--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/e6e5d1c4-4052-4235-87bb-53dfcfe53a88n%40googlegroups.com.
I’m not sure what the error calling Shibboleth.sso/Logout is, but I don’t think calling it successfully would be enough to fully log you out given the way Shibboleth works.
Shibboleth logout is tricky - as long as you are logged into the Identity Provider (IdP), you don’t need a password to log in again, i.e. both the Service Provider (SP, shibd) and Dataverse session cookies can/will be regenerated without asking the user for their password again. The passive login setting basically automates demonstrating that – if you go to Dataverse, the JavaScript will try to log in automatically (without the user having to hit the login button) and, if the IdP already has you as logged in, you’ll auto-login to Dataverse. (Hence turning passive login off is needed to at least get Dataverse to show the Login button and not just re-login right after you log out.)
One ~confirmation of that, FWIW: at QDR, we’ve successfully managed to create single sign-on and logout with our own IdP (i.e. not someone’s university IdP) between Drupal and Dataverse with some custom code. That code isn’t directly relevant to the standard Dataverse case, but it does show that we have to redirect from logout.xhtml to /idp/profile/Logout and not just to the SP Shibboleth.sso/Logout to avoid a user being able to log in again without re-authenticating. Just calling Shibboleth.sso/Logout makes Dataverse log out and show the login button, but just hitting that button logs you in again without a password. Another key thing about the QDR setup is that, since the IdP is just for QDR, we know that Drupal and Dataverse are the only two apps that can use it. That’s the only reason calling /idp/profile/Logout makes sense – we won’t ever be accidentally logging someone out of another app (or partially logging them out, etc.; see https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645229/SLOIssues).
Given that the main use case for Shib appears to be to use institutional IdPs, logging out at the IdP, which is the only way other than having the user close their browser to avoid being able to log in to Dataverse again without a password, is problematic as it can affect anything else the user has logged into via that IdP (as Danny notes in issue #6934). Other than doing something simple like popping up a message to remind people that they must log out of their Shib IdP to be secure, I don’t think there’s much Dataverse can do (at least in a generic sense) to do a better job at logout that doesn’t involve messing up other apps. Hopefully universities are basically telling users the same thing, i.e. to log out of your overall Shib session and/or close your browser when done, which conveys the same message.
Hope that’s helpful and not just confusing…
-- Jim
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/CABbxx8GMum3MB7hYTqDzLmOmeMfE_5Cw8Se6RBOjstBqMpF8xw%40mail.gmail.com.
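The post above describes three separate sessions (IdP, SP/shibd, Dataverse) and why clearing only the SP one via Shibboleth.sso/Logout leaves the user re-loggable without a password. The following is an added toy model of that behaviour, written for this page; it is not Dataverse or Shibboleth code. The classes, the "passive_login" flag, the user "alice" and her password are constructed for illustration, and the model deliberately ignores SAML message details to show only which logout path forces a password prompt and what it costs a second application on the same IdP.

```python
# Added toy model (not Dataverse or Shibboleth code) of the three sessions that
# exist after a Shibboleth login: the IdP SSO session, the SP (shibd) session
# and the Dataverse application session. Names and the user "alice" are constructed.


class IdP:
    """Models the Identity Provider's SSO endpoint and /idp/profile/Logout."""

    def __init__(self, credentials):
        self._credentials = credentials   # constructed user database
        self.sso_sessions = set()         # users with a live IdP session

    def sso(self, user, passive, password=None):
        """Return (assertion_issued, password_prompted).

        passive=True models Shibboleth.sso/Login?isPassive=true: the IdP never
        shows a login form and only succeeds from an existing SSO session.
        """
        if user in self.sso_sessions:
            return True, False            # silent re-authentication, no password
        if passive:
            return False, False           # IdP answers NoPassive; user sees nothing
        if self._credentials.get(user) != password:
            raise PermissionError("bad credentials for %s" % user)
        self.sso_sessions.add(user)
        return True, True                 # the only path that asks for a password

    def logout(self, user):
        """/idp/profile/Logout: ends the SSO session for every SP using this IdP."""
        self.sso_sessions.discard(user)


class SP:
    """Models shibd: Shibboleth.sso/Login and Shibboleth.sso/Logout."""

    def __init__(self, idp):
        self.idp = idp
        self.sessions = set()

    def login(self, user, passive=False, password=None):
        issued, prompted = self.idp.sso(user, passive, password)
        if issued:
            self.sessions.add(user)
        return issued, prompted

    def logout(self, user):
        """Shibboleth.sso/Logout clears only the SP session; the IdP session survives."""
        self.sessions.discard(user)


class Dataverse:
    def __init__(self, sp, passive_login):
        self.sp = sp
        self.passive_login = passive_login   # the "passive login" setting from the post
        self.sessions = set()

    def visit(self, user):
        """Page load; with passive login on, the page JavaScript tries a passive SP login."""
        if user in self.sessions:
            return "logged_in"
        if self.passive_login:
            issued, _ = self.sp.login(user, passive=True)
            if issued:
                self.sessions.add(user)
                return "logged_in"
        return "login_button"

    def click_login(self, user, password=None):
        """User presses Login; returns whether a password was actually requested."""
        issued, prompted = self.sp.login(user, passive=False, password=password)
        if issued:
            self.sessions.add(user)
        return prompted

    def logout(self, user, at_idp):
        """logout.xhtml: drop the app session, call Shibboleth.sso/Logout and,
        if at_idp, also redirect to /idp/profile/Logout (the QDR-style variant)."""
        self.sessions.discard(user)
        self.sp.logout(user)
        if at_idp:
            self.sp.idp.logout(user)


def run(passive_login, logout_at_idp):
    """Log alice in, log her out one way or the other, then see what a re-visit costs."""
    idp = IdP({"alice": "s3cret"})
    dataverse = Dataverse(SP(idp), passive_login)
    other_app = SP(idp)                    # another institutional app on the same IdP

    dataverse.click_login("alice", password="s3cret")
    other_app.login("alice", passive=True)              # silently SSO'd via the IdP session
    dataverse.logout("alice", at_idp=logout_at_idp)

    # Collateral effect, checked before Dataverse re-authenticates her:
    other_silent, _ = other_app.login("alice", passive=True)

    if dataverse.visit("alice") == "logged_in":
        outcome = "auto-relogged-in"
    elif dataverse.click_login("alice", password="s3cret"):
        outcome = "password-required"
    else:
        outcome = "relogin-without-password"
    return {"dataverse": outcome, "other_app_silent_sso": other_silent}


if __name__ == "__main__":
    for passive in (True, False):
        for at_idp in (False, True):
            print("passive_login=%s logout_at_idp=%s -> %s"
                  % (passive, at_idp, run(passive, at_idp)))
```

Running it shows the trade-off the post describes: with SP-only logout the user is either auto-relogged-in (passive login on) or relogged-in without a password (passive login off), and only IdP logout yields a password prompt, at the price that the other application on the same IdP loses its silent SSO as well.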