Skip to content

GUACAMOLE-1266: SAML Single Logout #1154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bayars wants to merge 2 commits into
base: main
Choose a base branch
from
Open

GUACAMOLE-1266: SAML Single Logout #1154

bayars wants to merge 2 commits into from
+169 −0

Conversation

@bayars
Copy link
Contributor

@bayars bayars commented Jan 27, 2026
edited
Loading

Summary

This MR implements SAML Single Logout functionality for the guacamole-auth-sso-saml extension, allowing users to be logged out of both Guacamole and their SAML Identity Provider in a single action.

Associated with this jira ticket.

Changes

Backend

  • ConfigurationService.java: Added two new configuration properties:
    • saml-logout-endpoint
  • The SAML IdP's logout endpoint URI
    • saml-post-logout-redirect-uri
  • Optional URI to redirect to after logout completes (defaults to callback URL)
    • AuthenticationProviderService.java: Implemented getLogoutURI() method that builds the logout URL with RelayState parameter for post-logout redirect

Frontend

  • samlModule.js: New AngularJS module (guacSsoSaml) that listens for the guacLogout event and redirects users to the SAML logout endpoint at api/ext/saml/logout

Documentation

Documentation updated in the guacamole-manual project

Build Configuration

  • pom.xml: Added JS/CSS minification plugin configuration using Closure compiler to produce saml.min.js
  • guac-manifest.json: Registered the minified JavaScript file

Configuration Example - I already tested them

Test Flow:

  • Verify logout without saml-logout-endpoint configured only ends Guacamole session
  • Verify logout with saml-logout-endpoint redirects to IdP logout page
  • Verify RelayState parameter is correctly appended to logout URL
  • Verify post-logout redirect returns user to correct URL
  • Verify default post-logout redirect uses callback URL when not explicitly configured

To enable SAML Single Logout, administrators can configure the following properties:

Option 1: guacamole.properties

# Required: The SAML IdP logout endpoint
saml-logout-endpoint: https://idp.example.com/logout

# Optional: Where to redirect after logout (defaults to callback URL)
saml-post-logout-redirect-uri: https://guacamole.example.com/

Option 2: Environment Variables (Docker)

env:
  - SAML_LOGOUT_ENDPOINT: https://idp.example.com/logout                                                                     
  - SAML_POST_LOGOUT_REDIRECT_URI: https://guacamole.example.com/

@bayars bayars marked this pull request as draft January 27, 2026 03:16
@bayars bayars marked this pull request as ready for review January 31, 2026 03:16
@bayars bayars marked this pull request as draft January 31, 2026 03:17
@bayars bayars marked this pull request as ready for review January 31, 2026 03:24
@bayars bayars force-pushed the guacamole_1266_guacamole_saml_single_logout branch from ea937c1 to 8ec4d81 Compare January 31, 2026 03:36
@bayars bayars mentioned this pull request Jan 31, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bayars