Single Logout behavior and UX is notoriously tricky for SAML implementations. That said, we plan on making the SLO behavior better and you can track our progress in the two issues above. In the meantime you can try the following workaround:
Set force_authn to true in your SAML realm configuration. This will effectively mean that your users will be prompted for authentication every time they hit the Identity Provider with a SAML Authn Request and this will break the infinite login cycle.
Sorry for the wrong case I used for force_authn, glad you figured that out, I'll edit this in the original post.
It's either your Identity Provider that doesn't conform to the SAML Specification or something else entirely is going on since the beginning.
Which SAML IdP implementation are you using?
It would be of much help if you could capture and share with us the series of requests and responses from your browser in order to get a clear idea on what happens when you click 'Logout'. You can use the developer console on Chrome/Firefox, with the network tab and the persist logs option enabled.
You're welcome. I assume that you now get a behavior closer to what you want? What was the issue with force_authn after all? Please share how your problem was solved (assuming it is) so that other people use this.
We haven't resolved the issue yet, but trying to get things done. I will post the solution if it gets resolved.
The pictures are from the Chrome log as you have asked.
At this point you should get prompted for authentication from your IdP instead of returning back to Kibana. Can you share the details (headers and body) from these 3 requests? (You can use the </> button to format it.)
Hi, thanks. Ping Identity should be honoring the forceAuthn=true in the SAML AuthnRequest. Do you also see the behavior of being reauthenticated back to Kibana?
Just to be clear, we are investigating if setting force_authn is acceptable to you as a workaround for breaking up the redirection and re-authentication loop until this behavior can be further enhanced in Kibana. What should happen if you enable force_authn is that when you click on logout in Kibana, you will end up on your authentication page in Ping Federate instead of being automatically redirected to Kibana and reauthenticated. (Note that if you do manually authenticate again in Ping Federate, you will also be redirected back to Kibana as an authenticated user.)
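Added example (not code from the thread, Kibana or Elasticsearch): when you capture the redirect to the IdP in the browser's network tab, the `SAMLRequest` query parameter is a DEFLATEd, base64-encoded AuthnRequest. This helper decodes it and reports whether `ForceAuthn="true"` actually reached the IdP, which is what the force_authn workaround depends on. The sample request, hostnames and function names are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import unquote
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_saml_request(param: str) -> str:
    """Hypothetical helper: undo the HTTP-Redirect binding encoding.

    The value copied from the URL is URL-encoded base64 of a raw DEFLATE
    stream (no zlib header), so inflate with wbits=-15."""
    raw = base64.b64decode(unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_saml_request(xml_text: str) -> str:
    """Inverse of the above, used here to build a test input."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = co.compress(xml_text.encode("utf-8")) + co.flush()
    return base64.b64encode(data).decode("ascii")


def inspect_authn_request(xml_text: str) -> dict:
    """Return the fields worth checking when debugging the login loop."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        # Absent attribute means the IdP may reuse the existing session.
        "force_authn": root.get("ForceAuthn", "false").lower() == "true",
    }


# Constructed sample, the shape of an AuthnRequest sent with force_authn enabled.
SAMPLE_AUTHN_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/idp/SSO.saml2" ForceAuthn="true">'
    '<saml2:Issuer>https://kibana.example.com</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)

if __name__ == "__main__":
    print(inspect_authn_request(decode_redirect_saml_request(
        encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST))))
```

If `force_authn` comes back False for the request captured on logout, the realm setting has not taken effect; if it is True and the IdP still redirects straight back, the IdP is not honoring ForceAuthn.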