Grouper / GRP-1097

grouper logout management



    • Bug
    • Resolution: Fixed
    • Minor
    • 2.2.1.patch, 2.2.2, 2.3.0
    • 2.2.1
    • UI
    • None


      From: grouper-users-request@internet2.edu On Behalf Of Chris Hyzer
      Sent: Wednesday, November 26, 2014 1:24 PM
      To: Eric Cheu; Jeffrey T Eaton
      Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

      This is no different than any other web application. For 2.2.2 I will make sure there is a way to remove specified cookies (that grouper is allowed to delete by domain) by name prefix. Also you will be able to specify a single logout url if your institution has one. Ok? Thanks, Chris

      -------- Original message --------
      From: Eric Cheu
      Date: 11/26/2014 1:16 PM (GMT-05:00)
      To: Jeffrey T Eaton
      Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

      If this is really true, then the wording on the grouper page (or at least our version of grouper, 2.2) is out of date. It says:

      "Note: Your session has been ended, however, it is possible that you are still logged in. The only way to be sure that you have logged out is to close ALL browser windows."
      And might even be a blow to using grouper for certain secure applications, at least for general student use.

      On Wed, Nov 26, 2014 at 12:44 PM, Jeffrey T Eaton wrote:
      It's not as easy as deleting the IDP's cookies. Consider the case where a user starts a browser, and accesses 3 different SPs.

      The user, while interacting with one of the SPs, wants to log out. That SP can destroy its own session state and redirect to the IDP to delete the session state there; however, there's no currently feasible way to force a logout of the other SPs which may be maintaining their own session.

      So, now the user walks away from the shared computer, and someone else walks up and happens to navigate to one of the SPs where the previous user was logged in, and is already logged in as the other user.

      The only real way to manage single sign on in a shared computer environment is to have something which forcibly resets the browser state, losing all session data for all sites. Used to be that quitting your browser would be sufficient to delete all of the cookies, but even that's becoming less reliable with browsers trying to "helpfully" restore your previous session cookies for you.


      On Nov 25, 2014, at 11:35 AM, Eric Cheu wrote:

      IMO, there should be a way to delete shibboleth browser cookies without actually having to close the browser. I was able to do it manually in firefox by going through the menu system and actually looking for the shibboleth cookies and manually deleting them. That got the desired effect of doing a global IDP logout without having to close the browser. It is a harder sell to use shibboleth for certain applications if logging out of shibboleth is unintuitive for students using shared computers on a network.

      On Wed, Nov 19, 2014 at 11:46 AM, Rob Gorrell wrote:
      I'm not much of an SP guy, so I could use some help here. We currently have the grouperUI set up behind a shibb SP to process authentication into grouper. Works great. However, it looks like the standard logout is to redirect to logout.do, which only kills the app session. Is there a way we can tell grouper to additionally redirect to our IDP's logout page so we can perform a logout there as well?


      Robert W. Gorrell
      Systems Architect, Identity and Access Management
      University of NC at Greensboro
      PGP Key ID B36DB0CA
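The logout behaviour Chris describes above (kill the app session, expire cookies by name prefix on domains the application is allowed to touch, then redirect to a single institutional logout URL), written out as an added servlet sketch that is not Grouper's own code. The cookie prefixes, allowed domains, logout URL and servlet mapping are assumed placeholders; a browser only discards a cookie when the expiring Set-Cookie matches its name, domain and path, and the servlet API does not expose those attributes on incoming cookies, so the sketch sends one expiry per permitted domain (null meaning a host-only cookie).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not Grouper code. Settings below are hypothetical; in practice they
// would be read from a properties file rather than hard-coded.
public class LogoutServlet extends HttpServlet {
    // Cookie name prefixes this application is allowed to expire (SP session cookies).
    static final List<String> COOKIE_PREFIXES = Arrays.asList("_shibsession_", "_opensaml_");
    // Domains the app may clear: null = host-only cookie on this server, the rest are
    // domain cookies. IdP cookies on another host cannot be cleared from here at all.
    static final List<String> ALLOWED_DOMAINS = Arrays.asList((String) null, ".example.edu");
    // Single institutional logout endpoint to hand off to after local cleanup.
    static final String SINGLE_LOGOUT_URL = "https://idp.example.edu/idp/profile/Logout";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // 1. End the application's own session (what logout.do already does).
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();

        // 2. Expire every cookie whose name matches a configured prefix, once per
        //    permitted domain, since the request does not tell us which one set it.
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (!matchesPrefix(c.getName())) continue;
                for (String domain : ALLOWED_DOMAINS) {
                    Cookie expired = new Cookie(c.getName(), "");
                    expired.setMaxAge(0);          // Max-Age=0: browser discards the cookie
                    expired.setPath("/");          // must match the path the cookie was set with
                    if (domain != null) expired.setDomain(domain);
                    expired.setSecure(true);
                    expired.setHttpOnly(true);
                    resp.addCookie(expired);
                }
            }
        }

        // 3. Redirect to the IdP logout. This ends the IdP session only; sessions held
        //    by other SPs, as discussed in the thread, are not reached by this step.
        resp.sendRedirect(SINGLE_LOGOUT_URL);
    }

    static boolean matchesPrefix(String name) {
        return COOKIE_PREFIXES.stream().anyMatch(name::startsWith);
    }
}
```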




            chris.hyzer@at.internet2.edu Chris Hyzer