Re: [Koha-devel] SelfCheckoutByLogin

2024-04-16 Thread long_sam.tw via Koha-devel
 Hi, David 

I also found that there is no Google OpenID/OAuth2 login authentication 
mechanism in the staff interface. Why is Google OpenID/OAuth2 authentication not 
used in the back office (staff interface)?
With respect, long_sam


On Monday, 15 April 2024 at 20:45:20 [GMT+8], long_sam.tw via 
Koha-devel wrote:  
 
 ___
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
   Hi, David 
I found the AWS SAML SSO logout example.
SAML sign-out flow - Amazon Cognito



SAML SSO logout IDP, security issues.

When logging out of a SAML SSO IDP (Identity Provider), there are several 
security considerations to keep in mind:

1. Single Logout (SLO) Support: Ensure that your IDP supports Single Logout 
functionality, which logs the user out from all related Service Providers (SPs) 
when they log out from one, maintaining session consistency and security.

2. Logout Request Validation: When the IDP receives a logout request from an 
SP, it must validate the request to prevent malicious requests or Cross-Site 
Request Forgery (CSRF) attacks. Validation can be achieved through digital 
signatures or other secure mechanisms.

3. Security of Callback URLs: Ensure that the callback URLs used during logout 
are secure, avoiding the use of vulnerable or unauthorized URLs.

4. Session Management: Ensure that the IDP correctly terminates relevant 
sessions and clears user authentication information and session data upon 
logout to prevent session hijacking or replay attacks.

5. Security Event Monitoring: Establish monitoring mechanisms for logout 
operations and related session management events to promptly detect abnormal 
behavior or security incidents and take necessary response measures.

6. Security Auditing and Logging: Conduct thorough auditing and logging of 
logout operations and related security events to facilitate audit 
investigations or security incident tracing when needed.

7. Integration with Other Security Mechanisms: Integrate the logout 
functionality of SAML SSO with other security mechanisms such as Multi-Factor 
Authentication (MFA), Access Control Lists (ACLs), etc., to enhance the overall 
security of the system.

8. Regular Security Assessments: Conduct regular security assessments and 
vulnerability scans of the SAML SSO logout process, and promptly address any 
identified security issues to ensure the security and stability of the system.

In summary, logging out of a SAML SSO IDP requires attention to ensuring Single 
Logout support, secure logout request validation, security of callback URLs, 
proper session management, security event monitoring and response, auditing and 
logging, integration with other security mechanisms, and regular security 
assessments and vulnerability fixes.
With respect, long_sam
On Monday, 15 April 2024 at 15:11:14 [GMT+8], David Cook via 
Koha-devel wrote:  
 
 
Part of the reason is that it’s considerably more complicated and error-prone. 

  

If you log in using Google OpenID Connect, the self-checkout browser will 
retain your Google user session beyond your Koha self-checkout user session. 
Also, when Koha goes back to Google to authenticate someone else, it will 
auto-detect that you’re still logged in, and use your account instead. 

  

In theory, we could do a back channel logout against Google (or whatever other 
OpenID Connect identity provider), but if that failed to run for whatever 
reason you’re risking someone else at a public terminal accessing your personal 
Google account.

  

SAML doesn’t even have options for back channel logout, which makes it not an 
option at all. 

  

If someone can think of a really good way of making this work, I’d be happy to 
discuss it further, but I can’t think of a safe way to do this on a public 
terminal at the moment.

  

David Cook

Senior Software Engineer

Prosentient Systems

Suite 7.03

6a Glen St

Milsons Point NSW 2061

Australia

  

Office: 02 9212 0899

Online: 02 8005 0595

  

From: Koha-devel  On Behalf Of 
Katrin Fischer via Koha-devel
Sent: Monday, 15 April 2024 6:29 AM
To: koha-devel@lists.koha-community.org
Subject: Re: [Koha-devel] SelfCheckoutByLogin

  

Hi,

I think there is probably no specific reason, it's just not been developed yet.

As a next step you could search Bugzilla 
(https://bugs.koha-community.org/bugzilla3/) for any related bugs. If there is 
no existing report yet, you could file a new enhancement request.

Hope this helps,

Katrin

On 12.04.24 23:49, long_sam.tw via Koha-devel wrote:


Hi, all

  

Koha SelfCheckoutByLogin 

  

https://koha-community.org/manual/latest/en/html/circulationpreferences.html#selfcheckoutbylogin

  

  

I found that only local account authentication and cardnumber are supported, 
but other authentication methods are not supported,

such as google 

Re: [Koha-devel] SelfCheckoutByLogin

2024-04-16 Thread David Cook via Koha-devel
Hi long_sam,

 

Thanks for your reply. You’re right; SAML does have single log out 
functionality.  However, from my understanding it’s a “front-channel logout” 
mechanism that requires the redirecting of the user in the browser.

 

With OpenID Connect, the “back-channel logout” is a request sent from the 
server to the IdP without needing to redirect the user in the browser. As far 
as I know, SAML doesn’t have “back-channel logout” functionality. 

