[ https://issues.apache.org/jira/browse/GUACAMOLE-680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Jumper closed GUACAMOLE-680.
---------------------------------
Resolution: Done
> Ensure logout works as expected when using SSO
> ----------------------------------------------
>
> Key: GUACAMOLE-680
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-680
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole
> Reporter: Nick Couchman
> Assignee: Mike Jumper
> Priority: Minor
> Fix For: 1.4.0
>
> Attachments: you-have-been-logged-out.png
>
>
> Guacamole's current logout behavior can be problematic when Guacamole is
> configured for SSO (via SAML, CAS, OpenID, etc.):
> * A reauthentication attempt is made automatically after logout. For non-SSO
> authentication methods, this results in a login screen prompting for the
> credentials requested by the authentication failure. For SSO, this
> reauthentication attempt is often simply successful (the user is still signed
> in with the IdP), with logout then appearing as if it had no effect.
> * For single logout to be implemented (GUACAMOLE-361, GUACAMOLE-519,
> GUACAMOLE-1266), the client side of the web application may need to reach out
> to the IdP to handle the non-Guacamole part of the logout process. This
> cannot occur if the client side of the webapp has already reset its own state
> in order to force reauthentication.
>
> Rather than immediately reset state and reauthenticate, Guacamole should
> simply clean up the current session and notify the user that logout was
> successful. This avoids the issue where users are immediately signed back in
> via their IdP, and allows for future single logout implementations to rely on
> being able to hook into the logout process on the client side.