Logout through "authorize" Module (was #619) #53
From yorndej...@gmail.com on February 11, 2014 12:54:34
I believe that this issue was introduced when ticket #522 was fixed. In order to reproduce this problem, take the following configuration into account:
The "authorize" module is configured on the IdP, in the SP configuration (saml20-sp-remote.php). This is done to copy the behaviour of Feide, where you are stopped at the IdP when your affiliation does not have access to the requested service provider.
What steps will reproduce the problem?
1. Log in to an SP (SP1) where you are not blocked by the "authorize" module.
Original issue: http://code.google.com/p/simplesamlphp/issues/detail?id=619
From jaim...@gmail.com on February 18, 2014 04:47:16
I'm afraid this is not an issue introduced at any point, but something that has never worked. The fix you are referring to is basically a quick fix to allow basically some kind of logout, but not a complete SLO.
I've been discussing this briefly with Olav, and there's no easy way to solve it, because there's no way to trigger SLO from the authorize module. A possible approach would be that both the IdP and SP register their own logout handlers in the state array, and then let the authorize module use that handler to initiate a SLO. It would be possible then to initiate SLO regardless of where you are using the module (right now you get no logout link if you are on the SP, for instance), but that's also a non-negligible amount of work, and we've decided that it can wait until 2.0.
From yorndej...@gmail.com on February 20, 2014 04:20:56
As a workaround, would it be possible to add a module configuration parameter to send the user somewhere other than the SimpleSAMLphp installation page?
Also, I wonder how this is fixed in Feide; when I log in with my NTNU account and then try to visit a UNINETT service, I get a button that allows me to log in as another user.
Sorry, looks like I didn't notice your message while migrating everything to GitHub.
We'll try to solve this for 2.0, but meanwhile we decided not to do anything for 1.12. In Feide we solve this by means of the Feide module, which takes care of situations like this (though it should be improved). That module is internal and not part of SimpleSAMLphp, which is why it works in Feide but not with SSP's standard distribution.