Is checkmk SAML 2.0 capable?

@Glowsome
I’ve been playing with getting SLO working for my Checkmk instance.

I’ve got it working, however your environment may be different. I’m using a RHEL7 server and PingIdentity for my IDP.

The logout is only initiated by the SP, not the IDP. Basically I am using Apache to redirect to my IDP once Checkmk is done logging out ‘locally’.

If you look at the login.py source code, there are some directives at the very end of it for the logout.

With my Apache config, I tried my best to not interfere with the way Checkmk does its thing out of the box. So I followed the logic in the login.py source.

That being said, here is my auth.conf:

# Set this to the Name of your Checkmk site, e.g.
#Define SITE
Define SITE master

# TODO: See if we can pull this from the local env. PassEnv wasn't working - probably because the HOSTNAME variable isn't set in the shell that is running Apache
Define HOSTNAME example.com

# ServerName from listen-ports.conf needs to be overwritten here
# and being set to the URL of the real server. auth_mellon uses this
# to generate the needed URLs in the metadata
ServerName https://example.com

# Load the module.
<IfModule !mod_auth_mellon.c>

        LoadModule auth_mellon_module /omd/sites/${SITE}/lib/apache/modules/mod_auth_mellon.so
        # When using CentOS 7 / 8 and in need of diagnostics install mod_auth_mellon-diagnostics package,
        # and use the following statement.
        # LoadModule auth_mellon_module /usr/lib64/httpd/modules/mod_auth_mellon-diagnostics.so

</IfModule>

# Only enable this for debugging purposes
# MellonDiagnosticsFile /opt/omd/sites/${SITE}/tmp/mellon_diagnostics.log
# MellonDiagnosticsEnable On
<Location /${SITE}>

        # Use SAML auth only in case there is no Check_MK authentication
        # cookie provided by the user and whitelist also some other required URLs
        <If "! %{HTTP_COOKIE} =~ /^auth_/ && \
                ! %{REQUEST_URI} = '/${SITE}/check_mk/register_agent.py' && \
                ! %{REQUEST_URI} = '/${SITE}/check_mk/deploy_agent.py' && \
                ! %{REQUEST_URI} = '/${SITE}/check_mk/run_cron.py' && \
                ! %{REQUEST_URI} = '/${SITE}/check_mk/webapi.py' && \
                ! %{REQUEST_URI} = '/${SITE}/check_mk/automation.py' && \
                ! %{REQUEST_URI} -strmatch '/${SITE}/check_mk/api/*' && \
                ! %{QUERY_STRING} =~ /(_secret=|auth_|register_agent)/ && \
                ! %{REQUEST_URI} =~ m#^/${SITE}/(omd/|check_mk/((images|themes)/.*\.(png|svg)|log(in|out)\.py|.*\.(css|js)))# ">

                MellonIdPMetadataFile /opt/omd/sites/${SITE}/etc/apache/mellon/idp-metadata.xml
                MellonIdPPublicKeyFile /opt/omd/sites/${SITE}/etc/apache/mellon/idp-public-key.pem
                MellonSPCertFile /opt/omd/sites/${SITE}/etc/apache/mellon/mellon.cert
                MellonSPPrivateKeyFile /opt/omd/sites/${SITE}/etc/apache/mellon/mellon.key
                MellonEndpointPath "/${SITE}/mellon"
                MellonDefaultLoginPath "/${SITE}/check_mk/"

                Order allow,deny
                Allow from all

                MellonSecureCookie On
                MellonCookieSameSite None

                AuthType Mellon
                AuthName "Check_MK SAML Login"
                MellonEnable auth
                Require valid-user
                MellonUser username

                RequestHeader set X-Remote-User %{username}e env=username
        </If>
        <If "! %{HTTP_COOKIE} =~ /mellon-cookie=cookietest/ && \
                ! %{HTTP_REFERER} = 'https://${HOSTNAME}/${SITE}/check_mk/index.py?start_url=%2F${SITE}%2Fcheck_mk%2Fdashboard.py' && \
                %{REQUEST_URI} = '/${SITE}/check_mk/login.py' ">

                Redirect '/${SITE}/check_mk/login.py' '/${SITE}/mellon/logout?ReturnTo=https://${HOSTNAME}/${SITE}/check_mk/logout.py&IdP=https://exampleIDP.com/logout'
        </If>
        # This header is also needed after authentication (outside of the If clause)
        RequestHeader set X-Remote-User %{REMOTE_USER}e env=REMOTE_USER
</Location>

Notice that I had to whitelist logout.py as well.

Also, I had to work with my IDP folks to get them to add the SLO settings into the IDP and provide me with the updated metadata. Again, your environment may differ.

A little ‘hacky’, I agree. However, it’s working for me. If you or anyone else has any suggestions for a better way to do the logout, I’m all ears.
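As an added illustration (not part of the post above), the following Python model reproduces the two `<If>` conditions from that auth.conf so you can check, before deploying, which requests bypass SAML authentication and which hit the SLO redirect. SITE and HOSTNAME are the values defined in the posted config; the request values in the usage lines are constructed.

```python
import re
from fnmatch import fnmatchcase

SITE = "master"          # mirrors "Define SITE master" in the posted auth.conf
HOSTNAME = "example.com" # mirrors "Define HOSTNAME example.com"

# Exact-match paths the first <If> exempts from SAML (agent/automation endpoints)
EXEMPT_EXACT = {
    f"/{SITE}/check_mk/{p}"
    for p in ("register_agent.py", "deploy_agent.py", "run_cron.py",
              "webapi.py", "automation.py")
}
# Query-string and URI patterns from the same <If>, as Python regexes
EXEMPT_QUERY = re.compile(r"(_secret=|auth_|register_agent)")
EXEMPT_URI = re.compile(
    rf"^/{SITE}/(omd/|check_mk/((images|themes)/.*\.(png|svg)"
    rf"|log(in|out)\.py|.*\.(css|js)))"
)
# Referer that the second <If> excludes from the logout redirect
START_URL = (f"https://{HOSTNAME}/{SITE}/check_mk/index.py"
             f"?start_url=%2F{SITE}%2Fcheck_mk%2Fdashboard.py")


def saml_required(uri, query="", cookie=""):
    """True when the first <If> applies, i.e. mod_auth_mellon enforces login."""
    # "^auth_" is anchored: only a Cookie header that *starts* with a Checkmk
    # auth_ cookie is treated as an existing local session.
    if re.match(r"^auth_", cookie):
        return False
    if uri in EXEMPT_EXACT or fnmatchcase(uri, f"/{SITE}/check_mk/api/*"):
        return False
    if EXEMPT_QUERY.search(query) or EXEMPT_URI.search(uri):
        return False
    return True


def slo_redirect(uri, cookie="", referer=""):
    """True when the second <If> fires and login.py is sent to /mellon/logout."""
    return (uri == f"/{SITE}/check_mk/login.py"
            and "mellon-cookie=cookietest" not in cookie
            and referer != START_URL)


if __name__ == "__main__":
    # Constructed sample requests, not taken from the post
    for u in ("/master/check_mk/dashboard.py", "/master/check_mk/logout.py",
              "/master/check_mk/api/1.0/version"):
        print(u, "-> SAML required" if saml_required(u) else "-> passthrough")
    print("login.py redirect to SLO:", slo_redirect("/master/check_mk/login.py"))
```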
