siacali edited a comment on issue #455: GUACAMOLE-361: CAS global logout
URL: https://github.com/apache/guacamole-client/pull/455#issuecomment-565739333

> I think we should avoid a generic logout redirect URI. The necessary URI for single logout is generally going to be implementation dependent, and the setting would serve as a point of confusion for those cases. There are times where it's necessary to provide a feature as a stopgap to a better solution due to the complexities of the better solution, but I don't think we've reached that point here.
>
> If single logout is not currently achievable because existing client-side hooks do not provide the needed context, then we should look for a way to provide that context.
>
> Similar to #346, perhaps a new event (_not_ repurposing `guacLogout`) which is (1) reliably invoked after logout has succeeded and (2) results in reattempting authentication only if `preventDefault()` is not invoked? Does there need to be additional context exposed within such an event about the session which was invalidated?

Appreciate that, @mike-jumper - Anything that could give us a reliable way to redirect after logout but before the “reload/reroute” event would do the trick. I don’t think there’s any other context that needs to be exposed, at least not for CAS (@nfantone, do you agree?).

How should we go about submitting such a change/some candidate fixes for it (i.e. new Jira or report against some existing ticket)?

Just to clarify one other thing for @necouchman and raise this issue to the group, likely the implementation of TicketValidation and how its corresponding exception (should it even raise one?) is handled needs to be looked at in the CAS extension. By default in CAS a service ticket is tagged for a lifetime of 10s and 1 use, so it’s not likely that a ticket will ever be “revalidated.” This is based on a global setting on the CAS side, and so will likely not be changed for this app. The only way to “renew” a ticket, AFAIK, is for the browser to visit the CAS system, which will happily reissue a new ST if the user is still logged into the SSO - probably not a welcome behavior in the context of a Guacamole session. Unless someone implements a time limit on Guacamole logins (which I’m not aware of, if it exists), we should probably modify the CAS extension to “never check a ticket if it already validated the one it has.” (Note: I’ve only observed the extension trying to revalidate tickets in the context of a “reload” that doesn’t clean up its URL and still includes the ST, so it’s not a “common” problem but still something that it should never usefully try to do, unless we use the exception to logout or redirect back to CAS to get a renewed ticket). Should this be raised as a separate Jira ticket?

Lastly, once we get a workable logout solution, I’d like to propose some finer grained controls for this extension: I’d like to offer a setting that enables a mode where users can choose between CAS login and Guacamole login (instead of the only setting option being the current brute redirect to CAS), and a similar setting that could enable a user to choose between SSO logout and Guacamole logout (some might find it useful, others might find it confusing, so a setting to allow the administrator to choose behavior seems appropriate). These would be in the form of additions to the existing functionality that currently simply redirects away to CAS. Any comments or suggestions on these?
