On 04/29/2015 01:42 PM, Christopher Lamb wrote:
Hi Petr

thanks.

Can you qualify "has a valid Kerberos Ticket"?

In my case, my user has a valid ticket on the LDAP server, but not on the
OSX workstation from which I am using Firefox / Web UI.

On the OSX workstation, if the user has a non-expired TGT ticket which could then be used to obtain a ticket for principal HTTP/myipa.my.domain@MY.REALM (IPA server API - backend of webui).


Cheers

Chris



From:   Petr Vobornik <pvobo...@redhat.com>
To:     d...@redhat.com, Rob Crittenden <rcrit...@redhat.com>,
             Christopher Lamb/Switzerland/IBM@IBMCH
Cc:     freeipa-users@redhat.com
Date:   29.04.2015 13:27
Subject:        Re: [Freeipa-users] FreeIPA WebUI Logout logs back in



On 04/28/2015 11:53 PM, Dmitri Pal wrote:
On 04/28/2015 05:39 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
On 04/28/2015 05:11 PM, Christopher Lamb wrote:
Hi All

I have just tested with the FreeIPA Web UI public demo
https://ipa.demo1.freeipa.org/ipa/ui/

Using the public demo, when I log out, I get returned to the login
screen, as expected. This allows me to log in with a different user.

With our own installation FreeIPA, from exactly the same browser, I
get logged straight back in to the Web UI - which makes logging out
pointless.

still confused ...
Do you have a kerberos ticket on your local system?
Do klist.
See which tickets you have.
If you have tickets do kdestroy - this will remove the ability to SSO.
If you then try to use your IPA server you will have the same
experience as with public demo.
I think this is a question for Petr. On logout one should be directed to
a page that doesn't require auth so it doesn't renegotiate the
connection.

rob
Petr can you reproduce this?


Yes.

User is automatically logged-in back if he has a valid Kerberos ticket.

The reason is that after showing the login form, the whole UI is
reloaded in order to forget everything in the app memory. It then
behaves as normal access and SSO kicks in.

IPA had a logout page but it was removed. One reason was that PatternFly
says that when a session expires (which, in a way, is a logout), user
should be presented with a login page. As we see, with SSO, the behavior
is a little bit different and unexpected.

I've created a new ticket:

https://fedorahosted.org/freeipa/ticket/5008
--
Petr Vobornik






--
Petr Vobornik
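
The "valid Kerberos ticket" condition discussed in this thread, as an added Python example (not part of the original thread and not FreeIPA code): it reads `klist` output from the workstation running the browser and reports whether a non-expired TGT is present, which is the case where the Web UI logs the user back in. The sample output is constructed, and the MIT-style `MM/DD/YYYY HH:MM:SS` date format is an assumption; other `klist` implementations or locales may print dates differently.

```python
import re
from datetime import datetime

# Constructed sample of MIT-style `klist` output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: chris@MY.REALM

Valid starting       Expires              Service principal
04/29/2015 09:00:00  04/30/2015 09:00:00  krbtgt/MY.REALM@MY.REALM
04/29/2015 09:05:12  04/30/2015 09:00:00  HTTP/myipa.my.domain@MY.REALM
"""

# Assumed date format; adjust FMT and the pattern if klist prints another one.
FMT = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")


def parse_tickets(klist_text):
    """Return (start, expires, service_principal) for every ticket line."""
    tickets = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:  # header, "renew until" and error lines do not match
            tickets.append((datetime.strptime(m.group(1), FMT),
                            datetime.strptime(m.group(2), FMT),
                            m.group(3)))
    return tickets


def sso_relogin_expected(klist_text, realm, now):
    """True if the cache holds a TGT for `realm` that is valid at `now`."""
    tgt = f"krbtgt/{realm}@{realm}"
    return any(svc == tgt and start <= now < expires
               for start, expires, svc in parse_tickets(klist_text))


if __name__ == "__main__":
    now = datetime(2015, 4, 29, 13, 42)
    print("TGT valid, SSO re-login expected:",
          sso_relogin_expected(SAMPLE_KLIST, "MY.REALM", now))
```

After `kdestroy`, `klist` prints no ticket lines, so the same check returns `False` and the login form stays on screen.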
