mitcho / shibboleth

WordPress Shibboleth plugin

Shibboleth not handling SSO logout #27

Open ghost opened 7 years ago

ghost commented 7 years ago

Hello,

We are using the Shibboleth plugin in an SSO environment where web sites are used in public labs, so logout needs to be handled appropriately!

While doing the basic scenario I have noticed that the logout is handled correctly if we log out from WordPress, but not if we are logging out from another site.

I checked the status (in shibboleth_auto_login if I remember well) and it seems that the Shibboleth session is detected as inactive but the WordPress session is still on.

I'm not fully knowledgeable of WordPress or even Shibboleth, but from what I understand so far, I would need to handle it myself (could be shibboleth_auto_login_logout?).

Handling it on reload would not be too hard, but I guess I would have to install the handler higher up (init, like shibboleth_auto_login?) to make sure to block any AJAX call (but then I would have to know how those blocked AJAX calls will behave from a user standpoint).

Handling a window left open would require more work and there would be some type of polling required (I will have to check if WordPress already offers the infrastructure for that, I would guess so).

Has anyone thought already about this issue? Would it be considered out of scope of the plugin? (From a coding standpoint, it would surely make more sense to implement this in the plugin as the required calls (shibboleth_session_active()) are defined there.)

I will find a solution anyway as it's a requirement for our project, but I will gladly take any pointer if it could help me build something that could be shared.

PS: While implementing a first proof of concept I realised that I will have to read the meta data to know it's a Shibboleth-provisioned account, so as not to log out any user that would have been created outside of the Shibboleth flow.

jrchamp commented 7 years ago

True Single Logout is nigh impossible: https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues. I'm not saying don't try, but don't expect perfection.

The only safe options involve deleting cookies, either directly through IdP logout and SP logout and application logout, or en masse. Please note that the cookie settings for the Shibboleth token may prevent it from being available over HTTP or possibly even JavaScript (AJAX). This may show up as a false failure of shibboleth_session_active().

Session timeouts are also effective for this, so you may be more interested in setting a cookie expiration that is shorter in general. From https://codex.wordpress.org/WordPress_Cookies:

The cookies length can be adjusted with the 'auth_cookie_expiration' hook.
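One way to apply that hook to this thread's scenario, as an added example (not the plugin's own code, and not jrchamp's): shorten the WordPress auth cookie only for accounts carrying the 'shibboleth_account' user meta mentioned in this issue, so an orphaned WordPress session expires on roughly the same schedule as the SP session. The SHIB_WP_COOKIE_TTL constant and the function name are assumptions for this example.

```php
<?php
/**
 * Added example: shorter WordPress auth-cookie lifetime for Shibboleth-provisioned users.
 *
 * WordPress calls apply_filters( 'auth_cookie_expiration', $length, $user_id, $remember )
 * from wp_set_auth_cookie(), with $length = 2 days (or 14 days when "Remember Me" is ticked).
 * Local (non-SSO) accounts keep the default; only users flagged with the 'shibboleth_account'
 * meta key from this thread get the short lifetime.
 */

// Assumed value: align this with the SP/IdP session lifetime configured on your site.
if ( ! defined( 'SHIB_WP_COOKIE_TTL' ) ) {
    define( 'SHIB_WP_COOKIE_TTL', 30 * MINUTE_IN_SECONDS );
}

function shib_example_auth_cookie_expiration( $length, $user_id, $remember ) {
    // Not an SSO-provisioned account: leave WordPress' default lifetime untouched.
    if ( ! get_user_meta( $user_id, 'shibboleth_account', true ) ) {
        return $length;
    }

    // "Remember Me" would otherwise stretch the cookie to 14 days; an SSO account should
    // never outlive the SP session by that much, so cap it regardless of $remember.
    return min( (int) $length, SHIB_WP_COOKIE_TTL );
}
add_filter( 'auth_cookie_expiration', 'shib_example_auth_cookie_expiration', 10, 3 );
```

The cookie's expiry is fixed when it is issued, so a shorter TTL limits how long a WordPress session can survive an SSO logout elsewhere; it does not replace the init-time check the reporter describes below.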

ghost commented 7 years ago

The cookie deletion part is already handled by my coworker's work.

What I would like to handle is more the case where I have:

is_user_logged_in() TRUE
!shibboleth_session_active() FALSE (it looks like I get the correct information)
get_user_meta($user->ID, 'shibboleth_account') TRUE

My simple test looks like the following snippet. I had a few tries that didn't work, but the last one worked as expected (on manual reload). Not sure if it's a timing issue or just an incorrect sync related to my testing setup.

function shibboleth_auto_logout() {
    // WordPress still has a session, but the Shibboleth SP session is gone.
    if ( is_user_logged_in() && ! shibboleth_session_active() ) {
        $user = wp_get_current_user();
        // Only act on accounts provisioned through the Shibboleth flow;
        // leave locally created users alone.
        if ( get_user_meta( $user->ID, 'shibboleth_account' ) ) {
            wp_logout();
            // Redirect or else?
        }
    }
}
add_action( 'init', 'shibboleth_auto_logout' );

I will read the links to make sure I have a better understanding and follow up. I took a note already about session timeout, as I noticed that the WordPress timeouts were not in the same range as the SSO ones (I will have to check here what's the recommended value).

PS: Thinking about it, it's true that a very short WordPress timeout could work. In general, as long as shibboleth_session_active is still active, autologin would take over. If a user logged out from another site and left, then the session would close itself in a reasonable time (depending on the value used). I'll try that; it would definitely be easier than implementing polling from the front end.

ghost commented 7 years ago

Thanks again for the article, it was very useful.

I see it will be difficult to find a solution that could be generic enough to integrate in the main repository. I will use my fork / special branch to handle this for our specific needs; it's just a function so it won't be hard to merge with official Shibboleth updates.

As it is, the "autologout" function I have posted works fine, as we have the compatible mechanism to clear the cookies across multiple sites.

And while testing I noticed that the heartbeat API eventually takes care of "disabling" the window (in about a minute). I was not able to find clear instruction on what we would need to support from a security standpoint, but it looks like doing it this way is already better than some of the other production sites (but they also use tighter URL protection of Shibboleth: the access is protected, but the app will not try to hide the page if a user leaves a page open with some personal information; a little bit less of an issue in the site I'm working on actually, as we will not display much private information (only email) in our stripped user profile page).

The only problem left will be that we were asked to implement front-end type forms for a custom post type, so I will eventually have to reimplement the mechanism (using the heartbeat API, so it should not be too complex).

You can close the issue if you want.