DMPRoadmap / roadmap

DCC/UC3 collaboration for a data management planning tool
MIT License

Sign out of application should also sign out of Shibboleth session #311

Closed alexstuart closed 7 years ago

alexstuart commented 7 years ago

After signing into an account from the UK federation, selecting Sign out will destroy the application session and send the user back to the home page which then displays the Sign In form. However, selecting "sign in with your institutional credentials" immediately logs the user into the application without going round the loop of UK federation Central Discovery Service etc. This is because the sign out functionality does not destroy the Shibboleth session.

You can confirm that the Shibboleth session is not destroyed by the sign out function by signing out and then viewing https://dmponline-test.dcc.ac.uk/Shibboleth.sso/Session -- it continues to report a valid Shibboleth session.

The sign out link should also destroy the Shibboleth session. You can do this by calling the Local Logout handler at https://dmponline-test.dcc.ac.uk/Shibboleth.sso/Logout. Probably best to do this somewhere in code rather than with the user's browser, as the behaviour of this link is to destroy the session and return a simple page with an HTTP 200 code (whether there was a valid Shibboleth session to log out of or not).

vyruss commented 7 years ago

@sjDCC this marks a change from existing behaviour. Is this something we want?

sjDCC commented 7 years ago

I don't think users would like this so wouldn't be inclined to have sign out of DMPonline or DMPTool also end their SSO session. They may be logged in with their institutional credentials to access various resources (e.g. journals subscribed to via library etc) so we wouldn't want the action of logging out of our system to log them out of all of this. @stephaniesimms would that be your preference too?

@alexstuart is there a reason why you think this should be done?

alexstuart commented 7 years ago

This isn't signing the person out of their IdP session. It's keeping the sessions consistent on the DMP SP. There are two SP sessions in play, with two separate cookies. The first is _shibsession_random-string and this is set by the Shibboleth SP; and there's _dmproadmap_session, which I suspect is set by the application somewhere. This issue requests that the logout button destroys both sessions that the SP + application have set.

(That's why I specified the "Local Logout" handler rather than any of the federated logout handlers that your SP has registered. Local, in this context, means the session at the SP.)

alexstuart commented 7 years ago

...And, on reflection, I see how my use of "Shibboleth session" could have been interpreted ambiguously. In the initial reporting of this issue, I used Shibboleth session to mean the session that your Shibboleth SP has set up. Not "Shibboleth Session" in the sense that it's a session set up on the IdP or across the federation.
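The two-cookie picture above (the SP's `_shibsession_*` cookie plus the application's `_dmproadmap_session` cookie) and the request in the opening report to hit the SP's Local Logout handler on sign out can be shown as one sign-out handler. The following is an added example written for this thread, not code from the DMPRoadmap project: a framework-free Ruby function that takes the request's cookies, expires both the application cookie and every `_shibsession_*` cookie, and sends the browser to `/Shibboleth.sso/Logout`. Because the SP identifies its session by the `_shibsession_*` cookie the browser holds, the request to the Logout handler has to come from that browser, so the example redirects rather than calling the handler server-side. The `return` query parameter used to bring the user back to the home page, the cookie attributes, and the sample cookie values are assumptions for illustration.

```ruby
require 'uri'

# The two SP-side session cookies named in the thread: one set by the
# Shibboleth SP (prefix plus a per-application random string) and one set by
# the Rails application.
APP_SESSION_COOKIE  = '_dmproadmap_session'
SHIB_SESSION_PREFIX = '_shibsession_'

# Shibboleth SP Local Logout handler, relative to the SP host (from the
# report). The `return` parameter that sends the browser back afterwards is an
# assumption of this example.
SHIB_LOCAL_LOGOUT = '/Shibboleth.sso/Logout'

# Turn a raw Cookie request header into a name => value Hash.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    cookies[name] = value.to_s unless name.nil? || name.empty?
  end
end

# Names of the cookies that belong to the SP + application session; any other
# cookie (site preferences etc.) is left alone.
def session_cookie_names(cookies)
  cookies.keys.select do |name|
    name == APP_SESSION_COOKIE || name.start_with?(SHIB_SESSION_PREFIX)
  end
end

# A Set-Cookie header that removes `name` from the browser. Attributes assumed:
# the cookie was set for Path=/ on an HTTPS site.
def expire_cookie(name)
  "#{name}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Secure; HttpOnly"
end

# Build the sign-out response: expire both sessions' cookies and redirect the
# browser to the SP Local Logout handler, which destroys the SP session and
# (assumed `return` parameter) sends the user on to `return_to`.
def sign_out_response(request_cookies, return_to)
  logout = URI(SHIB_LOCAL_LOGOUT)
  logout.query = URI.encode_www_form('return' => return_to)
  {
    status: 302,
    location: logout.to_s,
    set_cookie: session_cookie_names(request_cookies).map { |n| expire_cookie(n) }
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Cookie header: an SP session, an app session, a preference.
  header = '_shibsession_6b2c9e=_d41d8cd98f00b204; _dmproadmap_session=ZjY3Nzk4; theme=dark'
  resp = sign_out_response(parse_cookie_header(header), 'https://dmponline-test.dcc.ac.uk/')
  puts "HTTP #{resp[:status]}"
  puts "Location: #{resp[:location]}"
  resp[:set_cookie].each { |c| puts "Set-Cookie: #{c}" }
end
```

After deploying a change like this, the check from the report still applies: sign out, then load `/Shibboleth.sso/Session` in the same browser; it should no longer report a valid session, and "sign in with your institutional credentials" should go back through discovery.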

sjDCC commented 7 years ago

Thanks for clarification @alexstuart This sounds fine to me then. @vyruss are you ok to implement that?

vyruss commented 7 years ago

No UAT component, closing as it's implemented.