OO does not kill sessions for ADFS users - after upgrade OO from 10.5.1 to 12.2.7

Jakub Wasielewski
Feb 14, 2018, 8:58:16 AM
to OpenOLAT
Hello community,

We have updated OO from version 10.5.1 to version 12.2.7.

After this update, sessions for users who log in through ADFS are not killed after logging out.

The user, after clicking the "log out" button, is transferred to the login page, but after pressing "back" in the browser, he regains access to OO. Also, after entering the direct server address, he is automatically logged in, even after closing the tab.
It is only after closing the entire browser that you need to log in again through ADFS.


In version 10.5.1 everything was working properly. After log off, the session for the ADFS user was killed.
Also logging in again killed the previous session.

In the new version, you can run two sessions simultaneously. The second does not kill the first one. I've tested it on a few computers and browsers.

The problem concerns only users logging in via ADFS. For a standard OLAT user, the logout and kill session process is correct. The ADFS users have no normal accounts in OO.

In olat.local.properties, we have (it wasn't changed when updating OO):
session.timeout=300
session.timeoutauthenticated=3600

We don't use LDAP. Only ADFS login for users, and OLAT accounts for administrators.

I would ask for help in solving this problem. What could be the cause of it?

Regards
Jakub Wasielewski

Florian Gnägi
Feb 14, 2018, 9:24:02 AM
to open...@googlegroups.com
Hi Jakub

Hm, we do not experience this problem with other ADFS users so far. Are you sure it behaved differently in 10.5.1? Are you seeing two sessions in the system administration? Can you send me a screenshot of a user with multiple user sessions from the admin menu?

When logging out, OpenOLAT deletes the session. But when your user gets to the login screen, he will be automatically redirected to ADFS where his login session is still valid. Thus, ADFS will not show a login screen but rather redirect the user back to OpenOLAT together with a new authentication token. So, it can look as if the user was never logged out, but actually he was logged out and in again with an invisible redirect round-trip. But this would not lead to multiple user sessions.

Cheers,
Florian



--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Geschäftsführer
Hardturmstrasse 76
CH-8005 Zürich, Switzerland
--------------------------------------------------------------------

Jakub Wasielewski
Feb 14, 2018, 10:18:17 AM
to OpenOLAT
Hi Florian,

First of all, thank you for the quick answer.

I checked the user sessions again. There is only one session for a given user in the admin menu. And actually OO kills the sessions.

At the same time, I launched three independent sessions on different browsers. Logging in to the next resulted in killing the session in the previous one.

However, the problem remains because you only need to refresh the page to get access to the OO again. Or use the back button in the browser.

On all three browsers, it was enough to refresh the page and the session in that browser would become active again. On the other two, the session was killed.

I am almost certain that this problem did not occur in the earlier version. However, the earliest I can confirm this is tomorrow, because the copy of the older version is not currently running and I do not have access to it.

The process of logging into OO proceeds in the following way: the user logs in to another management system at the university, then clicks on the OO link; OO queries ADFS and, after ADFS confirms that the user may enter, obtains a token and opens a new window with the OO platform. Can this refreshing problem be directly related to the lifetime of the token?

After logging out, the user is redirected to https://domain.name.pl/dmz/?lang=en&logout=true. It is the page that normally appears in OO after logging out. The user does not have access to the standard OO login page https://domain.name.pl/dmz/. When the user enters it, he is redirected to an information page about the need to log in through the other system.

Cheers,
Jakub Wasielewski

Florian Gnägi
Feb 14, 2018, 10:27:42 AM
to open...@googlegroups.com
Hi Jakub

This confirms what I explained and is exactly as designed in a single-sign-on environment. As long as your ADFS session is valid you will have this behaviour. If you close the browser, your SSO ADFS session will be deleted, thus you will be logged out entirely.

I don't think we changed anything there. The problem can only be solved by implementing a special logout page or by closing the window when pressing logout.

Cheers
Florian
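To make the mechanism Florian describes in the two replies above concrete, here is an added model (not OpenOLAT or ADFS code; all class and method names are hypothetical) of an application that deletes only its own session on logout versus one that also ends the identity provider's SSO session. The browser is a plain dict of cookies, and the "redirect round-trip" to the IdP is a direct call.

```python
import secrets

class IdentityProvider:
    """Stands in for ADFS: keeps its own SSO session, independent of the application."""
    def __init__(self):
        self.sessions = {}  # idp cookie -> user

    def authenticate(self, browser, credentials=None):
        """Return the user if the browser already has a valid SSO session (silent
        re-issue of a token, no login page), or if credentials are supplied.
        None means the IdP would show its login page."""
        if browser.get("idp") in self.sessions:
            return self.sessions[browser["idp"]]
        if credentials is None:
            return None
        browser["idp"] = secrets.token_hex(8)
        self.sessions[browser["idp"]] = credentials
        return credentials

    def signout(self, browser):
        """Federated sign-out: the SSO session itself is removed."""
        self.sessions.pop(browser.pop("idp", None), None)

class ServiceProvider:
    """Stands in for the application: one session per user, deleted on logout."""
    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}  # app cookie -> user

    def request(self, browser, credentials=None):
        """Open the application address. Returns the logged-in user or None."""
        if browser.get("sp") in self.sessions:
            return self.sessions[browser["sp"]]
        user = self.idp.authenticate(browser, credentials)  # the redirect round-trip
        if user is None:
            return None
        # A new login kills any previous session of the same user (as observed in the thread).
        for cookie, owner in list(self.sessions.items()):
            if owner == user:
                del self.sessions[cookie]
        browser["sp"] = secrets.token_hex(8)
        self.sessions[browser["sp"]] = user
        return user

    def logout_local(self, browser):
        """What a plain logout does: only the application's own session is deleted."""
        self.sessions.pop(browser.pop("sp", None), None)

    def logout_federated(self, browser):
        """The 'special logout page' variant: end the IdP session as well."""
        self.logout_local(browser)
        self.idp.signout(browser)
```

After logout_local, simply revisiting the application logs the user straight back in through the still-valid IdP session, which is the "back button" effect reported above; only logout_federated leaves the user at a login prompt. In a real deployment the federated variant would redirect the browser to the IdP's sign-out endpoint rather than call it directly.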

Jakub Wasielewski
Feb 14, 2018, 10:39:11 AM
to OpenOLAT
Hi Florian,

Thank you again for helping me determine the cause of the problem.

I already know what we have to do.

Cheers,
Jakub Wasielewski