Posts: 642
Topics: 3
Kudos: 103
Solutions: 67
Registered: ‎08-16-2016

HUE SAML logout_enabled setting

I am using SAML as the backend auth.  I have long had complaints on the logout process.  When a user manually logs out it redirects to root (as far as I can tell) which then goes through the login process with SAML.  When users are logged out for other reasons, usually a timeout (or a bug), either the HUE idle timeout, or the Hive/Impala idle/session timeouts, they are redirected to the login screen.
I had seen and thought to use the SAML property logout_enabled to have it skip the logout process.  This property does not seem to be picked up from the configuration file though.  I can see it used in the libsaml logout function.  And if I am reading it correctly the user shouldn't be logged out.  I don't see it anywhere in saml_settings.py.  I also did not find logout_enabled anywhere else in the HUE code.  I know in general you don't want to disable logging out, but the intended user experience of SSO is that they don't have to perform a log in process in a bunch of different places.  Is this intended or a bug?  If it is intended, please remove it as a configurable option.
It is possible that the behavior is different for the timeouts mentioned above but my thinking is that this setting, with SAML configured, should skip the logout process, but it does not.
I am running CDH 5.8.2 and HUE 3.10.  I looked at the HUE 3.12 code and this portion looks identical.
libsaml/backend.py

def logout(self, request, next_page=None):
  # Only perform the SAML single logout and the Django session logout
  # when the [libsaml] logout_enabled setting is on; otherwise hand
  # back None and leave it to the caller to decide what to do.
  if conf.LOGOUT_ENABLED.get():
    response = saml_logout(request)
    auth_logout(request)
    return response
  else:
    return None
libsaml/conf.py

LOGOUT_ENABLED = Config(
  key="logout_enabled",
  default=True,
  type=coerce_bool,
  help=_t("Performs the logout or not."))

libsaml/saml_settings.py

# Licensed to Cloudera, Inc. under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  Cloudera, Inc. licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import saml2
import desktop.conf
import libsaml.conf

from desktop.lib import security_util
from saml2.config import SPConfig


__all__ = (
    'SAML_ATTRIBUTE_MAPPING',
    'SAML_CONFIG_LOADER',
    'SAML_CREATE_UNKNOWN_USER',
    'SAML_USE_NAME_ID_AS_USERNAME',
)


def config_settings_loader(request):
  base_url = libsaml.conf.BASE_URL.get()
  if base_url is None:
    base_url = "%(protocol)s%(host)s" % {
      'protocol': 'https://' if (request.is_secure() or request.META.get('HTTP_X_FORWARDED_PROTO') == 'https') else 'http://',
      'host':  request.get_host(),
    }

  entity_id = libsaml.conf.ENTITY_ID.get().replace('<base_url>', base_url)

  conf = SPConfig()
  conf.load({
    # full path to the xmlsec1 binary program
    'xmlsec_binary': libsaml.conf.XMLSEC_BINARY.get(),

    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': entity_id,

    # directory with attribute mapping
    'attribute_map_dir': libsaml.conf.ATTRIBUTE_MAP_DIR.get(),

    # this block states what services we provide
    'service': {
      'sp' : {
        'name': 'hue',
        'name_id_format': libsaml.conf.NAME_ID_FORMAT.get(),
        'endpoints': {
          # url and binding to the assertion consumer service view
          # do not change the binding or service name
          'assertion_consumer_service': [
            ("%s/saml2/acs/" % base_url, saml2.BINDING_HTTP_POST),
          ],
          # url and binding to the logout service view
          # do not change the binding or service name
          'single_logout_service': [
            ("%s/saml2/ls/" % base_url, saml2.BINDING_HTTP_REDIRECT),
            ("%s/saml2/ls/post/" % base_url, saml2.BINDING_HTTP_POST),
          ],
        },

        'allow_unsolicited': str(libsaml.conf.ALLOW_UNSOLICITED.get()).lower(),

        # attributes that this project need to identify a user
        'required_attributes': libsaml.conf.REQUIRED_ATTRIBUTES.get(),

        # attributes that may be useful to have but not required
        'optional_attributes': libsaml.conf.OPTIONAL_ATTRIBUTES.get(),

        'logout_requests_signed': str(libsaml.conf.LOGOUT_REQUESTS_SIGNED.get()).lower(),
        'authn_requests_signed': str(libsaml.conf.AUTHN_REQUESTS_SIGNED.get()).lower()
      },
    },

    # where the remote metadata is stored
    'metadata': {
      'local': [ libsaml.conf.METADATA_FILE.get() ],
    },

    # set to 1 to output debugging information
    'debug': 1,

    # certificate
    'key_file': libsaml.conf.KEY_FILE.get(),
    'key_file_passphrase': libsaml.conf.get_key_file_password(),
    'cert_file': libsaml.conf.CERT_FILE.get()
  })

  return conf


SAML_CONFIG_LOADER = 'libsaml.saml_settings.config_settings_loader'

SAML_ATTRIBUTE_MAPPING = libsaml.conf.USER_ATTRIBUTE_MAPPING.get()
SAML_CREATE_UNKNOWN_USER = libsaml.conf.CREATE_USERS_ON_LOGIN.get()
SAML_USE_NAME_ID_AS_USERNAME = libsaml.conf.USERNAME_SOURCE.get() == 'nameid'

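To make the question concrete, here is an added example (not Hue's code) that reads logout_enabled from a constructed [libsaml] ini fragment with the same default and boolean coercion as the Config above, then runs a mirror of the pasted backend logout() so both branches can be exercised offline. The coerce_bool, the ini parsing and the two stand-in logout calls are assumptions, not the real desktop.lib.conf or djangosaml2 implementations.

```python
import configparser


def coerce_bool(value):
    """Stand-in for Hue's coerce_bool: accept the usual ini spellings (assumption)."""
    if isinstance(value, bool):
        return value
    v = str(value).strip().lower()
    if v in ("true", "yes", "1", "y", "on"):
        return True
    if v in ("false", "no", "0", "n", "off"):
        return False
    raise ValueError("not a boolean: %r" % (value,))


def load_logout_enabled(ini_text):
    """Read [libsaml] logout_enabled; missing key -> True, like Config(default=True)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp.get("libsaml", "logout_enabled", fallback=None)
    return True if raw is None else coerce_bool(raw)


def saml_backend_logout(request, logout_enabled, calls):
    """Mirror of libsaml/backend.py logout(): SAML response when enabled, else None."""
    if logout_enabled:
        calls.append("saml_logout")   # stand-in for djangosaml2 single logout
        calls.append("auth_logout")   # stand-in for Django session logout
        return "redirect-to-idp-slo"  # constructed placeholder for the SLO redirect
    return None


def simulate(ini_text):
    """Apply the configured value and report (enabled, backend response, calls made)."""
    calls = []
    enabled = load_logout_enabled(ini_text)
    response = saml_backend_logout(request=None, logout_enabled=enabled, calls=calls)
    return enabled, response, calls


# Constructed hue.ini fragments: one disables the logout, one leaves the default.
INI_DISABLED = "[libsaml]\nlogout_enabled=false\n"
INI_DEFAULT = "[libsaml]\nusername_source=nameid\n"

if __name__ == "__main__":
    print(simulate(INI_DISABLED))  # (False, None, [])
    print(simulate(INI_DEFAULT))   # (True, 'redirect-to-idp-slo', ['saml_logout', 'auth_logout'])
```

With the setting off, the backend neither ends the SAML session nor the Django session and simply returns None, so whether the user stays logged in depends entirely on what the code calling backend.logout() does with that None; that caller is not in the pasted snippets, so it is the place to check in your Hue version.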

Re: HUE SAML logout_enabled setting

@Romainr
Have you had a chance to review this?

Cloudera Employee
Posts: 701
Registered: ‎07-30-2013

Re: HUE SAML logout_enabled setting

Just asked the specific Hue Security people
