From: Sander A. <sa....@fz...> - 2021-12-01 10:08:13
Hi Krzysztof,

In the past we did not support/use SLO because most users did not want to be logged out of all services if they log out from one. This opinion is changing, especially among the users who are managers.

We did not change any attributes from the default Unity config. Can you give us a hint which attributes must be configured to perform SLO? Of course we must configure the SLO endpoints of the accepted SPs. The SLO endpoints of the upstream IdPs should be fetched from the metadata file, if they are provided within. Is this assumption correct?

Besides this, do we only need to configure
- unity.saml.requester.sloPath=/SLO-WEB
- unity.saml.requester.sloRealm=defaultRealm

I guess unityServer.core.logoutMode is only for clicking on the logout button in Unity. But also here we noticed that using the default value internalAndSyncPeers doesn't log you out from the IdP. But maybe this is also not working because we did not enable SLO.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
From: Marcus H. <ha...@ki...> - 2021-12-01 10:46:11
On 01. Dec 2021 11:08, Sander Apweiler wrote:
> Hi Krzysztof,
> in the past we did not support/use SLO because most users did not want to be logged
> out of all services if they log out from one. This opinion is changing
> especially among the users who are managers.

I'd express it more like: there is a 2nd use-case coming up, i.e. we may need two different ways to log out:

1: Log out of Unity
2: Log out of all sessions (e.g. at the end of a guest session on somebody else's computer)

I think two different buttons (unity-logout and global-logout) would be best.

M.

> We did not change any attributes from the default Unity config. Can you
> give us a hint which attributes must be configured to perform SLO? Of
> course we must configure the SLO endpoints of the accepted SPs. The SLO
> endpoints of the upstream IdPs should be fetched from the metadata
> file, if they are provided within. Is this assumption correct?
> Besides this, do we only need to configure
> - unity.saml.requester.sloPath=/SLO-WEB
> - unity.saml.requester.sloRealm=defaultRealm
>
> I guess unityServer.core.logoutMode is only for clicking on the logout
> button in Unity. But also here we noticed that using the default value
> internalAndSyncPeers doesn't log you out from the IdP. But maybe this is
> also not working because we did not enable SLO.
>
> Best regards,
> Sander
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Marcus.
From: Krzysztof B. <kb...@un...> - 2021-12-01 14:55:52
Hi Marcus,

On 01.12.2021 at 11:21, Marcus Hardt wrote:
> On 01. Dec 2021 11:08, Sander Apweiler wrote:
>> Hi Krzysztof,
>> in the past we did not support/use SLO because most users did not want to be logged
>> out of all services if they log out from one. This opinion is changing
>> especially among the users who are managers.
> I'd express it more like: there is a 2nd use-case coming up, i.e. we may
> need two different ways to log out:
> 1: Log out of Unity
> 2: Log out of all sessions (e.g. at the end of a guest session on somebody
> else's computer)
>
> I think two different buttons (unity-logout and global-logout) would be best.

Yes, so we have those two options supported, but they can be configured for the whole server only. We can make it more flexible in the way you have described above, but note that there is also another case (which I believe is by far more common) of logout initiated from an SP, not from Unity directly.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-12-01 14:53:18
Hi Sander,

On 01.12.2021 at 11:08, Sander Apweiler wrote:
> Hi Krzysztof,
> in the past we did not support/use SLO because most users did not want to be logged
> out of all services if they log out from one. This opinion is changing
> especially among the users who are managers.
>
> We did not change any attributes from the default Unity config. Can you
> give us a hint which attributes must be configured to perform SLO? Of
> course we must configure the SLO endpoints of the accepted SPs. The SLO
> endpoints of the upstream IdPs should be fetched from the metadata
> file, if they are provided within. Is this assumption correct?
> Besides this, do we only need to configure
> - unity.saml.requester.sloPath=/SLO-WEB
> - unity.saml.requester.sloRealm=defaultRealm
>
> I guess unityServer.core.logoutMode is only for clicking on the logout
> button in Unity. But also here we noticed that using the default value
> internalAndSyncPeers doesn't log you out from the IdP. But maybe this is
> also not working because we did not enable SLO.

That's a hard question, as you have a proxy, and SLO may mean many things in the case of a proxy.

So first the global parameter: it rules what happens when there is any logout in Unity. It can be triggered in one of Unity's UIs (e.g. home) or via API (currently only the SAML endpoint offers that). So it can be no-SLO (just kill the local session) or SLO (kill the local session and trigger logouts of all peers that support SLO; again, only supported for SAML).

So everything more that you need to configure is the proper endpoints: of the SAML SPs (that you want to log out from Unity), of the Unity IdP (so that SAML SPs relying on Unity can request logout) and of the external IdPs (so that Unity can log out upstream IdPs). You can enable this little by little and test, which I strongly suggest. Also pay attention to your configuration of realms: SLO never crosses a realm's boundary.

This is still pretty valid, although it does not mention configuration via the Console UI: https://www.unity-idm.eu/documentation/unity-1.9.0/saml-howto.html#_using_single_logout_slo

Best,
Krzysztof
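The rules Krzysztof lays out above (every logout kills the local session; peers are contacted only in the "AndSyncPeers"/"AndAsyncPeers" modes, only if they published an SLO endpoint, and never across a realm boundary) are easy to get wrong when reasoning about a proxy. The following is an added illustration written for this page, not Unity's own code: it models a proxy session with downstream SPs and an upstream IdP, plans which SAML 2.0 LogoutRequests the proxy would emit for each value of unityServer.core.logoutMode, and builds/parses those messages with the standard library. The three mode names are taken from Unity's documentation as I recall it (the thread itself only names internalAndSyncPeers); entity IDs, endpoints and the sample session are constructed, and the requests are left unsigned, which a real deployment would not do.

```python
"""Toy model of single logout (SLO) fan-out at a SAML proxy IdP such as Unity."""
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Values of unityServer.core.logoutMode (assumption: names recalled from Unity's manual;
# the mailing-list thread only mentions the default, internalAndSyncPeers).
LOGOUT_MODES = ("internalOnly", "internalAndSyncPeers", "internalAndAsyncPeers")


@dataclass(frozen=True)
class Peer:
    """A SAML peer the proxy has a live session with: a relying SP or an upstream IdP."""
    entity_id: str
    realm: str                    # Unity realm the peer's endpoint is bound to
    slo_endpoint: Optional[str]   # SingleLogoutService location from metadata, None if absent


@dataclass
class ProxySession:
    name_id: str
    realm: str
    peers: List[Peer]


def build_logout_request(issuer: str, destination: str, name_id: str, session_index: str) -> str:
    """Serialise a SAML 2.0 LogoutRequest (unsigned here; a real IdP signs it)."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def parse_logout_request(xml: str) -> dict:
    """Extract the fields a receiving peer needs to locate and terminate its session."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
    }


def plan_logout(session: ProxySession, mode: str, proxy_entity_id: str,
                session_index: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (local_session_killed, [(peer_entity_id, LogoutRequest xml), ...]).

    The local session is always killed. Peers are contacted only outside internalOnly,
    only when they published an SLO endpoint, and never across a realm boundary.
    """
    if mode not in LOGOUT_MODES:
        raise ValueError(f"unknown logoutMode {mode!r}")
    requests = []
    if mode != "internalOnly":
        for peer in session.peers:
            if peer.realm != session.realm:
                continue            # SLO never crosses a realm's boundary
            if not peer.slo_endpoint:
                continue            # peer without SLO endpoint cannot be logged out
            requests.append((peer.entity_id,
                             build_logout_request(proxy_entity_id, peer.slo_endpoint,
                                                  session.name_id, session_index)))
    return True, requests


# Constructed sample: a session in defaultRealm with two downstream SPs, one upstream IdP,
# and one SP bound to another realm. All identifiers are hypothetical.
SAMPLE_SESSION = ProxySession(
    name_id="user@example.org",
    realm="defaultRealm",
    peers=[
        Peer("https://sp1.example.org/saml", "defaultRealm", "https://sp1.example.org/saml/slo"),
        Peer("https://sp2.example.org/saml", "defaultRealm", None),
        Peer("https://idp.example.org/saml", "defaultRealm", "https://idp.example.org/saml/slo"),
        Peer("https://sp3.example.org/saml", "otherRealm", "https://sp3.example.org/saml/slo"),
    ],
)

if __name__ == "__main__":
    for mode in LOGOUT_MODES:
        _, reqs = plan_logout(SAMPLE_SESSION, mode, "https://unity.example.org/saml-idp", "sess-1")
        print(mode, "->", [entity for entity, _ in reqs])
```

Running it shows that with internalOnly nothing leaves the proxy, while the two peer-contacting modes reach sp1 and the upstream IdP only: sp2 is skipped because its metadata carries no SingleLogoutService, and sp3 because it lives in a different realm. That is exactly the situation Sander describes, where a default of internalAndSyncPeers still did not log the user out upstream: the mode enables fan-out, but a peer with no configured SLO endpoint in the same realm is silently left alone.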