vivekrajenderan / simplesamlphp

Automatically exported from code.google.com/p/simplesamlphp

Logout through "authorize" Module #619

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I believe that this issue was introduced when ticket #522 was fixed. In order 
to reproduce this problem, take the following configuration into account:

The "authorize" module is configured on the IdP, in the SP configuration 
(saml20-sp-remote.php). This is done to copy the behaviour of Feide, where you 
are stopped at the IdP when your affiliation does not have access to the 
requested service provider.

What steps will reproduce the problem?
1. Log in to an SP (SP1) where you are not blocked by the "authorize" module.
2. Attempt to log in to an SP (SP2) where you are blocked by the "authorize" 
module.
3. On the "Access forbidden" page, click "Logout"
4. (observe "Go back to simpleSAMLphp installation page" link)
5. Go back to SP1
6. (observe you are still logged in)

What is the expected output? What do you see instead?
1. Upon clicking "Logout", I expect to be redirected back to the login page so 
that I can log in as another user. Instead, I am presented with a "Go back to 
simpleSAMLphp installation page" link.
2. Upon clicking "Logout", I expect to be logged out from all SPs I am 
currently logged in to. When I try to visit SP1 after clicking Logout, I expect 
to be prompted for credentials.

What version of the product are you using? On what operating system?
Latest stable SimpleSAMLphp (1.11.0) on IdP, same SimpleSAMLphp or mod_mellon 
0.5 as SP.

Original issue reported on code.google.com by yorndej...@gmail.com on 11 Feb 2014 at 11:54

GoogleCodeExporter commented 9 years ago

Original comment by jaim...@gmail.com on 17 Feb 2014 at 11:29

GoogleCodeExporter commented 9 years ago
Hi Yorn!

I'm afraid this is not an issue introduced at any point, but something that has 
never worked. The fix you are referencing is basically a quick fix to allow 
*some* kind of logout, but not a complete SLO.

I've been discussing this briefly with Olav, and there's no easy way to solve 
it, because there's no way to trigger SLO from the authorize module. A possible 
approach would be that both the IdP and SP register their own logout handlers 
in the state array, and then let the authorize module use that handler to 
initiate an SLO. It would be possible then to initiate SLO regardless of where 
you are using the module (right now you get no logout link if you are on the 
SP, for instance), but that's also a non-negligible amount of work, and we've 
decided that it can wait until 2.0.

Original comment by jaim...@gmail.com on 18 Feb 2014 at 12:47
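The handler-in-the-state-array approach described in the comment above, sketched as an added PHP illustration. This is not simpleSAMLphp code and nothing from the project: the state array is modelled as a plain PHP array so the script runs stand-alone, and the key `authorize:LogoutHandler`, the two handler classes and the `registerLogoutHandler`/`handleLogoutClick` functions are all hypothetical names chosen for this sketch.

```php
<?php
// Added illustration of the proposed design; not simpleSAMLphp code.
// The state array is a plain array here, and 'authorize:LogoutHandler',
// HypotheticalIdpLogoutHandler and HypotheticalSpLogoutHandler are
// hypothetical names, not identifiers from the project.

// Hypothetical IdP-side handler: in a real implementation this would hand
// off to the IdP's Single Logout machinery so every SP that received an
// assertion in this session is logged out. Here it only reports the action.
class HypotheticalIdpLogoutHandler
{
    public static function logout(array $state)
    {
        return 'idp-slo:' . $state['Attributes']['uid'][0];
    }
}

// Hypothetical SP-side handler: would end the local SP session and send a
// LogoutRequest to the IdP. Again only reports the action in this sketch.
class HypotheticalSpLogoutHandler
{
    public static function logout(array $state)
    {
        return 'sp-logout:' . $state['Attributes']['uid'][0];
    }
}

// Each side registers its own handler when it builds the processing state,
// before the authorize filter runs. Validate the callable up front so a
// misconfigured handler fails at registration time, not at logout time.
function registerLogoutHandler(array &$state, $class, $method)
{
    if (!is_callable(array($class, $method))) {
        throw new InvalidArgumentException("$class::$method is not callable");
    }
    $state['authorize:LogoutHandler'] = array($class, $method);
}

// What the authorize module's "Access forbidden" page could do with it:
// invoke whichever handler was registered, regardless of whether the filter
// runs on the IdP or on the SP, and fall back to "no SLO available" (the
// behaviour described in the report) when none was registered.
function handleLogoutClick(array $state)
{
    if (empty($state['authorize:LogoutHandler'])) {
        return 'no-handler';
    }
    return call_user_func($state['authorize:LogoutHandler'], $state);
}

// Constructed sample states for the scenario in the report: the same user
// blocked by the authorize filter on the IdP, then on an SP, then with no
// handler registered at all.
$idpState = array('Attributes' => array('uid' => array('yorn')));
registerLogoutHandler($idpState, 'HypotheticalIdpLogoutHandler', 'logout');
echo handleLogoutClick($idpState), "\n";

$spState = array('Attributes' => array('uid' => array('yorn')));
registerLogoutHandler($spState, 'HypotheticalSpLogoutHandler', 'logout');
echo handleLogoutClick($spState), "\n";

$noHandlerState = array('Attributes' => array('uid' => array('yorn')));
echo handleLogoutClick($noHandlerState), "\n";
```

The point of the sketch is the dispatch: the authorize module never needs to know whether it is running on an IdP or an SP, because the side that built the state array also decided what "logout" means there. The fallback branch is what the reporter sees today, and is the case a reviewer would want covered explicitly rather than by an unset-index warning.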

GoogleCodeExporter commented 9 years ago
As a workaround, would it be possible to add a module configuration parameter 
to send the user somewhere else than the SimpleSAMLphp installation page?

Also, I wonder how this is fixed in Feide; when I log in with my NTNU account 
and then try to visit a UNINETT service, I get a button that allows me to log 
in as another user.

Original comment by yorndej...@gmail.com on 20 Feb 2014 at 12:20

GoogleCodeExporter commented 9 years ago

Original comment by jaim...@gmail.com on 26 Feb 2014 at 2:45

GoogleCodeExporter commented 9 years ago
Closing the issue here, moved to:

https://github.com/simplesamlphp/simplesamlphp/issues/53

Original comment by jaim...@gmail.com on 27 Feb 2014 at 7:21