Correctly handle <LogoutResponse> messages for the SAML Realm

[jkakavas]

According to section 3.7.3.2 of SAML Core spec :

If the session authority successfully terminates the principal's session with respect to itself, then it MUST respond to the original requester, if any, with a message containing a top-level status code of urn:oasis:names:tc:SAML:2.0:status:Success. If it cannot do so, then it MUST respond with a message containing a top-level status code indicating the error

The SAML IDP can (should but usually doesn't) respond to a <logoutRequest> message with a <LogoutResponse> message indicating a successful logout. We don't currently handle this case, and we should

[elasticmachine]

Pinging @elastic/es-security

[tvernum]

What should Elasticsearch do with these responses?
I had always assumed that Kibana would be accepting them at the Logout service as a no-op. Is there a reason for it to be passed to ES other than the convenience of Kibana not having to parse the SAML parameter?

[jkakavas]

What should Elasticsearch do with these responses?

We could no-op (return a 200 response and a redirect value of /), and Kibana could redirect the user to the "Successfully logged out" page. Other clients could handle this response as they see fit.

I had always assumed that Kibana would be accepting them at the Logout service as a no-op.

I think this is mostly by accident now and not by design. IIUC, Kibana will return DeauthenticationResult.notHandled() since the LogoutResponse will reach its /logout endpoint but there will not be any tokens to invalidate.

Is there a reason for it to be passed to ES other than the convenience of Kibana not having to parse the SAML parameter?

There are a couple of reasons why we should handle this I think:

• We offer an API to be used for performing SAML authentication and we handle all other SAML messages from an IDP, I don't see a particular reason for this one to be an exception.
• We handle all the decoding, parsing, verifying of SAML messages on the ES side, it is only logical we should also decode and parse Logout responses and not delegate this to the client.

[ywangd]

This is implemented in #56316