[ https://issues.apache.org/jira/browse/GUACAMOLE-680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper reopened GUACAMOLE-680:
-----------------------------------

The current "Re-login" button preserves the URL state at the time of logout, 
which can be confusing if logging out to switch accounts. It's probably worth 
altering the behavior of the button to reset things back to {{/}} when clicked.

> Ensure logout works as expected when using SSO
> ----------------------------------------------
>
>                 Key: GUACAMOLE-680
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-680
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole
>            Reporter: Nick Couchman
>            Assignee: Mike Jumper
>            Priority: Minor
>             Fix For: 1.4.0
>
>         Attachments: you-have-been-logged-out.png
>
>
> Guacamole's current logout behavior can be problematic when Guacamole is 
> configured for SSO (via SAML, CAS, OpenID, etc.):
> * A reauthentication attempt is made automatically after logout. For non-SSO 
> authentication methods, this results in a login screen prompting for the 
> credentials requested by the authentication failure. For SSO, this 
> reauthentication attempt is often simply successful (the user is still signed 
> in with the IdP), with logout then appearing as if it had no effect.
> * For single logout to be implemented (GUACAMOLE-361, GUACAMOLE-519, 
> GUACAMOLE-1266), the client side of the web application may need to reach out 
> to the IdP to handle the non-Guacamole part of the logout process. This 
> cannot occur if the client side of the webapp has already reset its own state 
> in order to force reauthentication.
> Rather than immediately reset state and reauthenticate, Guacamole should 
> simply clean up the current session and notify the user that logout was 
> successful. This avoids the issue where users are immediately signed back in 
> via their IdP, and allows for future single logout implementations to rely on 
> being able to hook into the logout process on the client side.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)