Comments (7)
My bad: In my tests everything works, even if I neither set LOGOUT_SESSION_KEY nor delete the user session (which should be done by logout?).
Is LOGOUT_SESSION_KEY a protection against still existing Shibboleth sp session in older Shibboleth installations?
For me redirecting to /Shibboleth.sso/Logout?return=%s (sp SLO endpoint) works perfectly fine and redirects to the IdP SLO endpoint.
That way IdP and SP Shibboleth sessions get deleted / invalidated and I think that this protection isn't needed in that case.
from django-shibboleth-remoteuser.
Does the automated LogoutTest still pass with your changes? It may be that certain configurations work fine without the LOGOUT_SESSION_KEY, but others still need it. I'm not sure.
No it doesn't.
I'm new to this. But looking at the test code, I think that the test is incorrect (for my use case).
If REMOTE_USER is set by the webserver, doesn't that mean that the shibboleth sp of our service has a valid shibboleth session for the user? In that case re-login would be correct, in my opinion.
In my understanding this is simulated by the LogoutTest, which does the same request for (first) login as for checking the logout.
This brings me back to my question:
Is LOGOUT_SESSION_KEY a protection against still existing Shibboleth sp session in older Shibboleth installations?
If the login shall not work, although all headers are sent correctly, the answer to this question is probably "yes".
In current shibboleth setups with SLO support, it is possible to end the shibboleth sp session and the shibboleth idp session by visiting the sp SLO endpoint, that then redirects to the idp slo endpoint.
Is LOGOUT_SESSION_KEY a protection against still existing Shibboleth sp session in older Shibboleth installations?
Yes, if I recall correctly. When this was implemented, the support for logout was a bit murky. Seems like things have changed. I agree that deleting the session is cleaner.
Yes, if I recall correctly. When this was implemented, the support for logout was a bit murky. Seems like things have changed. I agree that deleting the session is cleaner.
No. This was an error of mine. Deleting the session shouldn't help. You either need the "hack" of setting LOGOUT_SESSION_KEY or you don't need anything at all. auth.logout(self.request) should take care of the django session.
Redirecting to the sp SLO endpoint (via LOGOUT_URL) takes care of the Shibboleth sessions (sp and idp).
So the only remaining question is: Should all LOGOUT_SESSION_KEY stuff be removed or are there sites around that still need this workaround?
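As an added illustration of what the comment above describes (not the project's own code): a minimal stand-in for the Django session, the logout view and the remote-user middleware, showing why the follow-up request logs the user back in when the SP still sends REMOTE_USER and LOGOUT_SESSION_KEY is not set, and why nothing is needed once the SP session is really gone. The class and function names and the sample URLs are assumptions made for this example.

```python
# Added example, not django-shibboleth-remoteuser's code: simulates the logout
# flow discussed in the thread without a running Django or Shibboleth SP.
from urllib.parse import quote

LOGOUT_SESSION_KEY = "shib_force_logout"              # name assumed for this example
LOGOUT_URL = "/Shibboleth.sso/Logout?return=%s"       # SP SLO endpoint, as in the thread
LOGOUT_REDIRECT_URL = "https://sp.example/goodbye"    # constructed sample target


class Request:
    """Stand-in for a Django HttpRequest: META carries REMOTE_USER from the SP."""
    def __init__(self, remote_user=None, session=None):
        self.META = {"REMOTE_USER": remote_user} if remote_user else {}
        self.session = session if session is not None else {}
        self.user = None


def logout_view(request, use_session_key):
    """Log out at the Django level, optionally set the guard flag, redirect to SP SLO."""
    request.user = None          # stands in for auth.logout(request) ...
    request.session.clear()      # ... which also flushes the session store
    if use_session_key:
        request.session[LOGOUT_SESSION_KEY] = True   # flag must be set after the flush
    return LOGOUT_URL % quote(LOGOUT_REDIRECT_URL, safe="")


def remote_user_middleware(request):
    """Mimics header-based auto-login: returns the username it would log in, or None."""
    if request.session.get(LOGOUT_SESSION_KEY):
        return None                              # refuse re-login after explicit logout
    return request.META.get("REMOTE_USER")       # header present means SP session valid


def after_logout_next_request(stale_sp_session, use_session_key):
    """Simulate the LogoutTest: log out, then replay the same request.

    stale_sp_session=True models an SP that still sets REMOTE_USER (no SLO);
    False models a current SLO setup where the SP session is already gone.
    """
    req = Request(remote_user="alice", session={"_auth_user_id": "1"})
    logout_view(req, use_session_key)
    # the browser keeps its session cookie, so the same session store is reused
    follow_up = Request(remote_user="alice" if stale_sp_session else None,
                        session=req.session)
    return remote_user_middleware(follow_up)
```

Running after_logout_next_request(True, False) shows the case the LogoutTest catches: the user is silently logged back in by the header alone.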
Seems like maybe we can remove the LOGOUT_SESSION_KEY code. The Logout view already logs the user out at the django level, so as long as the redirect url forces Shib re-authentication, we may be OK. It might be a matter of making sure the right URLs in the app are forced to require a valid Shib session.
@egroeper if you want to submit a PR for this, I'll take a look at it.
@bcail Done.