
Admin sessions via SAML are unable to fully logout #7603

Status: Open
Reported by @hawke114

Description

Describe the bug
Admin sessions via SAML are unable to fully log out. When logging out of a SAML session, the user can log back in without authentication from any browser by clicking the SSO button, even after clearing browser caches and logging out of the IdP.

To Reproduce
Steps to reproduce the behavior:

  1. Log in to the PacketFence admin console from a SAML authentication source.
  2. On first login, the user will get redirected to the IdP for authentication.
  3. Attempt to log out with the logout button.
  4. Click the SSO Sign-in button on the admin login page.
  5. The browser will get redirected to the captive portal endpoint, then directly back to the admin interface with a login token. Clearing cookies or even trying a new browser will not trigger a re-authentication. I suspect the user session is tied to IP or MAC address, which would be very bad if true.
  6. The user sees a "login successful" message, and the account they are now logged in with is the same as the original SAML user.
  7. No new user authentication events are shown in the admin API audit log.

Screenshots
(two screenshots attached to the issue)
Not sure if relevant, but the session cookie seems to be valid for a year.

Expected behavior

  1. SAML admin user logs off or clears browser sessions.
  2. User clicks the SSO login button.
  3. User is directed to the SAML IdP for authentication.
  4. User is logged in to the admin portal until manual logoff or session expiration.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Tested in Firefox 111.0, Chrome 111.0.5563.65 and Edge 111.0.1661.44

Additional Context
PacketFence version: 12.2.0
Git commit ID: cfc6a45106a4446c78c56af1d2c5882a27796c70

Even disabling SSO from System Configuration > Admin Login will not terminate sessions. When SSO is re-enabled, clicking the SSO button will log in without redirecting to the IdP for authentication.

Rebooting the PF server or restarting services has no effect.
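The following is an added example, not PacketFence code and not part of the report above. It is a constructed Python model of the two designs that separate the reported behaviour from the expected one: an SSO relay that remembers a completed SAML login server-side under a key the browser cannot clear and whose logout only drops the cookie, next to one that revokes the token on logout and sends every SSO click back to the IdP. Keying the cached login by client address is the reporter's suspicion and an assumption of this model; `FakeIdp`, `WeakRelay`, `FixedRelay`, `reproduce`, the admin account and the client address are all hypothetical names and constructed sample data.

```python
"""Constructed model of an SSO relay in front of an admin UI (not PacketFence code).

WeakRelay reproduces the four observations in the report: no IdP round-trip on
the second SSO click, the same user logged in, the old token still valid, and
no new audit entry.  FixedRelay shows the expected behaviour.
"""
import secrets
import time

ONE_YEAR = 365 * 24 * 3600
ADMIN = "admin@example.org"    # constructed sample admin user
CLIENT = "198.51.100.7"        # constructed client address


class FakeIdp:
    """Stand-in for the SAML IdP; counts how often it is really asked."""

    def __init__(self, user):
        self.user = user
        self.authentications = 0

    def authenticate(self):
        self.authentications += 1
        return self.user


class WeakRelay:
    """The relay remembers a finished SAML login under the client address
    (assumption modelling the reporter's suspicion), hands out a year-long
    token, and logout touches nothing server-side."""

    def __init__(self, idp):
        self.idp = idp
        self.tokens = {}      # token -> (user, expiry)
        self.by_client = {}   # client address -> token; survives cookie clearing
        self.audit = []       # (event, user), as an admin audit log would record

    def sso_click(self, client, now):
        cached = self.by_client.get(client)
        if cached in self.tokens and self.tokens[cached][1] > now:
            return cached     # IdP skipped and no audit entry written
        user = self.idp.authenticate()
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (user, now + ONE_YEAR)
        self.by_client[client] = tok
        self.audit.append(("login", user))
        return tok

    def logout(self, token):
        return None           # only the browser-side cookie is dropped

    def whoami(self, token, now):
        entry = self.tokens.get(token)
        return entry[0] if entry and entry[1] > now else None


class FixedRelay(WeakRelay):
    """Every SSO click goes to the IdP, tokens are short-lived, and logout
    revokes the token server-side and records the event."""

    TTL = 8 * 3600

    def sso_click(self, client, now):
        user = self.idp.authenticate()          # always round-trip to the IdP
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (user, now + self.TTL)
        self.audit.append(("login", user))
        return tok

    def logout(self, token):
        entry = self.tokens.pop(token, None)    # revoke, not just forget the cookie
        if entry:
            self.audit.append(("logout", entry[0]))


def reproduce(relay_cls):
    """Walk the report's reproduction steps and return what an auditor observes."""
    idp = FakeIdp(ADMIN)
    relay = relay_cls(idp)
    t0 = time.time()
    tok = relay.sso_click(CLIENT, t0)      # steps 1-2: first login via the IdP
    relay.logout(tok)                      # step 3: logout button
    # step 4: cookies cleared or a new browser, so the client no longer holds
    # tok, but the SSO button is clicked again from the same address
    tok2 = relay.sso_click(CLIENT, t0 + 60)
    return {
        "idp_consulted_again": idp.authentications == 2,
        "user_after_logout": relay.whoami(tok2, t0 + 60),
        "old_token_still_valid": relay.whoami(tok, t0 + 60) is not None,
        "audit_logins": sum(1 for ev, _ in relay.audit if ev == "login"),
    }


if __name__ == "__main__":
    for cls in (WeakRelay, FixedRelay):
        print(cls.__name__, reproduce(cls))
```

When diagnosing a report like this one, the two cheapest checks correspond to the first and last fields returned by `reproduce`: whether the IdP receives a new authentication request on the second SSO click, and whether the admin API audit log gains a login entry. A relay that caches a completed login server-side fails both, whatever key it caches under.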