 

That being said, I suppose there’s no reason you couldn’t do a front-channel 
logout. In fact, that might be preferable, because then the user would know 
that they’ve been logged out of the Identity Provider (or that there was some 
failure to logout, so they could take manual steps to end their SSO session).

 

--

 

I like the idea of being able to use credentials from a centralized Identity 
Provider to log into the self-checkout, but personally I wouldn’t want to use 
SSO on a shared system that could potentially leave my SSO session open beyond 
my interactions with the self-checkout. And I’m a tech-savvy user. I fear for 
users who are not tech-savvy. 

 

Another technical detail. At the moment, Koha is set up to allow SAML or OpenID 
Connect for creating authenticated user sessions. In the case of the 
self-checkout, the actual user session belongs to a self-checkout user. When 
you put in your cardnumber or username/password, you’re not actually creating a 
new user session. You’re really just authorizing the self-checkout user to work 
with your account. So the existing code for the SAML/OpenID Connect can’t be 
easily re-used I think. We’d need totally different implementations just for 
the self-checkout. (I suppose one option would be to allow SSO login, confirm 
the authenticated session, and then immediately do a SLO (single log out) from 
the IdP to help reduce the time the SSO session exists.)

 

--

 

So overall… there are ways of doing it. A few of us discussed it at 
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30444 but ultimately 
no one decided to pursue it. 

 

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30979 provided a 
method for allowing OPAC users to checkout to themselves, so you’d login as the 
OPAC user (using SSO) and then checkout to yourself. I think the idea here is 
that you do it on a private device though. 

 

David Cook

Senior Software Engineer

Prosentient Systems

Suite 7.03

6a Glen St

Milsons Point NSW 2061

Australia

 

Office: 02 9212 0899

Online: 02 8005 0595

 

From: long_sam.tw  
Sent: Monday, 15 April 2024 10:45 PM
To: koha-devel@lists.koha-community.org; David Cook 
Subject: Re: [Koha-devel] SelfCheckoutByLogin

[Koha-devel] 24.05 Release dates

2024-04-16 Thread Fischer, Katrin via Koha-devel
Hi all,

 

you've probably already been waiting for this, so here it is:

 

* 30 April: Soft feature freeze

  - Nothing big or with high risk of side-effects will be pushed after this
    date.

  - Everything Passed QA will be reviewed by RM for this release and pushed
    if no further work is required.

* 10 May: Hard feature freeze and String warning

  - Nothing categorized as 'enhancement' or 'new feature' will be pushed
    after this date if not already marked as Passed QA.

* 13 May: String warning - Start your translations!

  - With the new translation system the translation files are continuously
    updated, so you can start on translations anytime. We assume that by this
    date most string changes should have been pushed as we will have entered
    hard feature freeze.

  - If you haven't entered release notes for your features and enhancements
    on Bugzilla yet, now is the time to help pretty up the release notes!

* 17 May: Bug freeze / String freeze

  - Only bug fixes considered major, critical or blocker will be pushed
    after this.

  - We will avoid pushing any more string changes to let translators finish.

  - Last release preparations will take place.

* 28 May: 24.05 Release

 

Dates are to be read as 'until the end of this day' in your own timezone. ;)

 

Close to the finish line - let's make 24.05 shine!

 

Katrin

 

PS: Please consider putting your name down for one of the many roles in the
release team for 24.11! https://wiki.koha-community.org/wiki/Roles_for_24.11


 





[Koha-devel] Signoff request

2024-04-16 Thread Marcel de Rooy via Koha-devel
Hello all,

I need help on the following bugs (signoffs), all related to acquisition,
although some marked as architectural:

- Bug 36002 (Koha / Acquisitions, assignee m.de.r...@rijksmuseum.nl, Needs
  Signoff, enhancement): Get rid of aqorders.purchaseordernumber
  (last changed 2024-02-06)
- Bug 36018 (Koha / Architecture, assignee m.de.r...@rijksmuseum.nl, Needs
  Signoff, enhancement): Improve consistency in Acquisition/Order(s)
  regarding active/current orders (last changed 2024-03-25, rebased)
- Bug 35994 (Koha / Architecture, assignee m.de.r...@rijksmuseum.nl, Needs
  Signoff, enhancement): New acquisition status method to see if biblio
  record is still in acquisition (last changed today 13:04:46, changed title)

Still apply on master today. Would be nice to see them getting further.
35994 has dependencies.

Thanks,
Marcel


[Koha-devel] REMINDER: Development IRC meeting on the 17th of April 2024

2024-04-16 Thread Paul Derscheid via Koha-devel
Hi all,
 
We have a Development IRC/Jitsi meeting scheduled for tomorrow:
https://wiki.koha-community.org/wiki/Development_IRC_meeting_17_April_2024
 
Time converter:
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Koha+Developers+IRC+Meeting=20240417T1200
 

 
Please feel free to add any topics you’d like to discuss to the agenda or let 
me know and I am happy to add them for you.
If you are lead or supporter of a roadmap project, we will be happy to get an 
update on progress.
 
See you there!
 
Paul
