[ 
https://issues.apache.org/jira/browse/GUACAMOLE-680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mike Jumper updated GUACAMOLE-680:
----------------------------------
    Description: 
Guacamole's current logout behavior can be problematic when Guacamole is 
configured for SSO (via SAML, CAS, OpenID, etc.):

* A reauthentication attempt is made automatically after logout. For non-SSO 
authentication methods, this results in a login screen prompting for the 
credentials requested by the authentication failure. For SSO, this 
reauthentication attempt is often simply successful (the user is still signed 
in with the IdP), with logout then appearing as if it had no effect.
* For single logout to be implemented (GUACAMOLE-361, GUACAMOLE-519, 
GUACAMOLE-1266), the client side of the web application may need to reach out 
to the IdP to handle the non-Guacamole part of the logout process. This cannot 
occur if the client side of the webapp has already reset its own state in order 
to force reauthentication.

Rather than immediately reset state and reauthenticate, Guacamole should simply 
clean up the current session and notify the user that logout was successful. 
This avoids the issue where users are immediately signed back in via their IdP, 
and allows for future single logout implementations to rely on being able to 
hook into the logout process on the client side.

  was:Rearrange how the AngularJS application handles logouts, firing a warning 
event before the logout occurs and then one after the logout (token deletion) 
has happened.  This is to prep for changes that will allow Single-Sign 
Out/Single Log-out to happen correctly.
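As an added illustration, not Guacamole's own code, the following JavaScript models the two logout strategies the description above contrasts: the current reset-then-reauthenticate flow, in which an SSO reauthentication silently succeeds, and the proposed clean-up-and-notify flow, in which client-side hooks still have a live session to work with. IdpSession, GuacClient, singleLogoutHook and runScenario are hypothetical names and the IdP session is a constructed stand-in.

```javascript
// Added model (not Guacamole's code); IdpSession/GuacClient/runScenario are hypothetical.
// Constructed IdP stand-in: its browser session outlives Guacamole's own token,
// so an SSO reauthentication succeeds until a single logout ends it.
class IdpSession {
  constructor() { this.signedIn = true; }
  authenticate() { return this.signedIn ? 'fresh-idp-token' : null; }
  singleLogout() { this.signedIn = false; }
}
// Hypothetical client-side single-logout hook: it needs the live session
// (here, the auth token) to know which IdP session to end.
function singleLogoutHook(client) {
  if (client.token !== null) client.idp.singleLogout();
}

class GuacClient {
  constructor(idp) {
    this.idp = idp;
    this.token = 'guac-token';
    this.notifications = [];
    this.logoutHooks = [singleLogoutHook];
  }

  // Current behaviour: reset state, then reauthenticate at once. Hooks run
  // only after the reset, so they have no session left to act on.
  logoutThenReauth() {
    this.token = null;
    this.logoutHooks.forEach(h => h(this));
    this.token = this.idp.authenticate(); // SSO silently succeeds
  }

  // Proposed behaviour: hooks run while state is intact, then clean up and
  // tell the user; no automatic reauthentication.
  logoutAndNotify() {
    this.logoutHooks.forEach(h => h(this));
    this.token = null;
    this.notifications.push('You have been logged out.');
  }
}

// Runs one strategy from a fresh signed-in state; reports what the user sees.
function runScenario(useProposed) {
  const client = new GuacClient(new IdpSession());
  if (useProposed) client.logoutAndNotify(); else client.logoutThenReauth();
  return {
    loggedIn: client.token !== null,
    idpSignedIn: client.idp.signedIn,
    notified: client.notifications.length > 0,
  };
}
```

With the current flow the user ends up logged back in and the IdP session is untouched; with the proposed flow the hook ends the IdP session before state is cleared and the user is told logout succeeded.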


> Ensure logout works as expected when using SSO
> ----------------------------------------------
>
>                 Key: GUACAMOLE-680
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-680
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-client
>            Reporter: Nick Couchman
>            Priority: Minor
>             Fix For: 1.4.0
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)