Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] IdP Session Issue - Automatic Login

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] IdP Session Issue - Automatic Login


Chronological Thread 
  • From: Peter Brand <peter.brand AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] IdP Session Issue - Automatic Login
  • Date: Fri, 30 Jun 2023 11:27:13 +0200

Andreas,

* Andreas Theodorou <andreas.theodorou AT cynet.ac.cy> [2023-06-30 09:58]:
> The issue arises when a user logs out of the system and then
> attempts to log in again. Instead of being prompted for his email
> and password, the user is automatically logged in without any
> authentication prompts.

Logs out where and logs out how? The Shibboleth IDP software (because
you mentioned this specifically but the issue goes well beyond this)
does support SLO these days (it didn't always) but that's not worth a
lot when hardly any SAML SP does.

(This old page illustrates some of the technical requirements for SLO
to work reliably. A pretty much universal lack of deploying the
methods required to support backchannel logouts is also the reason
we'll never be able to use this across the SPs available via eduGAIN:
https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645229/SLOIssues)

Also, current trends from browser vendors (wrt 3rd party cookies; here
mostly to inform the subject from the IDP's web site what SPs it was
able to successfully log you out from) will also make the existing
support much harder or impossible going forward.

I.e., the expectation that SLO works and does so reliably everywhere
is unrealistic.

And having any form of logout available that's *not* reliable means
you'll have to clearly communicate to the subject what to do about it
when you're only logged out of one service out of a list of mayne a
dozen you logged in earlier -- which mostly leaves "close the browser"
as the sole and simplest which, of course, is also what people would
do if no logout at all were offered at all. (I.e., your "plan B" also
takes care of the "plan A" if you ever had one.)

Therefore some people, including myself, think this is a lost cause
and federations have stopped at working SSO integrations with both
IDPs and SPs and therefore working SLO was never part of any
requirements or acceptance tests.
To me there are only very few things one can do about this, none
having to do with configuration files on your Shibboleth IDP:

* For shared computers, labs, kisok computers, etc. under your control
you need to make sure those have a large, friendly button that
allows to terminate the whole OS session including any and all
applications running which also wipes any local state. Plus maybe a
sign on the monitor to make sure to end your session that way.
(Only) If you give people a chance to "log out" from everything that
way you can make them responsible for not having done so (including
any potential misuse of their data).
(For shared maschines not under your control it's probably best to
advise people from avoiding those for security reasons: If there's a
chance any "state" from previous users remains on that machine you
probably shouldn't be entering your credentials on such a machine as
there might be resident malware lurking.)

* For personal devices (user-specific PC, laptop, mobile devices,
etc.) I don't see a need to ever log out of web sites: Most of these
devices will have *other* state (and data) from other applications
completely unrelated to federated WebSSO that will need protection
from prying eyes. The simple solution to both problems -- besides
never giving your personal device to someone else to use
unattended -- is to lock your complete device, not log out of some
web applications. Not only does this make for better security
(protects more data; doesn't require a new skill to learn) it also
makes the SLO issue moot.

* Make it a habit for yourself and document this clearly for others to
start a "private browsing session" / "incognito browser instance"
*before* doing any work you'd like to be able to "log out" from
later easily, including when handing your laptop over to a colleage
for a short time (while you're still close in order to prevent them
from reading, copying or modifying other, possibly very private,
data may have stored on that machine).

HTH,
-peter



Archive powered by MHonArc 2.6.24.

Top of Page