 

How to configure Single Logout when using Google Apps as the Identity Provider?

As outlined in the Google docs, you can use Google Apps as a SAML 2.0 IdP. The IdP metadata includes a URL for SSO but doesn't contain an SLO URL:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=XXXXXXXX" validUntil="xxxxxxx">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Trying to just use the same URL for SLO results in an error at Google:

Error parsing the request, malformed_request: The SAML request is malformed. That’s all we know.

Of course you can just redirect to https://accounts.google.com/logout but that will only end the Google session.

SLO is not mentioned in the Google docs. Is it supported?

Tobias Mühl asked Jul 16 '18 11:07




1 Answer

Google does not support SAML SLO as an identity or service provider.

Andrew K. answered Sep 18 '22 11:09