On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote: > On 04/28/2015 05:39 PM, Rob Crittenden wrote: > > Dmitri Pal wrote: > >> On 04/28/2015 05:11 PM, Christopher Lamb wrote: > >>> HI All > >>> > >>> I have just tested with the FreeIPA Web UI public demo > >>> https://ipa.demo1.freeipa.org/ipa/ui/ > >>> > >>> Using the public demo, when I log out, I get returned to the login > >>> screen, > >>> as expected. This allows me to log in with a different user. > >>> > >>> With our own installation FreeIPA, from exactly the same browser, I get > >>> logged straight back in to the Web UI - which makes logging out > >>> pointless. > >>> > >>> still confused ... > >> Do you have a kerberos ticket on your local system? > >> Do klist. > >> See which tickets you have. > >> If you have tickets do kdestroy - this will remove the ability to SSO. > >> If you then try to use your IPA server you will have the same experience > >> as with public demo. > > I think this is a question for Petr. On logout one should be directed to > > a page that doesn't require auth so it doesn't renegotiate the connection. > > > > rob > Petr can you reproduce this?
I've seen this in the past on my own IPA domain at home. Perhaps what we should do is to have a logout option that says "log in with a different user" and redirect to anon kerberized page that allows you to do form based login. This would address the case where a domain user wants to log in as admin w/o exiting their user session or destroying there ccache (as that may imply loosing access to email, other company websites, etc...). Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project