Simplify logout support for Native SP
Description
Environment
MacOS and CentOS
Activity
Scott Cantor March 27, 2012 at 7:26 PM
Closing with documentation for new properties added.
Scott Cantor March 27, 2012 at 7:19 PM
Stephen Chan March 26, 2012 at 11:25 PM
Scott,
I think that looks great.
Steve
Scott Cantor March 26, 2012 at 6:16 PM
But for this to work, I think you mean that you want it to pass control back at the end, and that doesn't work without some internal trick. But something like this:
If requireLogout set and session exists then
    If no signal parameter is set, then
        redirect to a logout initiator with return set to the resource URL along with a signal parameter (e.g. done=1 or some such)
    Else
        pass control on to the resource
    End If
End If
Is that what you mean?
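The flow Scott sketches above, written out as an added example that is not Shibboleth SP code and not from anyone on this thread: a small Python model of the decision a "requireLogout" handler would make on each request, using a done=1 marker as the signal parameter from the sketch. The setting name requireLogout, the marker name done, and the handler path /Shibboleth.sso/Logout (the thread writes it in lowercase) are assumptions; the SP's actual implementation is not shown on this page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names, following the sketch in the comment above; not the SP's real identifiers.
LOGOUT_HANDLER = "/Shibboleth.sso/Logout"
SIGNAL_PARAM = "done"


def build_return_url(resource_url: str, signal: str = SIGNAL_PARAM) -> str:
    """Return resource_url with the signal parameter appended (replacing any
    existing copy), so the request that comes back after logout is recognisable."""
    parts = urlsplit(resource_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != signal]
    query.append((signal, "1"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def handle_request(settings: dict, session_active: bool, request_url: str):
    """Decide what a requireLogout-aware handler does for one request.

    Returns ("pass", None) when control goes on to the resource, or
    ("redirect", location) when the browser is sent to the logout handler.
    The return target is derived from the request URL itself, never from a
    client-supplied parameter, so the redirect target is not attacker-chosen.
    """
    if not settings.get("requireLogout"):
        return ("pass", None)          # setting not enabled: ordinary request
    if not session_active:
        return ("pass", None)          # nothing to log out of
    params = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    if params.get(SIGNAL_PARAM) == "1":
        return ("pass", None)          # second pass: logout already done, stop looping
    location = LOGOUT_HANDLER + "?" + urlencode({"return": build_return_url(request_url)})
    return ("redirect", location)      # first pass: send browser through the logout handler


if __name__ == "__main__":
    # Constructed walk-through: first hit redirects, the return hit passes through.
    cfg = {"requireLogout": True}
    print(handle_request(cfg, True, "https://app.example.org/logout"))
    print(handle_request(cfg, True, "https://app.example.org/logout?done=1"))
```

The signal parameter is what prevents a redirect loop when the SP session is still visible on the way back (for example if cookie removal lags), and the model passes control through unchanged whenever the setting is off or no session exists, which matches the sketch's outer condition.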
Stephen Chan March 26, 2012 at 6:05 PM
Hi Scott,
In the apache config, you can specify:
<Location /protected>
    AuthType shibboleth
    ShibRequestSetting requireSession On
    require valid-user
</Location>
Once you set this in your config file, the NativeSP takes care of redirecting the client to an IdP and returning them to the protected location once they are logged in. The application doesn't even need to be modified if REMOTE_USER is setup to contain the username.
I would like a complementary configuration directive that logs out the user's NativeSP session. Currently the application needs to be modified to redirect the browser to /Shibboleth.sso/logout?return=URL
Something like:
<Location /logout>
    AuthType shibboleth
    ShibRequestSetting requireSession off
    ShibRequestSetting requireLogout on
</Location>
Where the "requireLogout" setting tells the module to force a redirect to Shibboleth.sso/logout if the browser has an active session. In this way, the logout URL of an application can take care of the application logout, without needing any special code to log out of the NativeSP session as well.
It doesn't have to be implemented like this of course, but I (and others I have spoken to) would like this kind of functionality.
Steve
Logouts from NativeSP shib sessions are not as transparent and clean as logins. Specifically:
1) The NativeSP module for Apache will transparently redirect the user to the IdP for login, filling in the return URL. Logouts currently don't have comparable support - the application needs to perform the redirect or Apache rewrite rules need to be created to construct the redirect and return URL. It is all doable, but logout support requires a lot more monkeying around than login. Adding this would make it possible for lots of legacy web apps to transparently handle login and logout from shib.
2) The names of cookies used for shib sessions are undisclosed. If an application wants to expire the cookies/sessions without doing a redirect the recommended practice is to kill any cookie that doesn't look familiar. This is unsatisfactory and it would be helpful to have some attribute that enumerates the names of the shib session cookies. The particular issue with this is that shib support may be only a single module in a package that has multiple modules, and it isn't possible to know all the cookie names used by other modules. The general problem with this is "hygiene" related - killing state based on a guessing game has unknown side effects.
The changes are hopefully trivial to implement, and I think they do improve the usability of the tools - at least for admins and integrators.