Logout Problem


Logout Problem

Daniele Russo
Hi, I am new to Shibboleth.
My installation works fine, but when I log out and log in again, the SP doesn't change the attribute value in the header, in particular the value of "REMOTE_USER".
I use local logout in an intranet application.

    <StorageService type="ODBC" id="db" cleanupInterval="900">
        <ConnectionString>
        DSN=B_10.0.0.42;DBQ=B_10.0.0.42;UID=ADMINTERFACE;PWD=ADMINTERFACE
        </ConnectionString>
    </StorageService>
    <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="db"/>
    <ArtifactMap StorageService="db" artifactTTL="180"/>

    <ApplicationDefaults id="default" policyId="default"
        entityID="https://intranetsv.inarcassa.it/shibboleth"
        homeURL="https://intranetsv.inarcassa.it/index.html"
        REMOTE_USER="cn"
        signing="false" encryption="false"


        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/Shibboleth.sso" handlerSSL="false"
            exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
            idpHistory="false" idpHistoryDays="7">

            <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
                <!--LogoutInitiator type="SAML2" template="bindingTemplate.html"/-->
                <LogoutInitiator type="Local"/>
            </LogoutInitiator>

Can you help me?

Re: Logout Problem

Chad La Joie
I'm not sure why it would change.  The local logout would run,
destroying the session.  The next time you hit a page you'd go back to
the IdP, get the same session (since the IdP doesn't support SLO yet)
and end up back at the SP.  It seems pretty likely that whatever is
being mapped to the REMOTE_USER would have the same value both times.

Do you know for certain this information is changing on the IdP side?

Daniele Russo wrote:

> Hi,I am new in Shibboleth.
> My installation works fine, but when I logout and relogin, the SP doesn't
> change the attribute value in the header, in particular the value of
> "REMOTE_USER".
> I use local logout in a intranet application.
>
>     <StorageService type="ODBC" id="db" cleanupInterval="900">
>         <ConnectionString>
>         DSN=B_10.0.0.42;DBQ=B_10.0.0.42;UID=ADMINTERFACE;PWD=ADMINTERFACE
>         </ConnectionString>
>     </StorageService>
>     <SessionCache type="StorageService" StorageService="db"
> cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
>     <ReplayCache StorageService="db"/>
>     <ArtifactMap StorageService="db" artifactTTL="180"/>
>
>     <ApplicationDefaults id="default" policyId="default"
>         entityID="https://intranetsv.inarcassa.it/shibboleth"
>         homeURL="https://intranetsv.inarcassa.it/index.html"
>         REMOTE_USER="cn"
>         signing="false" encryption="false"
>
>
>         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>             handlerURL="/Shibboleth.sso" handlerSSL="false"
>             exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
>             idpHistory="false" idpHistoryDays="7">
>
>             <LogoutInitiator type="Chaining" Location="/Logout"
> relayState="cookie">
>                 <!--LogoutInitiator type="SAML2"
> template="bindingTemplate.html"/-->
>                 <LogoutInitiator type="Local"/>
>             </LogoutInitiator>
>
> Can you help me?
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: Logout Problem

Daniele Russo
If I close the browser, the headers are rewritten!
I think that the "SP" doesn't update these attributes if they are set!

thanks

2009/1/12 Chad La Joie <[hidden email]>
> I'm not sure why it would change.  The local logout would run,
> destroying the session.  The next time you hit a page you'd go back to
> the IdP, get the same session (since the IdP doesn't support SLO yet)
> and end up back at the SP.  It seems pretty likely that whatever is
> being mapped to the REMOTE_USER would have the same value both times.
>
> Do you know for certain this information is changing on the IdP side?
>
> Daniele Russo wrote:
> > Hi,I am new in Shibboleth.
> > My installation works fine, but when I logout and relogin, the SP doesn't
> > change the attribute value in the header, in particular the value of
> > "REMOTE_USER".
> > I use local logout in a intranet application.
> >
> >     <StorageService type="ODBC" id="db" cleanupInterval="900">
> >         <ConnectionString>
> >         DSN=B_10.0.0.42;DBQ=B_10.0.0.42;UID=ADMINTERFACE;PWD=ADMINTERFACE
> >         </ConnectionString>
> >     </StorageService>
> >     <SessionCache type="StorageService" StorageService="db"
> > cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
> >     <ReplayCache StorageService="db"/>
> >     <ArtifactMap StorageService="db" artifactTTL="180"/>
> >
> >     <ApplicationDefaults id="default" policyId="default"
> >         entityID="https://intranetsv.inarcassa.it/shibboleth"
> >         homeURL="https://intranetsv.inarcassa.it/index.html"
> >         REMOTE_USER="cn"
> >         signing="false" encryption="false"
> >
> >
> >         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> >             handlerURL="/Shibboleth.sso" handlerSSL="false"
> >             exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
> >             idpHistory="false" idpHistoryDays="7">
> >
> >             <LogoutInitiator type="Chaining" Location="/Logout"
> > relayState="cookie">
> >                 <!--LogoutInitiator type="SAML2"
> > template="bindingTemplate.html"/-->
> >                 <LogoutInitiator type="Local"/>
> >             </LogoutInitiator>
> >
> > Can you help me?
> >
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> [hidden email], http://www.switch.ch
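
The flow Chad describes (local logout destroys only the SP session while the IdP session survives) and Daniele's observation that closing the browser changes the result, modelled as an added example; it is not code from the thread or from Shibboleth. The `Browser`, `IdP` and `SP` classes, the cookie names and the users "alice" and "bob" are hypothetical simplifications.

```python
import secrets

class Browser:
    def __init__(self):
        self.cookies = {}
    def close(self):
        self.cookies.clear()              # session cookies die with the browser

class IdP:
    """Toy IdP: keeps its own SSO session, keyed by its own cookie."""
    def __init__(self):
        self.sso = {}                     # IdP cookie -> authenticated user
        self.prompts = 0                  # times credentials were actually requested
    def authenticate(self, browser, person_at_keyboard):
        cookie = browser.cookies.get("idp")
        if cookie not in self.sso:        # no IdP session: show the login form
            self.prompts += 1
            cookie = secrets.token_hex(8)
            self.sso[cookie] = person_at_keyboard
            browser.cookies["idp"] = cookie
        return {"cn": self.sso[cookie]}   # attributes released to the SP

class SP:
    """Toy SP with a session cache and REMOTE_USER="cn" as in the posted config."""
    def __init__(self, idp):
        self.idp, self.cache = idp, {}
    def request(self, browser, person_at_keyboard):
        sid = browser.cookies.get("sp")
        if sid not in self.cache:         # no SP session: round trip to the IdP
            sid = secrets.token_hex(8)
            self.cache[sid] = self.idp.authenticate(browser, person_at_keyboard)
            browser.cookies["sp"] = sid
        return self.cache[sid]["cn"]      # value exported as REMOTE_USER
    def local_logout(self, browser):
        # Destroys only the SP session; the IdP is never contacted.
        self.cache.pop(browser.cookies.pop("sp", None), None)

def scenario():
    """Constructed walk-through; 'alice' and 'bob' are made-up users."""
    idp = IdP()
    sp = SP(idp)
    browser = Browser()
    first = sp.request(browser, "alice")
    sp.local_logout(browser)
    second = sp.request(browser, "bob")   # bob is never prompted: IdP session reused
    prompts_before_close = idp.prompts
    browser.close()
    third = sp.request(browser, "bob")    # fresh browser: IdP prompts again
    return first, second, prompts_before_close, third, idp.prompts
```

On a shared workstation this means a local logout alone leaves the previous user's identity in place for the next person until the IdP session ends or the browser is closed.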



WANTED - Someone who can chat to me about shib2 on sles10

Mike Barton
Hi,
I am going in circles here and need to exchange 1 to 1 email or IM with someone who has done this and can explain why every time I follow some forum advice it breaks what I have done so far.
Frustrating is putting it mildly.
I need to get this supposedly simple installation finished and done but ,,,,, argggggg

Build is SLES10SP2, with default Apache 2, Tomcat 6, jdk1.0.6 and Shib 2.0.
Regards,
Mike


RE: Logout Problem

Cantor, Scott E.
In reply to this post by Daniele Russo
> If I close the browser, the headers are rewritten!
> I think that the "SP" doesn't update this attributes if they be sets!

You're incorrect. REMOTE_USER cannot be set any way other than the same way
headers are created, and is even more difficult to "accidentally" set.

All you have to do is trace the attribute set it's caching and analyze the
settings you're using. If you're using "cn" as REMOTE_USER, which of course
is a bad choice anyway, then I promise you the value of cn isn't changing.

-- Scott



Re: WANTED - Someone who can chat to me about shib2 on sles10

Christopher M. Coballes
In reply to this post by Mike Barton
Hi Mike,

Please give me your ID (mail). I am going to give a simple tutorial, and please
give some comments to improve it.

I hope it could help you.

Thanks

Christopher M. Coballes
Manila, Philippines

On Mon, Jan 12, 2009 at 7:32 AM, Mike Barton <[hidden email]> wrote:
> Hi,
> I am going in circles here and need to exchange 1 to 1 email or IM with someone who has done this and can explain why every time I follow some forum advice it breaks what I have done so far.
> Frustrating is putting it mildly.
> I need to get this supposedly simple installation finished and done but ,,,,, argggggg
>
> Build is SLES10SP2, with default Apache 2, Tomcat 6, jdk1.0.6 and Shib 2.0.
> Regards,
> Mike



Re: WANTED - Someone who can chat to me about shib2 on sles10

Peter Schober
Christopher,

* Christopher M. Coballes <[hidden email]> [2009-01-13 02:32]:
> Please give me your ID(mail),I am going to give a simple tutorials and
> please
> have some comments to improve this

His email address is part of the message you replied to.

And the tutorial you refer to (which you also sent to me for some
reason) won't help Mike with diagnosing the specific problem he's
having. Only looking at the log files and asking questions about
anything unclear will.

Cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Re: WANTED - Someone who can chat to me about shib2 on sles10

Christopher M. Coballes


On Tue, Jan 13, 2009 at 3:34 AM, Peter Schober <[hidden email]> wrote:
> Christopher,
>
> * Christopher M. Coballes <[hidden email]> [2009-01-13 02:32]:
> > Please give me your ID(mail),I am going to give a simple tutorials and
> > please
> > have some comments to improve this
>
> His email address is part of the message you replied to.
>
> And the tutorial you refer to (which you also sent to me for some
> reason) won't help Mike with diagnosing the specific problem he's
> having. Only looking at the log files and asking questions about
> anything unclear will.

Hi Sir Peter,

What I can offer to Mr. Mike is a simple working model, and what I have there includes the log files (SP<->IdP), so that he could compare, because what I knew is.. for simple installations (oh my GOD.)

IdP
access.log
error.log
etc....log
SP
shibd.log
transaction.log
etc...log

By the way, Sir, may I ask a favor for some comments on the simple tutorials (I will have
next a Linux & OS simple federations).

Thanks Sir Peter.

Christopher M. Coballes
Manila, Philippines
 


> Cheers,
> -peter
>
> --
> [hidden email] - vienna university computer center
> Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
> Tel. +43-1-4277-14155, Fax. +43-1-4277-9140