Gerrit SAML logout does not work


Sachidanand Patil

Nov 4, 2021, 8:15:51 AM
to Repo and Gerrit Discussion
Hi,

We have integrated our Gerrit with Azure AD using the SAML plugin. Everything works as expected except logout. When I click on sign-out, it signs in again without entering credentials.
Can you please help me understand how I can fix this issue?

Expectation: On clicking sign out, the existing user should get logged out.



[auth]
    type = HTTP
    logoutUrl = https://mygerrit.com/logout
    httpHeader = X-SAML-UserName
    httpDisplaynameHeader = X-SAML-DisplayName
    httpEmailHeader = X-SAML-EmailHeader
    httpExternalIdHeader = X-SAML-ExternalId


[saml]
    keystorePath = /path/samlKeystore.jks
    keystorePassword = *********
    privateKeyPassword = *******
    serviceProviderEntityId = https://sts.windows.net/81f*********/
    identityProviderEntityId = https://sts.windows.net/81f*********/
    useNameQualifier = false
    memberOfAttr = Groups
    userNameAttr = UserName
    #emailAddressAttr = EmailAddress
    #Here we set Gerrit limit to 2 days. In Azure AD this is set to every 1 day to give some margin.
    maxAuthLifetime = 172800




Thanks & regards,
Sachi

tech....@gmail.com

Apr 27, 2022, 6:18:06 AM
to Repo and Gerrit Discussion
Hi Team,

We are also facing the same issue. The logout URL is not working and, actually, it never logs out.

Luca Milanesio

Apr 27, 2022, 8:12:26 AM
to Repo and Gerrit Discussion, Luca Milanesio, tech....@gmail.com

On 27 Apr 2022, at 11:18, tech....@gmail.com <tech....@gmail.com> wrote:

Hi Team,

We are also facing the same issue. The logout URL is not working and, actually, it never logs out.

Gerrit doesn’t allow a logged out experience when using SAML, OAuth or other external authentication systems.
Once you try to logout, you’ll be logged in immediately. 

Luca.

Andrew Grimberg

Apr 27, 2022, 1:01:10 PM
to Luca Milanesio, Repo and Gerrit Discussion, tech....@gmail.com
This works just fine for our Gerrit instances that have some sort of
anonymous access defined.

In our setup we don't set the logoutUrl for anything, so we're just
using the native Gerrit logout. I can only assume that someone setting
the logoutUrl is hoping to have a global SAML logout?

-Andy-

On 4/27/22 05:12, Luca Milanesio wrote:
>
>
>> On 27 Apr 2022, at 11:18, tech....@gmail.com <tech....@gmail.com> wrote:
>>
>> Hi Team,
>>
>> We are also facing the same issue. The logout URL is not working and,
>> actually, it never logs out.
>
> Gerrit doesn’t allow a logged out experience when using SAML, OAuth or
> other external authentication systems.
> Once you try to logout, you’ll be logged in immediately.
>
> Luca.

Luca Milanesio

Apr 27, 2022, 3:52:15 PM
to Repo and Gerrit Discussion, Luca Milanesio, tech....@gmail.com, Andrew Grimberg

On 27 Apr 2022, at 18:01, Andrew Grimberg <grim...@gmail.com> wrote:

This works just fine for our Gerrit instances that have some sort of anonymous access defined.

In our setup we don't set the logoutUrl for anything, so we're just using the native Gerrit logout. I can only assume that someone setting the logoutUrl is hoping to have a global SAML logout?

Sure, but then you just configure the Gerrit logout to point somewhere else :-)
That wouldn’t be IMHO aligned with the user-experience of just logging out of Gerrit though.

At GerritHub.io, we managed to give an anonymous experience also, because of the way the GitHub plugin works, at HTTP servlet filter level.
When you logout from Gerrit, you just logout from Gerrit, not from your GitHub account.

Luca.
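
The three outcomes discussed in this thread, as an added Python model that is not part of any post and is not Gerrit's or the SAML plugin's code: it tracks the application session and the identity provider session separately to show why a local sign-out is undone when every request requires authentication. The class names, the user `alice` and the returned strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdP:
    """Identity provider with its own browser session (the SSO cookie)."""
    session_user: Optional[str] = None

    def authenticate(self, credentials: Optional[str] = None) -> Optional[str]:
        # An active IdP session answers silently; otherwise credentials are needed.
        if self.session_user is None and credentials is not None:
            self.session_user = credentials
        return self.session_user


@dataclass
class ServiceProvider:
    """Simplified stand-in for the application behind SAML."""
    idp: IdP
    anonymous_access: bool
    session_user: Optional[str] = None

    def sign_in(self) -> str:
        user = self.idp.authenticate()      # redirect to the IdP and back
        if user is None:
            return "IdP login form"
        self.session_user = user
        return f"signed in as {user}"

    def request(self) -> str:
        if self.session_user:
            return f"signed in as {self.session_user}"
        # Without anonymous access, every unauthenticated request goes to the IdP.
        return "anonymous" if self.anonymous_access else self.sign_in()

    def logout(self, end_idp_session: bool) -> None:
        self.session_user = None            # the application session always ends
        if end_idp_session:
            self.idp.session_user = None    # global logout ends the IdP session too


def after_logout(anonymous_access: bool, end_idp_session: bool) -> str:
    """What the browser shows on the first request after clicking sign out."""
    idp = IdP()
    idp.authenticate("alice")               # constructed user, interactive login
    sp = ServiceProvider(idp, anonymous_access)
    sp.sign_in()
    sp.logout(end_idp_session)
    return sp.request()
```

`after_logout(False, False)` reproduces the symptom from the first post, `after_logout(True, False)` corresponds to the setup with anonymous access, and `after_logout(False, True)` to a global logout at the identity provider.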