Does the IdP keep track of connected SP's?


Does the IdP keep track of connected SP's?

Frank Lonigro
        At logout (using logout.jsp), is it possible to list all the SP's
that the user has authenticated to?  What we would like to be able to do
is to present the user with a page during logout that shows which SP's
they connected to, which ones they are logged out of (i.e. the one they just
logged out of by clicking the site's "sign out" link), and which ones they
still need to go to and log out of.  Is this possible?

Thanks,
-Frank

Re: Does the IdP keep track of connected SP's?

Chad La Joie
What logout.jsp?  The IdP doesn't support logout.

Frank Lonigro wrote:
> At logout (using logout.jsp), is it possible to list all the SP's
> that the user has authenticated to?  What we would like to be able to do
> is to present the user with a page during logout that shows which SP's
> they connected to, which ones they are logged out of (i.e. the one they just
> logged out of by clicking the site's "sign out" link), and which ones they
> still need to go to and log out of.  Is this possible?
>
> Thanks,
> -Frank

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: Does the IdP keep track of connected SP's?

Peter Schober
In reply to this post by Frank Lonigro
* Frank Lonigro <[hidden email]> [2009-06-15 18:07]:
> At logout (using logout.jsp), is it possible to list all the SP's
> that the user has authenticated to?  What we would like to be able to do
> is to present the user with a page during logout that shows which SP's
> they connected to, which ones they are logged out of (i.e. the one they just
> logged out of by clicking the site's "sign out" link), and which ones they
> still need to go to and log out of.  Is this possible?

The simpleSAMLphp IdP does something like this, see this page for some
screenshots: https://rnd.feide.no/content/feide-idp-simplesamlphp
-peter


Re: Does the IdP keep track of connected SP's?

Frank Lonigro
In reply to this post by Frank Lonigro
        In configuring Google Apps for use with our IdP, Google's form asked
for a "logout" URL.  We entered https://OurDomain/idp/logout.jsp.  That JSP
takes care of invalidating the session cookies and then redirects to our own
logout which in turn invalidates the users credentials.

        That works fine for someone who only logs into one SP, like Google
Apps.  But someone who accesses more than one SP may not realize that
they haven't actually been logged out of the other sites.  So, just like the
Feide SimpleSAMLphp IdP, we would like to tell the user which SP sites they
have connected to and give them a way to log out of them.

        Does the IdP keep track of the SP's that a user connects to?  Where
is that kept?  In a browser cookie?

Thanks for your help on this,
Frank


>Chad La Joie wrote:
>
>What logout.jsp?  The IdP doesn't support logout.
>
>
>In message <[hidden email]> you write:
>> At logout (using logout.jsp), is it possible to list all the SP's
>>that the user has authenticated to?  What we would like to be able to do
>>is to present the user with a page during logout that shows which SP's
>>they connected to, which ones they are logged out of (i.e. the one they just
>>logged out of by clicking the site's "sign out" link), and which ones they
>>still need to go to and log out of.  Is this possible?
>>
>>Thanks,
>>-Frank

Re: Does the IdP keep track of connected SP's?

Peter Schober
* Frank Lonigro <[hidden email]> [2009-06-15 19:01]:
> Does the IdP keep track of the SP's that a user connects to?  Where
> is that kept?  In a browser cookie?

Have a look at
https://spaces.internet2.edu/display/SHIB2/Shibboleth22Roadmap
https://spaces.internet2.edu/display/SHIB2/SLOIssues
-peter

RE: Does the IdP keep track of connected SP's?

Cantor, Scott E.
In reply to this post by Frank Lonigro
Frank Lonigro wrote on 2009-06-15:
> That works fine for someone who only logs into one SP, like Google
> Apps.  But someone who accesses more than one SP may not realize
> that they haven't actually been logged out of the other sites.  So, just
> like the Feide SimpleSAMLphp IdP, we would like to tell the user which
> SP sites they have connected to and give them a way to log out of them.

That requires full SLO logout support, which this IdP doesn't have.

> Does the IdP keep track of the SP's that a user connects to?  Where
> is that kept?  In a browser cookie?

No, it's tracked with the other session data, but I don't believe there's
any public interface to it, and even if there were, using it would amount to
implementing SLO, because there's no other protocol to use to contact the
SPs.

-- Scott



Re: Does the IdP keep track of connected SP's?

Frank Lonigro
In reply to this post by Frank Lonigro
>>    Does the IdP keep track of the SP's that a user connects to?  Where
>> is that kept?  In a browser cookie?
>
>No, it's tracked with the other session data, but I don't believe there's
>any public interface to it, and even if there were, using it would amount to
>implementing SLO, because there's no other protocol to use to contact the
>SPs.

        So, there is no way, from the IdP side, to list out and/or iterate
over, which SP's a user has been logged into?

        As a first step in the right direction, it would be nice to inform
the user that they just logged out and conditionally give them the option
to close their browser in the case where they were logged into more than
one SP.  That, at the very least, seems very basic.  We were hoping that
this could all be handled via the logout.jsp code, but it is sounding like
that won't be possible.

        We understand that the IdP does not yet implement SLO, but we were
hoping for a UI solution that might help ease confusion on the part of
the user.

        Any other input/insight would be appreciated.

-Frank

RE: Does the IdP keep track of connected SP's?

Cantor, Scott E.
Frank Lonigro wrote on 2009-06-15:
> So, there is no way, from the IdP side, to list out and/or iterate
> over, which SP's a user has been logged into?

Not a supported one that I'm aware of.

> As a first step in the right direction, it would be nice to inform
> the user that they just logged out and conditionally give them the option
> to close their browser in the case where they were logged into more than
> one SP.  That, at the very least, seems very basic.  We were hoping that
> this could all be handled via the logout.jsp code, but it is sounding like
> that won't be possible.

I would assume they're probably logged into something else, and I don't know
that it matters much what they're logged into if you can't do anything with
the information.
 
-- Scott



Re: Does the IdP keep track of connected SP's?

Peter Schober
In reply to this post by Frank Lonigro
* Frank Lonigro <[hidden email]> [2009-06-15 21:52]:
> We understand that the IdP does not yet implement SLO, but we were
> hoping for a UI solution that might help ease confusion on the part
> of the user.

For deployments where SPs are only accessible by a single IdP
(e.g. intra-campus SSO) the SP's "logout" can:
- clean/wipe up any application sessions
- clean/wipe up the Shibboleth session, e.g. via
  /Shibboleth.sso/Logout
- pass a parameter (return=<urlencoded-URL>) to the Logout handler
  which points at a location at the IdP
- on the IdP all you can currently do is overwrite/invalidate the IdP's
  cookies, possibly after informing that all (but the most recently
  visited) applications might still have a session and that the
  browser needs to be closed in that case.
- Russell Beall on Tue, 16 Sep 2008 10:11:38 -0700 described a "trick"
  to use HTML <img src=""> elements on that IdP page which
  point to the logout handlers/scripts of the most important (or
  any/all known) SPs usable by that IdP (one for each SP). This could
  amount to something like a proprietary poor man's front channel SLO,
  but at least all SLOIssues for front channel SLO also apply here
  (see the eponymous wiki page).

-peter
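The IdP-side page from the last two points above, written out as an added example (not Shibboleth IdP code and not from anyone in this thread): it tells the user that other applications may still hold a session and embeds one <img> per known SP logout handler, the "poor man's front channel SLO". The SP names and URLs are placeholders; the list of SPs is assumed to come from server-side configuration, and clearing the IdP's own cookies is left to the logout page that invokes this.

```java
import java.util.List;

/** Added example, not Shibboleth code: builds the IdP "logged out" page from
 *  the thread (inform the user, then one <img> per known SP logout handler).
 *  All SP names and URLs below are placeholders. */
public final class LogoutPageBuilder {

    /** A known SP: display name plus the URL of its logout handler. */
    public record Sp(String name, String logoutUrl) {}

    /** Escape text for safe use in HTML text and double-quoted attributes. */
    static String esc(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '&': b.append("&amp;"); break;
                case '<': b.append("&lt;"); break;
                case '>': b.append("&gt;"); break;
                case '"': b.append("&quot;"); break;
                default:  b.append(ch);
            }
        }
        return b.toString();
    }

    /** knownSps: server-side configuration of the SPs this IdP serves, never
     *  built from request input (otherwise any page could make the browser fire
     *  requests at arbitrary URLs). justLeft: the SP whose "sign out" link
     *  brought the user here (already logged out), or null if unknown. */
    public static String build(List<Sp> knownSps, String justLeft) {
        StringBuilder h = new StringBuilder("<html><body><h1>You are logged out of the IdP</h1>\n");
        h.append("<p>Other applications may still hold a session; close your browser to end them.</p>\n<ul>\n");
        for (Sp sp : knownSps) {
            if (sp.name().equals(justLeft)) continue;   // user already signed out of this one
            // A 1x1 image whose src is the SP logout handler: loading this page
            // makes the browser send a GET to each SP, which drops its session.
            h.append("<li>").append(esc(sp.name()))
             .append(" <img src=\"").append(esc(sp.logoutUrl()))
             .append("\" width=\"1\" height=\"1\" alt=\"\"></li>\n");
        }
        return h.append("</ul></body></html>\n").toString();
    }

    public static void main(String[] args) {
        List<Sp> sps = List.of(new Sp("Google Apps", "https://sp-a.example.org/Shibboleth.sso/Logout"),
                               new Sp("Campus wiki", "https://sp-b.example.org/Shibboleth.sso/Logout"));
        System.out.print(build(sps, "Google Apps"));
    }
}
```

As the post notes, the SLOIssues wiki page's caveats for front channel SLO apply to this page just as much: an SP whose image request fails or times out silently keeps its session.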

Re: Does the IdP keep track of connected SP's?

Frank Lonigro
In message <[hidden email]> you write:

>* Frank Lonigro <[hidden email]> [2009-06-15 21:52]:
>> We understand that the IdP does not yet implement SLO, but we were
>> hoping for a UI solution that might help ease confusion on the part
>> of the user.
>
>For deployments where SPs are only accessible by a single IdP
>(e.g. intra-campus SSO) the SP's "logout" can:
>- clean/wipe up any application sessions
>- clean/wipe up the Shibboleth session, e.g. via
>  /Shibboleth.sso/Logout
>- pass a parameter (return=<urlencoded-URL>) to the Logout handler
>  which points at a location at the IdP
>- on the IdP all you can currently do is overwrite/invalidate the IdP's
>  cookies, possibly after informing that all (but the most recently
>  visited) applications might still have a session and that the
>  browser needs to be closed in that case.
>- Russell Beall on Tue, 16 Sep 2008 10:11:38 -0700 described a "trick"
>  to use HTML <img src=""> elements on that IdP page which
>  point to the logout handlers/scripts of the most important (or
>  any/all known) SPs usable by that IdP (one for each SP). This could
>  amount to something like a proprietary poor man's front channel SLO,
>  but at least all SLOIssues for front channel SLO also apply here
>  (see the eponymous wiki page).
>
>-peter

        Thanks, Peter!
       
        Points 1 and 2 above are handled by the SP (in our case, at the
moment, that SP is Google Apps) which provides a "sign out" link on their
website (not all SP's provide such a link, we are finding out).

        The rest of your points, we are handling with the following
logout.jsp configured into our IdP (this code came from another thread
of this mailing list).

# cat ./webapps/idp/logout.jsp
<%
// Expire the IdP's own cookies. Note that these cookie names are an
// implementation detail of the IdP, not a documented interface, so an
// upgrade could rename them.
Cookie c;

c = new Cookie("JSESSIONID", null);
c.setPath("/idp");
c.setMaxAge(0);          // max-age 0 instructs the browser to delete the cookie
response.addCookie(c);

c = new Cookie("_idp_session", null);
c.setPath("/idp");
c.setMaxAge(0);
response.addCookie(c);

// Drop the server-side servlet session as well.
session.invalidate();

// Hand off to the site-wide logout page, passing along (URL-encoded) where
// the user came from and the return URL the SP's Logout handler supplied.
String redirect="http://OurDomain/logout";
String service=request.getParameter("return");
String referer=request.getHeader("Referer");
boolean queryStart=false;

if(referer != null){
        referer=java.net.URLEncoder.encode(referer, "UTF-8");
        redirect +="?referer="+referer;
        queryStart=true;
}

if(service != null){
        service=java.net.URLEncoder.encode(service, "UTF-8");
        if(queryStart)  redirect +="&";
        else  redirect +="?";
        //redirect +="service="+service;
        redirect +="url="+service;
}

response.sendRedirect(redirect);
%>
#

        To address your last 2 points, we could modify our "logout" script
accordingly, as you say, a poor man's SLO.  That isn't so terrible, I suppose,
but we were really hoping there was a way to be a little more informative
and tell the user that they were still logged into so-and-so SP's and give
them a chance to "sign out" of each one, rather than just listing "all"
possible SP's that we know are configured and they could have been logged
into.

        If anyone has any other ideas, let me know.
       
Thanks for your help,
-Frank


RE: Does the IdP keep track of connected SP's?

Cantor, Scott E.
Frank Lonigro wrote on 2009-06-16:
> The rest of your points, we are handling with the following
> logout.jsp configured into our IdP (this code came from another thread
> of this mailing list).

Note that your code is depending on the name(s) of the cookies used by the
IdP, which to my knowledge are not a documented interface. That is to say,
you could apply an upgrade someday and the cookie names could be changed on
you.
 
(If I'm wrong on that, I'm sure Chad will clarify. This has come up with the
SP a few times, so I wanted to make a point of it.)

> To address your last 2 points, we could modify our "logout" script
> accordingly, as you say, a poor man's SLO.  That isn't so terrible, I
> suppose, but we were really hoping there was a way to be a little more
> informative and tell the user that they were still logged into so-and-so
> SP's and give them a chance to "sign out" of each one, rather than just
> listing "all" possible SP's that we know are configured and they could
> have been logged into.

Supporting that would be tantamount to implementing SLO. It's the UI that
makes up all the work, not the protocol.

-- Scott



Re: Does the IdP keep track of connected SP's?

Chad La Joie
Correct.

Scott Cantor wrote:
> Note that your code is depending on the name(s) of the cookies used by the
> IdP, which to my knowledge are not a documented interface. That is to say,
> you could apply an upgrade someday and the cookie names could be changed on
> you.
>  
> (If I'm wrong on that, I'm sure Chad will clarify. This has come up with the
> SP a few times, so I wanted to make a point of it.)

