Posted to dev@cxf.apache.org by Jan Bernhardt <jb...@talend.com> on 2015/03/12 17:51:40 UTC

[Fediz] Single Logout Flow at IDP

Hi Fediz Developer,

I was wondering about the logout flow at the IDP. Currently we get a logout page first with a list of active RPs, then we need to confirm to do the actual logout.

The WS-Federation standard describes two actions: wsignout1.0 and wsignoutcleanup1.0

Currently we treat both actions alike in Fediz IDP. I would suggest to change the logout behavior to only show the confirm dialog if wsignout1.0 is called and after confirmation navigating to the wsignoutcleanup1.0 URL. If wsignoutcleanup1.0 is called directly we should not show a confirmation dialog but logout directly.

This way we could also better support a federated logout scenario with multiple IDPs, without the need to confirm on each IDP individually.

WDYT?

Best regards
Jan


Re: [Fediz] Single Logout Flow at IDP

Posted by Jan Bernhardt <jb...@talend.com>.
Perfect!

Thanks a lot!

Regards
Jan

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, 13 April 2015 17:31
> To: dev@cxf.apache.org
> Subject: Re: [Fediz] Single Logout Flow at IDP
> 
> I've implemented this along the lines of Jan's suggestion for 1.2.0:
> 
> a) wsignout1.0 -> Prompts for confirmation by default. Confirmation can be
> disabled by the IdP property "rpSingleSignOutConfirmation".
> b) wsignoutcleanup1.0 -> Does not prompt for confirmation by default.
> Confirmation can be enabled by the IdP property
> "rpSingleSignOutCleanupConfirmation".
> 
> Colm.
> 
> On Thu, Mar 19, 2015 at 12:13 PM, Jan Bernhardt <jb...@talend.com>
> wrote:
> 
> > Hi Oli,
> >
> > I would prefer to avoid a configuration setting for this issue. I
> > don't want to confuse users with too many configuration options. WDYT?
> >
> > Kind regards
> > Jan
> >
> > Jan Bernhardt, M.Sc.
> > PROFESSIONAL SERVICES CONSULTANT
> > jbernhardt@talend.com | www.talend.com Talend Germany GmbH |
> > Servatiusstrasse 53 - 53175 Bonn - Germany
> >
> > Visit my blog at https://janbernhardt.blogspot.de
> >
> > > -----Original Message-----
> > > From: Oliver Wulff [mailto:owulff@talend.com]
> > > Sent: Monday, 16 March 2015 08:23
> > > To: dev@cxf.apache.org; coheigea@apache.org
> > > Subject: Re: [Fediz] Single Logout Flow at IDP
> > >
> > > Hi Jan
> > > What do you think about making this configurable for both cases?
> > > In this release we can also change the DB schema quite easily.
> > > Thanks
> > > Oli
> > >
> > >
> > >
> > > Sent from my Samsung device.
> > >
> > >
> > > -------- Original Message --------
> > > From: Jan Bernhardt <jb...@talend.com>
> > > Date: 13.03.2015 09:14 (GMT+01:00)
> > > To: dev@cxf.apache.org, coheigea@apache.org
> > > Subject: Re: [Fediz] Single Logout Flow at IDP
> > >
> > > It is not urgent from my point of view.
> > >
> > > Since the logout behavior will change I think it would be great to
> > > have this change in 1.2.0 and not in a bug-fix release. But it would
> > > also be ok IMHO.
> > >
> > > Best regards
> > > Jan
> > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, 12 March 2015 17:56
> > > > To: dev@cxf.apache.org
> > > > Subject: Re: [Fediz] Single Logout Flow at IDP
> > > >
> > > > Hi Jan,
> > > >
> > > > Yeah that makes sense IMO. Perhaps a task for 1.2.1 though or do
> > > > you need it for 1.2.0?
> > > >
> > > > Colm.
> > > >
> > > > On Thu, Mar 12, 2015 at 4:51 PM, Jan Bernhardt
> > > > <jb...@talend.com>
> > > > wrote:
> > > >
> > > > > Hi Fediz Developer,
> > > > >
> > > > > I was wondering about the logout flow at the IDP. Currently we
> > > > > get a logout page first with a list of active RPs, then we need
> > > > > to confirm to do the actual logout.
> > > > >
> > > > > The WS-Federation standard describes two actions: wsignout1.0
> > > > > and wsignoutcleanup1.0
> > > > >
> > > > > Currently we treat both actions alike in Fediz IDP. I would
> > > > > suggest to change the logout behavior to only show the confirm
> > > > > dialog if wsignout1.0 is called and after confirmation navigating
> > > > > to the wsignoutcleanup1.0 URL. If wsignoutcleanup1.0 is called
> > > > > directly we should not show a confirmation dialog but logout
> > > > > directly.
> > > > >
> > > > > This way we could also better support a federated logout
> > > > > scenario with multiple IDPs, without the need to confirm on each
> > > > > IDP individually.
> > > > >
> > > > > WDYT?
> > > > >
> > > > > Best regards
> > > > > Jan
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> >
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com

Re: [Fediz] Single Logout Flow at IDP

Posted by Colm O hEigeartaigh <co...@apache.org>.
I've implemented this along the lines of Jan's suggestion for 1.2.0:

a) wsignout1.0 -> Prompts for confirmation by default. Confirmation can be
disabled by the IdP property "rpSingleSignOutConfirmation".
b) wsignoutcleanup1.0 -> Does not prompt for confirmation by default.
Confirmation can be enabled by the IdP property
"rpSingleSignOutCleanupConfirmation".

Colm.

On Thu, Mar 19, 2015 at 12:13 PM, Jan Bernhardt <jb...@talend.com>
wrote:

> Hi Oli,
>
> I would prefer to avoid a configuration setting for this issue. I don't
> want to confuse users with too many configuration options. WDYT?
>
> Kind regards
> Jan
>
> Jan Bernhardt, M.Sc.
> PROFESSIONAL SERVICES CONSULTANT
> jbernhardt@talend.com | www.talend.com
> Talend Germany GmbH | Servatiusstrasse 53 - 53175 Bonn - Germany
>
> Visit my blog at https://janbernhardt.blogspot.de
>
> > -----Original Message-----
> > From: Oliver Wulff [mailto:owulff@talend.com]
> > Sent: Monday, 16 March 2015 08:23
> > To: dev@cxf.apache.org; coheigea@apache.org
> > Subject: Re: [Fediz] Single Logout Flow at IDP
> >
> > Hi Jan
> > What do you think about making this configurable for both cases?
> > In this release we can also change the DB schema quite easily.
> > Thanks
> > Oli
> >
> >
> >
> > Sent from my Samsung device.
> >
> >
> > -------- Original Message --------
> > From: Jan Bernhardt <jb...@talend.com>
> > Date: 13.03.2015 09:14 (GMT+01:00)
> > To: dev@cxf.apache.org, coheigea@apache.org
> > Subject: Re: [Fediz] Single Logout Flow at IDP
> >
> > It is not urgent from my point of view.
> >
> > Since the logout behavior will change I think it would be great to have
> > this change in 1.2.0 and not in a bug-fix release. But it would also be
> > ok IMHO.
> >
> > Best regards
> > Jan
> >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Thursday, 12 March 2015 17:56
> > > To: dev@cxf.apache.org
> > > Subject: Re: [Fediz] Single Logout Flow at IDP
> > >
> > > Hi Jan,
> > >
> > > Yeah that makes sense IMO. Perhaps a task for 1.2.1 though or do you
> > > need it for 1.2.0?
> > >
> > > Colm.
> > >
> > > On Thu, Mar 12, 2015 at 4:51 PM, Jan Bernhardt <jb...@talend.com>
> > > wrote:
> > >
> > > > Hi Fediz Developer,
> > > >
> > > > I was wondering about the logout flow at the IDP. Currently we get a
> > > > logout page first with a list of active RPs, then we need to confirm
> > > > to do the actual logout.
> > > >
> > > > The WS-Federation standard describes two actions: wsignout1.0 and
> > > > wsignoutcleanup1.0
> > > >
> > > > Currently we treat both actions alike in Fediz IDP. I would suggest
> > > > to change the logout behavior to only show the confirm dialog if
> > > > wsignout1.0 is called and after confirmation navigating to the
> > > > wsignoutcleanup1.0 URL.
> > > > If wsignoutcleanup1.0 is called directly we should not show a
> > > > confirmation dialog but logout directly.
> > > >
> > > > This way we could also better support a federated logout scenario
> > > > with multiple IDPs, without the need to confirm on each IDP
> > > > individually.
> > > >
> > > > WDYT?
> > > >
> > > > Best regards
> > > > Jan
> > > >
> > > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
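
Added example (not part of the mailing-list thread and not Fediz code): a small Python model of the behaviour described in the message above, counting how many confirmation pages a user sees when several IdPs take part in one logout. The names `IdpConfig`, `decide`, `prompts_in_federated_logout`, the `confirmed` flag and the `idpN.example` URLs are hypothetical; the two config fields stand for the IdP properties named in the message.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

SIGNOUT = "wsignout1.0"
CLEANUP = "wsignoutcleanup1.0"


@dataclass(frozen=True)
class IdpConfig:
    # Defaults mirror the behaviour described in the thread for 1.2.0.
    signout_confirmation: bool = True    # "rpSingleSignOutConfirmation"
    cleanup_confirmation: bool = False   # "rpSingleSignOutCleanupConfirmation"


def decide(url, cfg=IdpConfig(), confirmed=False):
    """Return 'confirm', 'logout' or 'reject' for one sign-out request."""
    actions = parse_qs(urlsplit(url).query).get("wa", [])
    if len(actions) != 1:
        return "reject"  # missing or repeated wa parameter
    prompt = {SIGNOUT: cfg.signout_confirmation,
              CLEANUP: cfg.cleanup_confirmation}.get(actions[0])
    if prompt is None:
        return "reject"  # not a sign-out action
    return "confirm" if prompt and not confirmed else "logout"


def prompts_in_federated_logout(configs):
    """Count confirmation pages the user sees across a chain of IdPs.

    Assumption: the first IdP receives wsignout1.0 from the user and every
    further IdP is reached with wsignoutcleanup1.0.
    """
    prompts = 0
    for i, cfg in enumerate(configs):
        wa = SIGNOUT if i == 0 else CLEANUP
        url = f"https://idp{i}.example/logout?wa={wa}"  # constructed URL
        if decide(url, cfg) == "confirm":
            prompts += 1
            if decide(url, cfg, confirmed=True) != "logout":
                raise RuntimeError("confirmation did not lead to logout")
    return prompts


if __name__ == "__main__":
    both_prompt = IdpConfig(signout_confirmation=True, cleanup_confirmation=True)
    print(prompts_in_federated_logout([both_prompt] * 3))  # both actions alike
    print(prompts_in_federated_logout([IdpConfig()] * 3))  # 1.2.0 defaults
```
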

Re: [Fediz] Single Logout Flow at IDP

Posted by Jan Bernhardt <jb...@talend.com>.
Hi Oli,

I would prefer to avoid a configuration setting for this issue. I don't want to confuse users with too many configuration options. WDYT?

Kind regards
Jan

Jan Bernhardt, M.Sc.
PROFESSIONAL SERVICES CONSULTANT
jbernhardt@talend.com | www.talend.com
Talend Germany GmbH | Servatiusstrasse 53 - 53175 Bonn - Germany

Visit my blog at https://janbernhardt.blogspot.de

> -----Original Message-----
> From: Oliver Wulff [mailto:owulff@talend.com]
> Sent: Monday, 16 March 2015 08:23
> To: dev@cxf.apache.org; coheigea@apache.org
> Subject: Re: [Fediz] Single Logout Flow at IDP
> 
> Hi Jan
> What do you think about making this configurable for both cases?
> In this release we can also change the DB schema quite easily.
> Thanks
> Oli
> 
> 
> 
> Sent from my Samsung device.
> 
> 
> -------- Original Message --------
> From: Jan Bernhardt <jb...@talend.com>
> Date: 13.03.2015 09:14 (GMT+01:00)
> To: dev@cxf.apache.org, coheigea@apache.org
> Subject: Re: [Fediz] Single Logout Flow at IDP
> 
> It is not urgent from my point of view.
> 
> Since the logout behavior will change I think it would be great to have this change
> in 1.2.0 and not in a bug-fix release. But it would also be ok IMHO.
> 
> Best regards
> Jan
> 
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Thursday, 12 March 2015 17:56
> > To: dev@cxf.apache.org
> > Subject: Re: [Fediz] Single Logout Flow at IDP
> >
> > Hi Jan,
> >
> > Yeah that makes sense IMO. Perhaps a task for 1.2.1 though or do you
> > need it for 1.2.0?
> >
> > Colm.
> >
> > On Thu, Mar 12, 2015 at 4:51 PM, Jan Bernhardt <jb...@talend.com>
> > wrote:
> >
> > > Hi Fediz Developer,
> > >
> > > I was wondering about the logout flow at the IDP. Currently we get a
> > > logout page first with a list of active RPs, then we need to confirm
> > > to do the actual logout.
> > >
> > > The WS-Federation standard describes two actions: wsignout1.0 and
> > > wsignoutcleanup1.0
> > >
> > > Currently we treat both actions alike in Fediz IDP. I would suggest
> > > to change the logout behavior to only show the confirm dialog if
> > > wsignout1.0 is called and after confirmation navigating to the
> > > wsignoutcleanup1.0 URL.
> > > If wsignoutcleanup1.0 is called directly we should not show a
> > > confirmation dialog but logout directly.
> > >
> > > This way we could also better support a federated logout scenario
> > > with multiple IDPs, without the need to confirm on each IDP individually.
> > >
> > > WDYT?
> > >
> > > Best regards
> > > Jan
> > >
> > >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com

Re: [Fediz] Single Logout Flow at IDP

Posted by Oliver Wulff <ow...@talend.com>.
Hi Jan
What do you think about making this configurable for both cases?
In this release we can also change the DB schema quite easily.
Thanks
Oli



Sent from my Samsung device.


-------- Original Message --------
From: Jan Bernhardt <jb...@talend.com>
Date: 13.03.2015 09:14 (GMT+01:00)
To: dev@cxf.apache.org, coheigea@apache.org
Subject: Re: [Fediz] Single Logout Flow at IDP

It is not urgent from my point of view.

Since the logout behavior will change I think it would be great to have this change in 1.2.0 and not in a bug-fix release. But it would also be ok IMHO.

Best regards
Jan

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, 12 March 2015 17:56
> To: dev@cxf.apache.org
> Subject: Re: [Fediz] Single Logout Flow at IDP
>
> Hi Jan,
>
> Yeah that makes sense IMO. Perhaps a task for 1.2.1 though or do you need it for
> 1.2.0?
>
> Colm.
>
> On Thu, Mar 12, 2015 at 4:51 PM, Jan Bernhardt <jb...@talend.com>
> wrote:
>
> > Hi Fediz Developer,
> >
> > I was wondering about the logout flow at the IDP. Currently we get a
> > logout page first with a list of active RPs, then we need to confirm
> > to do the actual logout.
> >
> > The WS-Federation standard describes two actions: wsignout1.0 and
> > wsignoutcleanup1.0
> >
> > Currently we treat both actions alike in Fediz IDP. I would suggest to
> > change the logout behavior to only show the confirm dialog if
> > wsignout1.0 is called and after confirmation navigating to the
> > wsignoutcleanup1.0 URL.
> > If wsignoutcleanup1.0 is called directly we should not show a
> > confirmation dialog but logout directly.
> >
> > This way we could also better support a federated logout scenario with
> > multiple IDPs, without the need to confirm on each IDP individually.
> >
> > WDYT?
> >
> > Best regards
> > Jan
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

Re: [Fediz] Single Logout Flow at IDP

Posted by Jan Bernhardt <jb...@talend.com>.
It is not urgent from my point of view. 

Since the logout behavior will change I think it would be great to have this change in 1.2.0 and not in a bug-fix release. But it would also be ok IMHO. 

Best regards
Jan

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, 12 March 2015 17:56
> To: dev@cxf.apache.org
> Subject: Re: [Fediz] Single Logout Flow at IDP
> 
> Hi Jan,
> 
> Yeah that makes sense IMO. Perhaps a task for 1.2.1 though or do you need it for
> 1.2.0?
> 
> Colm.
> 
> On Thu, Mar 12, 2015 at 4:51 PM, Jan Bernhardt <jb...@talend.com>
> wrote:
> 
> > Hi Fediz Developer,
> >
> > I was wondering about the logout flow at the IDP. Currently we get a
> > logout page first with a list of active RPs, then we need to confirm
> > to do the actual logout.
> >
> > The WS-Federation standard describes two actions: wsignout1.0 and
> > wsignoutcleanup1.0
> >
> > Currently we treat both actions alike in Fediz IDP. I would suggest to
> > change the logout behavior to only show the confirm dialog if
> > wsignout1.0 is called and after confirmation navigating to the
> > wsignoutcleanup1.0 URL.
> > If wsignoutcleanup1.0 is called directly we should not show a
> > confirmation dialog but logout directly.
> >
> > This way we could also better support a federated logout scenario with
> > multiple IDPs, without the need to confirm on each IDP individually.
> >
> > WDYT?
> >
> > Best regards
> > Jan
> >
> >
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com

Re: [Fediz] Single Logout Flow at IDP

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Jan,

Yeah that makes sense IMO. Perhaps a task for 1.2.1 though or do you need
it for 1.2.0?

Colm.

On Thu, Mar 12, 2015 at 4:51 PM, Jan Bernhardt <jb...@talend.com>
wrote:

> Hi Fediz Developer,
>
> I was wondering about the logout flow at the IDP. Currently we get a
> logout page first with a list of active RPs, then we need to confirm to do
> the actual logout.
>
> The WS-Federation standard describes two actions: wsignout1.0 and
> wsignoutcleanup1.0
>
> Currently we treat both actions alike in Fediz IDP. I would suggest to
> change the logout behavior to only show the confirm dialog if wsignout1.0
> is called and after confirmation navigating to the wsignoutcleanup1.0 URL.
> If wsignoutcleanup1.0 is called directly we should not show a confirmation
> dialog but logout directly.
> dialog but logout directly.
>
> This way we could also better support a federated logout scenario with
> multiple IDPs, without the need to confirm on each IDP individually.
>
> WDYT?
>
> Best regards
> Jan
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com