On 29.4.2015 13:26, Petr Vobornik wrote:
> On 04/28/2015 11:53 PM, Dmitri Pal wrote:
>> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>>> HI All
>>>>> I have just tested with the FreeIPA Web UI public demo
>>>>> Using the public demo, when I log out, I get returned to the login
>>>>> as expected. This allows me to log in with a different user.
>>>>> With our own installation FreeIPA, from exactly the same browser, I get
>>>>> logged straight back in to the Web UI - which makes logging out
>>>>> still confused ...
>>>> Do you have a kerberos ticket on your local system?
>>>> Do klist.
>>>> See which tickets you have.
>>>> If you have tickets do kdestroy - this will remove the ability to SSO.
>>>> If you then try to use your IPA server you will have the same experience
>>>> as with public demo.
>>> I think this is a question for Petr. On logout one should be directed to
>>> a page that doesn't require auth so it doesn't renegotiate the
>> Petr can you reproduce this?
> User is automatically logged-in back if he has a valid Kerberos ticket.
> The reason is that after showing the login form, the whole UI is reloaded in
> order to forget everything in the app memory. It then behaves as normal access
> and SSO kicks in.
> IPA had a logout page but it was removed. One reason was that PatternFly says
> that when a session expires(which, in a way, is a logout), user should be
> presented with a login page. As we see, with SSO, the behavior is a little bit
> different and unexpected.
> I've created a new ticket:
I guess that we could have a cookie with meaning 'auto-login disabled' for
Maybe it could have very short expiration (1 minute?) so it actually kicks in
only for the one attempt. Or it could be automatically removed after each
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project