
Portal for ArcGIS 11.2 SAML login: logout from IdP broken for oauth application

03-21-2024 12:51 AM
NicolasGIS
Frequent Contributor

Hello,

Many users in my organization are complaining about a security issue because of Portal for ArcGIS SAML logout behavior: it does not propagate logout to the identity provider and, as a consequence, users remain logged in, which is a security vulnerability.

I noticed the following: "Propagate logout to Identity provider" only works if logged in directly on Portal for ArcGIS (i.e. OAuth client id = "arcgisonline"). If you are logged in on Portal for ArcGIS through an OAuth application (i.e. OAuth client id = "o8WEYheNpQcE2dwwh"), then when signing out from another application, Portal for ArcGIS does not propagate the logout and instead displays the following window:


Let's illustrate this workflow with the diagram below:

source: https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02_html_m50a2ba3e.g...

Let's say "sp2.example.edu" is Portal for ArcGIS.

1. Working scenario when logged in directly on Portal for ArcGIS:

User is logged in on both Portal for ArcGIS and sp1.example.com, and the user requests a global logout from sp1.example.com. At step 3, the IdP makes a POST to sharing/rest/oauth2/saml/signout and the reply is the following:


<!DOCTYPE html>
<html>

<head>
<title>Posting request..</title>
<link href="/geoportal/sharing/rest/files/gw.css" rel="stylesheet" type="text/css"/>

<script language="javascript">
window.onload = function(e) {
document.forms[0].submit();
};
</script>
</head>

<body>
<form name="f" action="https://idp.example.org/auth/realms/company/protocol/saml" method="post">
<input type="hidden" name="SAMLRequest" value="foo" />
<input type="hidden" name="RelayState" value="bar" />
</form>

</body>

</html>


Note the form that will POST to Idp with "SAMLRequest" and "RelayState" parameters in order to sign out from Idp. It corresponds to step 4 and it works.

Now, let's compare it with the broken scenario:

2. Broken scenario when logged in indirectly on Portal for ArcGIS through an OAuth application:

User is logged in on Portal for ArcGIS indirectly through an OAuth application and on sp1.example.com, and the user requests a global logout from sp1.example.com. At step 3, the IdP makes a POST to sharing/rest/oauth2/saml/signout, but this time the reply is the following:


<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<meta name="referrer" content="origin">
<title>Sign In</title>
<script src="/geoportal/sharing/files/scripts/detector.min.js?__ARTIFACTID__"></script>
<link rel="stylesheet" href="/geoportal/sharing/files/css/site.min.css?__ARTIFACTID__">
<script src="/geoportal/sharing/files/scripts/theme.min.js?__ARTIFACTID__"></script>
<script>
var oAuthInfo = {"contextPath":"/geoportal/sharing","originSignin":false}
window.setTheme(oAuthInfo, "/geoportal/sharing");
</script>
<script src="/geoportal/sharing/files/scripts/oauth2.js?__ARTIFACTID__"></script>
</head>
<body>
<div class="content"></div>
</body>
<script>
oAuthInfo.locale = ((oAuthInfo.locale && oAuthInfo.locale === "iw") ? "he" : oAuthInfo.locale);
require.config({
baseUrl: "/geoportal/sharing/files/scripts/",
locale: oAuthInfo.locale && oAuthInfo.locale.toLowerCase() || ""
});
require(["signout-new", "domReady!"], function (signUp) {
signUp.startup(oAuthInfo);
});
</script>
</html>


which ends up at the page "You have been successfully signed out".

So coming back to our diagram, there is no longer a POST back to the IdP, and the logout process from the IdP is broken in the middle because of Portal for ArcGIS. As a consequence, users are still logged in and, as mentioned in the documentation:


If the user's web browser cache is not cleared, attempting to immediately sign back in to Portal for ArcGIS using the enterprise login option will result in an immediate login without needing to provide user credentials to the SAML identity provider. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public.


Note that if you disable the "Propagate logout to Identity Provider" option, you will have the same phenomenon as in "Broken scenario when logged in indirectly on Portal for ArcGIS through an OAuth application" when logged in directly to Portal for ArcGIS.

As a conclusion, to me, the option "Propagate logout to Identity Provider" should apply to all OAuth client applications ("arcgisonline" and all the others) and not solely to the Portal for ArcGIS client.

Anybody else observing the same phenomenon? Any comments? Did I miss anything obvious?

Thanks,

Nicolas

/cc @CedricDespierreCorporon 
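The difference between the two replies above is mechanical enough to check automatically: a working SP-side step 4 is an HTML page whose only job is to auto-POST a SAMLRequest (a base64-encoded samlp:LogoutRequest) to the IdP's SingleLogoutService URL, while the broken reply is a plain "signed out" page with no form back to the IdP. The following script is an added example written for this thread; it is not code from the original post or from Esri. It parses an SP signout reply, decodes any SAMLRequest it carries, and classifies the reply as propagating the logout, relaying something that is not a LogoutRequest, or terminating locally. The LogoutRequest contents, the Issuer URL and the user name are constructed sample values; the IdP URL and the form layout are taken from the replies quoted above, and the "foo" placeholder from the post is used as the undecodable case.

```python
import base64
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# IdP SingleLogoutService URL, taken from the working reply quoted in the post.
IDP_SLO_URL = "https://idp.example.org/auth/realms/company/protocol/saml"


class _FormExtractor(HTMLParser):
    """Collect each <form> with its action, method and named <input> values."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": {}}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def decode_logout_request(saml_request_b64):
    """Decode a POST-binding SAMLRequest (base64 XML) and return its key fields,
    or None when it is not a well-formed samlp:LogoutRequest."""
    try:
        root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError):  # bad base64 raises a ValueError subclass
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    issuer = root.find("{%s}Issuer" % SAML)
    name_id = root.find("{%s}NameID" % SAML)
    return {"id": root.get("ID"),
            "destination": root.get("Destination"),
            "issuer": None if issuer is None else issuer.text,
            "name_id": None if name_id is None else name_id.text}


def classify_signout_reply(html, idp_slo_url):
    """Classify the SP's reply to the IdP's POST on the signout endpoint.

    'propagated'        auto-post form carries a LogoutRequest to idp_slo_url (step 4 happens)
    'relay_undecodable' a form targets the IdP, but SAMLRequest is not a LogoutRequest
    'local_only'        no form back to the IdP at all (the SLO chain stops at this SP)
    """
    parser = _FormExtractor()
    parser.feed(html)
    for form in parser.forms:
        if form["method"] != "post" or form["action"] != idp_slo_url:
            continue
        if "SAMLRequest" not in form["inputs"]:
            continue
        request = decode_logout_request(form["inputs"]["SAMLRequest"])
        return ("propagated", request) if request else ("relay_undecodable", None)
    return "local_only", None


# Constructed sample LogoutRequest: ID, IssueInstant, Issuer and NameID are made up.
_LOGOUT_REQUEST_XML = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_example-logout-1" '
    'Version="2.0" IssueInstant="2024-03-21T00:51:00Z" Destination="%s">'
    '<saml:Issuer>https://portal.example.com/geoportal/sharing/rest</saml:Issuer>'
    '<saml:NameID>nicolas</saml:NameID></samlp:LogoutRequest>'
) % (SAMLP, SAML, IDP_SLO_URL)
SAMPLE_SAML_REQUEST = base64.b64encode(_LOGOUT_REQUEST_XML.encode()).decode()

# Trimmed versions of the two replies shown in the post; the redacted "foo"
# SAMLRequest of the working reply is replaced by the constructed LogoutRequest.
WORKING_REPLY = (
    '<html><body><form name="f" action="%s" method="post">'
    '<input type="hidden" name="SAMLRequest" value="%s" />'
    '<input type="hidden" name="RelayState" value="bar" /></form></body></html>'
) % (IDP_SLO_URL, SAMPLE_SAML_REQUEST)
BROKEN_REPLY = (
    '<html><head><title>Sign In</title></head><body><div class="content"></div></body>'
    '<script>require(["signout-new", "domReady!"], function (s) { s.startup(oAuthInfo); });'
    '</script></html>'
)

if __name__ == "__main__":
    for label, reply in (("direct login", WORKING_REPLY), ("via OAuth app", BROKEN_REPLY)):
        verdict, request = classify_signout_reply(reply, IDP_SLO_URL)
        print("%-14s -> %s %s" % (label, verdict, request or ""))
```

To use it against a live deployment, capture the body the SP returns to the IdP's step-3 POST (browser developer tools or a proxy) and feed it to classify_signout_reply together with the IdP's SingleLogoutService URL; a 'local_only' verdict for a reply to an IdP-initiated logout is exactly the symptom described in this thread. The classifier deliberately requires the form action to equal the configured IdP URL rather than just containing "SAMLRequest", so a page that posts a LogoutRequest somewhere else is not mistaken for a working step 4.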

7 Replies
NicolasGIS
Frequent Contributor

Logged as:

BUG-000166664:
There is a security issue because of Portal for ArcGIS SAML logout behavior: it does not propagate logout to the identity provider and, as a consequence, users remain logged in, which is a security vulnerability.

NicolasGIS
Frequent Contributor

Actually, this BUG is a duplicate. This security vulnerability is known and logged since 2022 and still being analysed as:

BUG-000150121: When Portal for ArcGIS participates in an SLO SAML flow, it fails to redirect to the identity provider (IDP) following the session invalidation

RyanTaylor
Occasional Contributor

Hello @NicolasGIS, we recently encountered this issue as well and have reported it to Esri support. They identified it as BUG-000150121. I'm curious, did you ever find a workaround for this? V/r, Ryan

NicolasGIS
Frequent Contributor

Hello @RyanTaylor,

No, I did not find any solution and I don't think we can do much.

Considering the very long time this issue has been logged and not solved, I am rather currently investigating switching to OIDC that now has group membership enabled:

https://community.esri.com/t5/arcgis-enterprise-ideas/openid-connect-group-membership/idc-p/1543260

Also, based on my tests, OIDC does not seem to have this issue.

Out of curiosity, what technology is your IDP based on? On our side, we are using Keycloak.

Thanks

RyanTaylor
Occasional Contributor

@NicolasGIS, we've experienced this issue with Microsoft Entra Id and Big IP. Though, as you noted the issue seems to lie within Portal for ArcGIS.

I have attempted to issue logout requests directly to the IdP and had mixed success. I can sign out, but I cannot control the redirection after signout because the IdP (Entra Id) seems to allow just one redirection after signout URL, which is and must be set to Portal's.

Interesting about OIDC. That's not yet an option for us but will keep an eye on it.

NicolasGIS
Frequent Contributor

@RyanTaylor, thanks for your reply.

Just for information, I received an update and BUG-000150121 is now in product plan...

RajkumarPadmanabhan
Esri Contributor

Hello @NicolasGIS  and @RyanTaylor ,

I can reproduce the issue as you describe it with both SAML and OpenID Connect. This issue seems to be specific to custom web applications when a third-party IDP is used to secure ArcGIS Enterprise. If your SAML IDP has a web page that allows manual user logouts, then you can try using that as a workaround. Otherwise, I don't think you can clear the IDP session unless you log in and log out of ArcGIS Enterprise.

Here's a summary of the issue as I understand it:

  • ArcGIS Enterprise is registered as Relying Party with a third party SAML IDP.

  • A custom web application is implemented that:
    • Requires an ArcGIS OAuth access token to consume secured ArcGIS resources.
    • Is registered with ArcGIS as a trusted OAuth application, allowing it to authenticate users with ArcGIS Enterprise.
    • However, when a SAML IDP is registered with ArcGIS, the application is also able to leverage the ArcGIS Enterprise Relying Party trust to authenticate users with the SAML IDP.

  • During the process of obtaining the ArcGIS OAuth access token:
    • The user enters credentials to authenticate with the SAML IDP and an IDP user session is created.
    • ArcGIS Enterprise issues a user specific OAuth access token to the web application.
    • The user does not sign in to ArcGIS Enterprise. As a result, the Relying Party (ArcGIS Enterprise) user session required for SP- and IDP-initiated logouts to work is not created.

  • The ArcGIS OAuth access token issued to the web application exists independent of any ArcGIS Enterprise user sessions and the IDP user session:
    • Signing in/out of ArcGIS Enterprise does not invalidate this token. This is by design.
    • Revoking the ArcGIS OAuth access token does not invalidate any active ArcGIS Enterprise user sessions. This is also by design.
    • Signing out of the SAML IDP does not invalidate the ArcGIS OAuth access token.
    • Revoking the ArcGIS OAuth access token does not invalidate the IDP user session.

  • When the web browser tab running the web application is closed, but the browser remains open, the IDP user session (tied to ArcGIS Enterprise as the Relying Party) remains active. As long as this IDP user session remains active, and the web browser is not closed, any Relying Party registered with the SAML IDP can be accessed without being prompted for user credentials.

Workarounds


Also, this is a different issue than the one described in BUG-000150121, which deals with an IDP-initiated logout to ArcGIS Enterprise/Online when a user is simultaneously logged into multiple Relying Parties. A new bug, BUG-000175697, has been submitted for this issue.

