Shibboleth log off doesnt clear the cookies #3535
Comments
|
@Venki18 thanks for opening this issue. I was saying to @djbrooke yesterday that I don't recall spending a lot of time thinking about Log Out when we were designing the Shibboleth feature but I just took a look at the "Shibboleth Functional Requirements Document for Dataverse 4.0" doc at https://docs.google.com/document/d/12Qru8Gjq4oDUiodI00oObHJog65S7QzFfFZuPU3n8aU/edit?usp=sharing and under "Log Out" it says this:
We never developed that pop up about the need to quit your browser to log all the way out and I'm not sure why. It never became part of the remote auth phase 1 effort in #2939 either. As an aside, I've always been a little puzzled by text in https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues such as:
I haven't really dug into what's possible and have pretty much just accepted the out of the box behavior of Shibboleth. I will say that now that we're working on OAuth support in #3338, @pameyer has expressed concern about logout behavior for OAuth as well, such as at #3338 (comment) @Venki18 if I were you I'd try asking your Shibboleth Identity Provider (IdP) team to have a short time out such as 10 minutes, as suggested above. If you have suggestions for how we can update the Shibboleth section of the Installation Guide, please do let us know. |
|
@pdurbin Thank you. I will talk to my IT team about this. Will let you know if there is anything that has to be updated on Shibboleth section. |
|
@Venki18 does any of the new information at https://groups.google.com/d/msg/dataverse-community/rSokUwua8-s/edAfx0X0AQAJ help? |
|
I believe that my attempted implementation of Single Logout for Shibboleth may be relevant to this issue: |
|
@aivanov100 thanks for attaching Here's a handy direct link: https://groups.google.com/group/dataverse-dev/attach/7ef6ef254bbc7/ShibAuthFilter.java?part=0.1&authuser=0&view=1 |
|
Yesterday @aivanov100 did some more testing and wrote up some results at https://groups.google.com/d/msg/dataverse-dev/_PU0SvYvrXc/rbGIr6AFCQAJ and I'll respond there, hopefully this morning. |
|
I dashed off a reply at https://groups.google.com/d/msg/dataverse-dev/_PU0SvYvrXc/E9CkPMZ4AAAJ . I'm going on vacation so I'm unassigning myself for now. |
|
@aivanov100 I'm going to drag this from "Code Review" to "Backlog" at https://waffle.io/IQSS/dataverse so as not to distract the team at our daily standups but please make noise if there's some more code you want us to look at. Thanks! |
|
@Venki18 please try the new http://guides.dataverse.org/en/4.6.2/installation/config.html#shibpassiveloginenabled I'm going to close this issue but please let us know if it doesn't work! It should! 😄 |
|
Dear Phil
Thank you for including this option in the newer version. We will be moving to version 4.7 soon and will be turning on this option in that version.
Thanks and Regards
Venki
… On 23 Jun 2017, at 8:32 PM, Philip Durbin ***@***.***> wrote:
Closed #3535 <#3535>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#3535 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ASs_cmfIZ6_EQTD_WL4fdTguME0X8aDxks5sG7BSgaJpZM4LO7UI>.
|
|
@Venki18 that's great news! Don't forget to request that we put your installation on the map! http://guides.dataverse.org/en/4.7/installation/config.html#putting-your-dataverse-installation-on-the-map-at-dataverse-org |
We would like to report the problem with Shibboleth login. The shibboleth logoff doesn’t clear the cookie / session so the user is able to login again without entering the credentials. But this problem does not appear if a user login using local account and then login again with Shibboleth login. We are not sure whether is this a problem with Shibboleth setup or Dataverse log off action.
The text was updated successfully, but these errors were encountered: