lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

When logging off IDP not contacted to terminate #96

Closed janssen-bart closed 3 years ago

janssen-bart commented 3 years ago

When using the logout button and then refreshing the browser or re-entering the base URL ams.domain.com, the session is not ended properly and you are logged on again. We have configured OpenID against ISAM. Logon is working properly, but the session never gets ended on the ISAM when logout is clicked.

So, when logging off from the Lithnet Access Manager application, it seems that the OpenID Connect Provider (IDP) is not contacted to terminate the user session on the IDP side. Is there any configuration we can do to resolve this issue? In the code and XML config there is a bool parameter regarding IdpLogout, currently set to false. But there doesn't seem to be any documented config parameter to set the URL to log off. How can we trigger the IDP logout URL?

Kind regards

ryannewington commented 3 years ago

Hi @janssen-bart

This behavior is by design. IDP signout can lead to unpredictable results for end users: clicking a logout link in one application destroys their session at the IDP, which can lead to them being booted out mid-session from other apps, especially when API calls are involved. Not a great user experience.

This design choice obviously comes with a trade-off: while we clear the AMS session completely, and no cookies or session state are left behind allowing access to the AMS app, if the IDP session is still active, they get signed right back in, and it may appear that the sign-out link doesn't actually do anything. Also, not a great UX.

Given the two less-than-ideal options, we opted for the 'no side effects' model you see today.

One way around this is to configure the IDP to request a re-authentication on every login to the app. This way, the user can log out of the app and be prompted to re-authenticate for that app only, rather than be booted out of all apps.

As always, we like the decision to ultimately be in your hands, so you can indeed enable IDP sign-out by editing the appsettings.config file and adding the 'IdpLogout' setting manually. The link for IDP sign-out comes from the IDP's own metadata, so this does not need to be supplied.

"Oidc": {
    "Authority": "...",
    "ClientID": "...",
    "Secret": {...},
    "IdpLogout": true
}

Let me know if that addresses your concerns
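Added example (not code from the Access Manager project): a Python sketch of the two sign-out behaviours described above, local-only logout versus RP-initiated logout using the end_session_endpoint from the IDP's discovery metadata, plus an authorization request carrying prompt=login as the RP-side counterpart of per-app re-authentication. The discovery document, hostnames, the client ID and all setting names other than IdpLogout are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed sample of the parts of an OIDC discovery document
# (.well-known/openid-configuration) that matter here. Placeholder hosts only.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oidc/authorize",
    "end_session_endpoint": "https://idp.example.test/oidc/logout",
})

# Hypothetical stand-in for the "Oidc" section of appsettings.config.
OIDC_SETTINGS = {"Authority": "https://idp.example.test", "ClientID": "ams", "IdpLogout": False}


def logout_target(settings, discovery_json, id_token, post_logout_redirect):
    """Return the URL the browser is sent to when the user clicks sign out.

    IdpLogout=false: only the local AMS session is cleared, so the user lands on
    our own post-logout page; the IDP session survives, and the next visit to the
    base URL signs them straight back in (the behaviour reported in this issue).
    IdpLogout=true: OIDC RP-initiated logout, i.e. redirect to the IDP's
    end_session_endpoint, passing id_token_hint so the IDP knows which session to
    end and post_logout_redirect_uri so it knows where to send the user afterwards.
    """
    if not settings.get("IdpLogout", False):
        return post_logout_redirect
    meta = json.loads(discovery_json)
    end_session = meta.get("end_session_endpoint")
    if not end_session:
        # IDP publishes no logout endpoint: degrade to local logout rather than fail.
        return post_logout_redirect
    query = urlencode({"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect})
    return f"{end_session}?{query}"


def reauth_authorize_url(discovery_json, settings, redirect_uri, state, nonce):
    """Authorization request that forces re-authentication (prompt=login) for this
    app only, so a local logout is followed by a fresh credential prompt instead of
    a silent SSO sign-in, without touching the user's sessions in other apps."""
    meta = json.loads(discovery_json)
    query = urlencode({
        "response_type": "code", "client_id": settings["ClientID"],
        "redirect_uri": redirect_uri, "scope": "openid",
        "state": state, "nonce": nonce, "prompt": "login",
    })
    return f"{meta['authorization_endpoint']}?{query}"
```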

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.