Problems with GENI portal login


Fraida Fund

Dec 12, 2013, 12:23:54 PM
to geni-...@googlegroups.com
I have two (presumably related) issues with the GENI portal:

1) First problem - can't change identity provider after trying one that doesn't work
Step 1: Try to log in to GENI portal with an InCommon provider that isn't supported
Step 2: Get error message: "We're sorry, but you cannot access GENI Experimenter Portal at this time."
Step 3: Return to portal.geni.net and click "Use GENI"

Now I am sent straight back to the error page without a chance to select another identity provider.

2) Second problem - "Logout" on the portal doesn't really log out
Step 1: Click "Logout" on the GENI portal, I am returned to https://portal.geni.net/
Step 2: Click "Use GENI" and choose account provider (GPO is my account provider)

At this point I am sent directly to https://portal.geni.net/secure/home.php without having to re-enter my username and password. 

Any advice would be much appreciated. Thanks,
Fraida Fund

Divyashri Bhat

Dec 12, 2013, 12:25:37 PM
to geni-...@googlegroups.com
Hi,

The second problem that Fraida had, I just ran into this morning as well. It does time out after a few minutes and I can log back in but clicking on "Logout" does not log me out.




--
Regards,
Divyashri Bhat
Graduate Student
University of Massachusetts, Amherst

tmit...@bbn.com

Dec 12, 2013, 12:58:38 PM
to geni-...@googlegroups.com
Hi Divya and Fraida,

I can explain the Logout issue, so I'll start there. You're logging out of the Portal, but not out of your Identity Provider. On the portal side when you click logout we do some clean up, clear some cached items, and close the HTTP session. But that's as much as we can really do. It's not friendly for us to cause your Identity Provider session to be disconnected because you may have used the IdP to authenticate to other services like campus email. So we can disconnect you from our site, but can't really force your identity provider to log you out and require you to re-authenticate.

On your first problem Fraida, I haven't seen that situation. When you click the Use GENI button you should be presented with a "discovery service" which asks you to pick your identity provider. I'm surprised that this step is sometimes skipped and don't know what would cause that to happen.

During development we sometimes have to force a full logout from the Portal and the IdP. To do that we clear all the cookies from the portal host (portal.geni.net) and from the identity provider host (an internal one for us). You could try that to force a full logout if you're still having trouble.

Good luck!

Tom

Fraida Fund

Dec 12, 2013, 1:42:14 PM
to geni-...@googlegroups.com
I see, 

Every other InCommon service I use logs out of my identity when I click "Logout." I don't think it's at all obvious to users that when they click "Logout" on the portal, they haven't actually been logged out of their identity provider and the next user (e.g. of a shared lab computer) will be able to use their identity (not only on GENI portal, but on all sites that use their InCommon ID). Perhaps instead of redirecting to https://portal.geni.net/ after logout, you can show a message to that effect, ideally with a link to the IdP logout URL so users can fully log out if that's what they want to do.

On a more practical note, since my (and all of my students') identity provider is the GPO, how would I go about logging out fully? Are all users whose accounts are provided by the GPO expected to mess with browser cookies in order to log out, or is there a URL they can visit?
 
I checked whether my first problem (not offered "discovery service" after trying to use an identity provider that isn't supported) is resolved if I log out of the failed identity provider before visiting the portal again. It isn't.

Thanks,
Fraida 

Hussamuddin Nasir

Dec 12, 2013, 1:44:38 PM
to geni-...@googlegroups.com
A simple method is to just close the browser and restart the browser. Normally IDP sessions expire once the browser is closed.
cheers,

Hussam
(Hussamuddin Nasir)

Netlab Operations Team 

-------------------------------------------------------------------
Laboratory for Adv. Networking  Phone  : (859)218-0059
James F Hardymon Building       Fax    : (859)323-3740
301 Rose Street, Rm 237         E-mail : na...@netlab.uky.edu
Lexington, KY 40506-0495        Web    : http://www.netlab.uky.edu

                        University of Kentucky
                        **********************
------------------------------------------------------------------- 
--

Fraida Fund

Dec 12, 2013, 2:43:05 PM
to geni-...@googlegroups.com, na...@netlab.uky.edu
Thanks. I'd rather not lose my open browser tabs and other unsaved information in my browser, though.

I found that visiting https://portal.geni.net/Shibboleth.sso/Logout will log me out of my GPO identity (at least, for purposes of forcing me to re-login to the portal).  I haven't seen this URL publicized anywhere, though, so I'm not sure the average user could find this out. 

Again, it would probably be more useful to display something like:

"Although you have logged out of the GENI portal, you may still have valid sessions that can enable your browser to log into other applications automatically using your identity provider's single sign-on technology. To log out of your identity provider, please visit <iDp Logout URL>."

instead of just 

"You logged out the GENI portal"

when a user clicks "Logout."

Thanks,
Fraida

Fraida Fund

Dec 12, 2013, 3:04:18 PM
to geni-...@googlegroups.com, na...@netlab.uky.edu
Hmm, just kidding. The URL I found doesn't really fully log me out of the GPO identity.

Still looking for a way to log out of GPO identity without closing the browser or deleting cookies.

Aaron Helsinger

Dec 12, 2013, 4:23:37 PM
to geni-...@googlegroups.com, na...@netlab.uky.edu
The GPO Identity Provider does not currently provide a way to log out. It is something we can look into.
In general, different Identity Providers will have different approaches to logout - whether it is supported and where.

If your browser supports selectively deleting cookies, then you can:
1) Click Logout at the top of the portal
2) Delete cookies set by shib-idp.geni.net (there should be 2)
   E.g., in Chrome, navigate to chrome://settings/cookies
   In Firefox, go to Settings/Preferences -> Privacy -> Show Cookies
   From there use the search box to find the GPO IdP. You can then selectively delete these cookies.

That will log you out of the GPO IdP.

Aaron

Fraida Fund

Dec 12, 2013, 5:35:36 PM
to geni-...@googlegroups.com, na...@netlab.uky.edu
Ok, I understand. I guess since most of the InCommon services I used are within my university system, I am used to them being aware of the university's logout procedure and pointing me to it when I log out of the service. Since I'm probably not the only one used to this kind of behavior, I think a more informative logout notice in the portal would be helpful. And I do think it would be useful for the GPO identity provider to have a logout URL.

Regarding issue #1:  it looks like the GENI portal sends me straight to my portal home when I click "Use GENI" (without offering me a choice of identity providers) if there is an active portal.geni.net session. If I log into an identity provider that doesn't work with the GENI portal, the portal starts a session for me  (which I verified by visiting https://portal.geni.net/Shibboleth.sso/Session). Therefore when I use portal.geni.net again, it tries to use my existing session with the incompatible identity provider and sends me straight back to the error page. 

Thanks,
Fraida

Aaron Helsinger

Dec 13, 2013, 9:51:24 AM
to geni-...@googlegroups.com, na...@netlab.uky.edu
Fraida-

You are correct. I'm going to add a more informative message after you click 'Log out', and see if we can add a GPO IdP log out. The better message should get fixed next week, the IdP log out may take a little longer.

Your analysis of what happens when you click 'Use GENI' is correct. You are also correct that it would be better if the Portal logged you out before redirecting you to that error page when you use an Identity Provider that doesn't share enough information with the Portal, so you can pick a different Identity Provider (like the GPO IdP). This too should be fixed next week.

Thank you for your testing and your patience.

Aaron
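
The session behaviour analysed in this thread, as an added example that is not part of the original posts and is not GENI portal code: a toy Python model with one portal (service provider) session and separate identity provider sessions. The attribute names, the `campus` IdP and every function name are assumptions made for illustration.

```python
# Toy model (constructed for illustration; not GENI portal code).
REQUIRED_ATTRS = {"eppn", "mail"}  # assumption: what the portal needs from an IdP
IDP_ATTRS = {"campus": {"eppn"}, "gpo": {"eppn", "mail"}}  # constructed sample IdPs


class Browser:
    def __init__(self):
        self.sp_session = None     # portal.geni.net session (attributes received)
        self.idp_sessions = set()  # IdPs holding a live single sign-on session


def use_geni(browser, chosen_idp, logout_on_error=False):
    """Return the pages shown after clicking 'Use GENI'."""
    pages = []
    if browser.sp_session is None:
        pages.append("discovery")              # user may pick an IdP
        if chosen_idp not in browser.idp_sessions:
            pages.append("idp-login")          # password prompt
            browser.idp_sessions.add(chosen_idp)
        browser.sp_session = IDP_ATTRS[chosen_idp]
    # An existing portal session is reused, so chosen_idp is never consulted.
    if REQUIRED_ATTRS <= browser.sp_session:
        pages.append("home")
    else:
        pages.append("error")
        if logout_on_error:                    # the fix agreed in the thread
            browser.sp_session = None
    return pages


def portal_logout(browser):
    browser.sp_session = None                  # IdP sessions are untouched


def retry_after_unsupported_idp(logout_on_error):
    b = Browser()
    use_geni(b, "campus", logout_on_error)     # ends on the error page
    return use_geni(b, "gpo", logout_on_error)


def relogin_after_logout(clear_idp_cookies):
    b = Browser()
    use_geni(b, "gpo")
    portal_logout(b)
    if clear_idp_cookies:                      # e.g. deleting the IdP's cookies
        b.idp_sessions.clear()
    return use_geni(b, "gpo")
```

`retry_after_unsupported_idp(False)` reproduces the first problem (straight back to the error page), and `relogin_after_logout(False)` reproduces the second (home page with no password prompt).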