSite=None with Set-Cookie for a signed SAML request

Or maybe both. The former is good security practice anyway, so that logout is not reliant on the browser clearing cookies.
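
The two options above, shown side by side as an added example (this is not code from the thread, nor from Zoom, Gluu or Shibboleth). A service provider receives a signed SAML LogoutRequest in the hidden iframe, revokes the matching session in its own session store, and only then tries to clear the cookie; a small helper also reports why a browser would drop a given Set-Cookie on a cross-site iframe response, which is the check behind the Chromium message quoted in the first post. The session cookie name, the NameID, the SessionIndex values and the LogoutRequest XML are constructed for the demo, and the `signature_valid` flag stands for the XML-signature check that the SAML library performs against IdP metadata.

```python
# Added example (constructed; not Zoom's, Gluu's or Shibboleth's code).
# An SP handles a signed SAML LogoutRequest that arrives cross-site in a
# hidden iframe by revoking the session server-side, so logout works even
# when the browser drops the response's Set-Cookie.
import secrets
import xml.etree.ElementTree as ET  # demo only; parse real requests with the SAML library / defusedxml
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed LogoutRequest, shaped like what an IdP sends to an SP during SLO.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/idp/shibboleth</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  <samlp:SessionIndex>_idx1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


@dataclass
class Session:
    session_id: str
    name_id: str
    session_index: str
    active: bool = True


class SessionStore:
    """Server-side store keyed by the opaque value carried in the session cookie."""

    def __init__(self):
        self._sessions = {}

    def create(self, name_id, session_index):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, name_id, session_index)
        return sid

    def is_active(self, sid):
        s = self._sessions.get(sid)
        return s is not None and s.active

    def revoke(self, name_id, session_indexes):
        """Revoke this subject's sessions; if SessionIndex values were sent, only those. Returns count."""
        count = 0
        for s in self._sessions.values():
            if s.active and s.name_id == name_id and (not session_indexes or s.session_index in session_indexes):
                s.active = False
                count += 1
        return count


def parse_logout_request(xml_text):
    """Return (NameID, [SessionIndex, ...]) from a SAML 2.0 LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find(f"{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("LogoutRequest has no NameID")
    indexes = [e.text.strip() for e in root.findall(f"{{{SAMLP_NS}}}SessionIndex") if e.text and e.text.strip()]
    return name_id.text.strip(), indexes


def handle_front_channel_logout(store, xml_text, signature_valid):
    """Process a LogoutRequest delivered in a cross-site iframe.

    signature_valid is assumed to be the result of the SAML library's
    XML-signature check against IdP metadata; nothing is revoked without it.
    Returns (sessions_revoked, response_headers).
    """
    if not signature_valid:
        raise PermissionError("rejecting LogoutRequest without a valid IdP signature")
    name_id, indexes = parse_logout_request(xml_text)
    revoked = store.revoke(name_id, indexes)  # option 1: backend invalidation
    # Option 2: clear the cookie. The browser only honours this cross-site with
    # SameSite=None and Secure; the revocation above is what really ends the session.
    headers = [("Set-Cookie", "session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=None")]
    return revoked, headers


def cross_site_set_cookie_blocked_reason(set_cookie_value):
    """Why a current browser would ignore this Set-Cookie on a cross-site
    subresource (iframe) response, or None if it would be accepted."""
    attrs = {}
    for part in set_cookie_value.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    same_site = attrs.get("samesite", "lax")  # unspecified is treated as Lax
    if same_site != "none":
        return f"SameSite={same_site}: not set from a cross-site response that is not a top-level navigation"
    if "secure" not in attrs:
        return "SameSite=None is only honoured together with Secure"
    return None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice@example.test", "_idx1")
    revoked, headers = handle_front_channel_logout(store, SAMPLE_LOGOUT_REQUEST, signature_valid=True)
    print(f"revoked={revoked} session_still_active={store.is_active(sid)}")
    print("cookie-only logout would be blocked:", cross_site_set_cookie_blocked_reason("session=; Max-Age=0; Path=/"))
```

Run as a script it revokes the session regardless of what the browser does with the header; the `SessionIndex` filter keeps a logout for one IdP session from ending the same user's unrelated sessions, and the helper makes the SameSite/Secure requirement testable in an SP's own test suite.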

Hey @r.kondratenko,

Thank you for steering me to the correct documentation. Looking at what is listed there, it seems that you are using the “OpenID Connect Front-Channel” logout that they mentioned and that’s what causes the issue with iframes/SameSite. Is that correct?

I bring this up because Zoom does support a Signed SAML Logout request, but it seems that the issues come when using the front-channel logout. Let me know if that’s accurate. Have you tried the SAML logout or the back-channel logout that they list there, and what issues do you encounter there?

That being said, the SameSite setting is something our engineering team may be able to change but I want to make sure that we’ve exhausted all options before requesting a change that may take some time to be approved and implemented, if at all.

I was also able to find their support channel just in case that they are able to offer more insight into configuring Gluu with Zoom.

Thanks,
Max

Hello,
No, I’m using SAML front-channel, not OpenID in this case, but the issue is the same as the technology is somewhat similar. And yes, the problem is only when using SAML logout in iframe as a part of front-channel logout.
I have contact with Gluu support, thank you.

Hey @r.kondratenko,

Thank you for the update. From here, I would try the other logout methods to see if they work for you, especially the back-channel and SAML logout. If that’s not helpful, let’s see what advice Gluu is able to offer. If they advise any changes that need to be made on our end, or you have any further questions, I’m happy to help out.

Thanks,
Max