Posted to user@knox.apache.org by Sandeep Moré <mo...@gmail.com> on 2018/02/25 16:12:54 UTC

[DISCUSS] KIP-10 KnoxSSO Logout Flow

Hello All,

I am kickstarting a discussion about the KnoxSSO logout flow. I created a KIP
page for it:
https://cwiki.apache.org/confluence/display/KNOX/KIP-10+KnoxSSO+Logout+Flow

In the coming week I am planning on adding more sections for CAS, OpenID
Connect etc. as I research them more. In the meantime, if you could take a
look at it and provide feedback/comments/suggestions that would be
extremely helpful. Also, please feel free to let me know of any use case
you might think is useful and should be added.

Best,
Sandeep

Re: [DISCUSS] KIP-10 KnoxSSO Logout Flow

Posted by Sandeep Moré <mo...@gmail.com>.
Thanks Jérôme

I had missed the backchannel part, thanks for reminding me!

I was able to make SAML logout work (POC for now) with a few modifications
to Pac4J classes, but it seems to work great.

Best,
Sandeep

On Mon, Feb 26, 2018 at 2:04 AM, Jérôme LELEU <le...@gmail.com> wrote:

> Hi,
>
> pac4j aims to handle authentication and logout as well. But the "logout"
> concept relates to many things.
>
> In pac4j implementations (like j2e-pac4j), we have a logout filter whose
> role is double:
> 1) performs (or not) a local logout: removing the pac4j user profiles from
> the session and even destroying the web session (it depends on the
> configuration)
> 2) redirects/calls to the identity provider for a global logout (this
> application and all applications the user has logged in to during his web
> SSO session)
>
> Behind the scenes, the DefaultLogoutLogic is called which uses the
> LogoutActionBuilder of the client to know how to call the identity provider
> for logout.
>
> See: https://github.com/pac4j/j2e-pac4j#6-logout-logoutfilter
>
> Though, there is more: the identity provider may have been called by
> another application also requesting a global logout, so it may call the
> application to request a local logout. This can be done in two ways:
> - from server to server, it's a back-channel logout call
> - from browser to server, it's a front-channel logout (we have the session
> cookie for the application and thus can easily find the user session).
>
> The logout call must be received on the callback endpoint, which handles
> both: callback calls for authentication as well as logout calls.
>
> This last part only works for CAS currently. For SAML, it's more or less
> in progress.
>
> Just let me know if you need more explanations.
>
> Thanks.
> Best regards,
> Jérôme
>
>
>
> On Sun, Feb 25, 2018 at 5:12 PM, Sandeep Moré <mo...@gmail.com>
> wrote:
>
>> Hello All,
>>
>> I am kickstarting a discussion about the KnoxSSO logout flow. I created a
>> KIP page for it:
>> https://cwiki.apache.org/confluence/display/KNOX/KIP-10+KnoxSSO+Logout+Flow
>>
>> In the coming week I am planning on adding more sections for CAS, OpenID
>> Connect etc. as I research them more. In the meantime, if you could take a
>> look at it and provide feedback/comments/suggestions that would be
>> extremely helpful. Also, please feel free to let me know of any use case
>> you might think is useful and should be added.
>>
>> Best,
>> Sandeep
>>
>
>

Re: [DISCUSS] KIP-10 KnoxSSO Logout Flow

Posted by Jérôme LELEU <le...@gmail.com>.
Hi,

pac4j aims to handle authentication and logout as well. But the "logout"
concept relates to many things.

In pac4j implementations (like j2e-pac4j), we have a logout filter whose
role is double:
1) performs (or not) a local logout: removing the pac4j user profiles from
the session and even destroying the web session (it depends on the
configuration)
2) redirects/calls to the identity provider for a global logout (this
application and all applications the user has logged in to during his web
SSO session)

Behind the scenes, the DefaultLogoutLogic is called which uses the
LogoutActionBuilder of the client to know how to call the identity provider
for logout.

See: https://github.com/pac4j/j2e-pac4j#6-logout-logoutfilter

Though, there is more: the identity provider may have been called by
another application also requesting a global logout, so it may call the
application to request a local logout. This can be done in two ways:
- from server to server, it's a back-channel logout call
- from browser to server, it's a front-channel logout (we have the session
cookie for the application and thus can easily find the user session).

The logout call must be received on the callback endpoint, which handles
both: callback calls for authentication as well as logout calls.

This last part only works for CAS currently. For SAML, it's more or less in
progress.

Just let me know if you need more explanations.

Thanks.
Best regards,
Jérôme



On Sun, Feb 25, 2018 at 5:12 PM, Sandeep Moré <mo...@gmail.com> wrote:

> Hello All,
>
> I am kickstarting a discussion about the KnoxSSO logout flow. I created a
> KIP page for it:
> https://cwiki.apache.org/confluence/display/KNOX/KIP-10+KnoxSSO+Logout+Flow
>
> In the coming week I am planning on adding more sections for CAS, OpenID
> Connect etc. as I research them more. In the meantime, if you could take a
> look at it and provide feedback/comments/suggestions that would be
> extremely helpful. Also, please feel free to let me know of any use case
> you might think is useful and should be added.
>
> Best,
> Sandeep
>
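
Added example (not part of the thread, and not pac4j or Apache Knox code): a small Python model of the two things Jérôme's message describes, the logout filter's double role (local logout of profiles/session, then redirect to the IdP for a global logout) and a single callback endpoint that serves both authentication callbacks and IdP-initiated logout calls in their front-channel (browser carries the application's cookie) and back-channel (server to server, no cookie) forms. The message shapes ("assertion", "logout_request"), the HMAC standing in for the IdP's signature on a back-channel request, and all names and URLs are assumptions made for the example. It also shows the two things a back-channel logout forces on the application that the front-channel one does not: an index from the IdP's session id to local sessions, kept at login time, and a check that the request really comes from the IdP before any session is destroyed.

```python
"""Model of an SSO client (service provider) with one callback endpoint that
serves both authentication callbacks and IdP-initiated logout requests.

Added example for this thread; not pac4j or Apache Knox code. The message
shapes ("assertion", "logout_request") and the HMAC standing in for the
IdP's signature are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def idp_sign(idp_key: bytes, sso_session_id: str) -> str:
    """Stand-in for the IdP signing its back-channel logout request (assumption)."""
    return hmac.new(idp_key, sso_session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class LocalSession:
    user: str
    sso_session_id: str                             # the IdP's id for this SSO session
    profiles: list = field(default_factory=list)    # pac4j-style user profiles


class SsoClientApp:
    def __init__(self, idp_logout_url: str, idp_key: bytes):
        self.idp_logout_url = idp_logout_url
        self.idp_key = idp_key
        self.sessions = {}        # cookie value -> LocalSession
        self.by_sso_id = {}       # sso_session_id -> set of cookie values (needed for back-channel)

    # ---- the logout filter's double role: local logout, then global logout ----
    def logout(self, cookie: str, destroy_session: bool = True,
               central_logout: bool = True) -> Optional[str]:
        """Returns the IdP URL to redirect the browser to for global logout, or None."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return None
        sess.profiles.clear()                       # local logout: drop the profiles...
        if destroy_session:                         # ...and, if configured, the web session
            self._destroy(cookie)
        if central_logout:                          # global logout: send the browser to the IdP
            return f"{self.idp_logout_url}?sso_session_id={sess.sso_session_id}"
        return None

    # ---- the callback endpoint: authentication callbacks and logout calls -------
    def callback(self, params: dict, cookie: Optional[str] = None) -> dict:
        if "logout_request" in params:
            return self._idp_initiated_logout(params["logout_request"], cookie)
        if "assertion" in params:
            return self._authentication_callback(params["assertion"])
        return {"status": 400}

    def _authentication_callback(self, assertion: dict) -> dict:
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = LocalSession(
            assertion["user"], assertion["sso_session_id"], ["profile"])
        # Remember which local sessions belong to which IdP session; a back-channel
        # logout arrives without a cookie and can only name the IdP session.
        self.by_sso_id.setdefault(assertion["sso_session_id"], set()).add(cookie)
        return {"status": 200, "set_cookie": cookie}

    def _idp_initiated_logout(self, req: dict, cookie: Optional[str]) -> dict:
        if cookie is not None:
            # Front-channel: the browser carried our cookie, so the session is found directly.
            return {"status": 200, "destroyed": 1 if self._destroy(cookie) else 0}
        # Back-channel: server to server, no cookie. Verify the request really comes
        # from the IdP before destroying anything; otherwise anyone who can reach the
        # callback endpoint can log users out by guessing session ids.
        expected = idp_sign(self.idp_key, req.get("sso_session_id", ""))
        if not hmac.compare_digest(req.get("mac", ""), expected):
            return {"status": 403, "destroyed": 0}
        cookies = self.by_sso_id.get(req["sso_session_id"], set()).copy()
        return {"status": 200, "destroyed": sum(1 for c in cookies if self._destroy(c))}

    def _destroy(self, cookie: str) -> bool:
        sess = self.sessions.pop(cookie, None)
        if sess is None:
            return False
        self.by_sso_id.get(sess.sso_session_id, set()).discard(cookie)
        return True


if __name__ == "__main__":
    # Constructed walk-through: login, then a user-initiated logout.
    app = SsoClientApp("https://idp.example/logout", b"idp-secret")
    c = app.callback({"assertion": {"user": "alice", "sso_session_id": "S1"}})["set_cookie"]
    print("redirect browser to:", app.logout(c))
```

The front-channel branch needs nothing beyond the cookie, which is why Jérôme notes it "can easily find the user session"; the back-channel branch is where the extra bookkeeping and the authenticity check live, and a real implementation would verify the IdP's signature on the SAML LogoutRequest or CAS logout message instead of the HMAC used here.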
