https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30444
--- Comment #21 from David Cook <[email protected]> ---

(In reply to David Cook from comment #20)
> I'm waiting on some client requirements for SAML SSO in SCO, and when I get
> those I should be able to provide more useful feedback/assistance as well.

I've heard back and their requirement is to use SAML SSO for SCO when the SCO is a dedicated physical terminal in the library.

I'm going to see if they can do LDAP instead as it'll be more straightforward, but here's my thought for a physical terminal SCO:

1. Go to SCO landing page
2. Click button to trigger SSO login
3. Redirect to SSO IdP
4. Login to SSO IdP
5. Redirect back to Koha SCO
6. Create Koha SCO session using the JWT
7. Redirect back to SSO IdP for logout
8. Redirect back to Koha SCO to proceed with JWT

It's a multi-hop process, but it could be smooth unless the SSO IdP has a prompt for the logout.

I have less experience with SAML than OpenID Connect. With OIDC, you redirect to a logout URL with a post_logout_redirect_uri, and it returns you to Koha without the user really being any the wiser.

The alternative would be redirecting to the SSO IdP for logout when clicking "Finish" or during a SCO timeout but... that seems more error prone to me. Someone might step away and not fully log out, and then someone else has access to their authenticated session from a dedicated physical terminal...

-- Less of an issue of course if they're doing the self-checkout from their own device online. That's why I'm thinking we might need some way of differentiating the two scenarios...
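The OIDC variant of steps 6 to 8 above, as an added example that is not part of the bug comment or of Koha's code: after the SCO session exists, a dedicated terminal is sent to the IdP's logout endpoint with a post_logout_redirect_uri and a state value, and the return is only accepted if that state matches. The endpoint URL, the return URL and the terminal flag are constructed assumptions.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values: a hypothetical IdP end_session_endpoint and SCO return URL.
END_SESSION_ENDPOINT = "https://idp.example.org/oidc/logout"
SCO_RETURN_URL = "https://koha.example.org/sco"


def build_idp_logout_url(id_token: str, state: str) -> str:
    """Step 7: RP-initiated logout. id_token_hint names the IdP session to end;
    post_logout_redirect_uri brings the browser straight back to the SCO (step 8)."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": SCO_RETURN_URL,
        "state": state,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def post_login_redirect(session: dict, is_dedicated_terminal: bool) -> Optional[str]:
    """After step 6 (SCO session created from the token), decide where to send the browser.
    On a shared physical terminal the IdP session must not outlive the SCO session, so
    log out of the IdP immediately and come back. On the patron's own device, stay put."""
    if not is_dedicated_terminal:
        return None
    state = secrets.token_urlsafe(16)
    session["logout_state"] = state  # remembered so the return can be tied to this logout
    return build_idp_logout_url(session["id_token"], state)


def validate_logout_return(session: dict, return_url: str) -> bool:
    """Step 8: accept the return only if state matches the one issued, and consume it
    so a replayed or stale return URL is rejected."""
    qs = parse_qs(urlparse(return_url).query)
    expected = session.pop("logout_state", None)
    got = qs.get("state", [None])[0]
    return expected is not None and got is not None and secrets.compare_digest(expected, got)
```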
