From ba13c849f0b4efbe35cb3bc5e61e5e202d61db9b Mon Sep 17 00:00:00 2001
From: Mike Rylander
Date: Fri, 9 Sep 2022 12:40:47 -0400
Subject: [PATCH] LP#1989209: SSO Shibboleth logout/re-login
When using Shibboleth for SSO, and global logout is disabled, logging in after logout on the same computer can fail with a 404-Not Found. The problem is that we need to ignore our local "don't trust Shibboleth login" cookie in this situation. This change also means we need to delegate SP logout, in addition to possible IdP and/or global logout, to the Shibboleth configuration. Therefore we always redirect to the Shibboleth logout service on Evergreen logout (when Shibboleth SSO is enabled), and SP, IdP, and global logout is configured and mediated by the Shibboleth and IdP configuration. This commit modifies the meaning of the opac.login.shib_sso.logout YAOUS such that it is only used to decide if Evergreen timeout-forced logouts will cause a Shibboleth logout as well. All user-initiated logouts will now inform Shibboleth, and the Shibboleth configuration will determine the SSO logout degree (SP, IdP, global). See details at https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072384/NativeSPLogoutInitiator and the simpler configuration option of https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072434/NativeSPServiceLogout for information on the Shibboleth configuration required for your local needs.
Signed-off-by: Mike Rylander
Signed-off-by: Jason Boyer
Signed-off-by: Galen Charlton
---
 Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
index e94b829344..fab9dd6a6e 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
@@ -575,8 +575,9 @@ sub load_login {
     $self->timelog("SSO is enabled") if ($sso_enabled);
     if ($sso_enabled and $sso_user_match_value = $ENV{$sso_shib_match}
-        and !$self->cgi->cookie(COOKIE_SHIB_LOGGEDOUT)
+        and (!$self->cgi->cookie(COOKIE_SHIB_LOGGEDOUT) or $self->{_ignore_shib_logged_out_cookie})
     ) { # we have a shib session, and have not cleared a previous shib-login cookie
+        $self->{_ignore_shib_logged_out_cookie} = 0; # only set by an intermediate call that internally redirected here
         $self->timelog("Have an SSO user match value: $sso_user_match_value");
         if ($sso_eg_match eq 'barcode') { # barcode is special
@@ -730,7 +731,10 @@ sub load_manual_shib_login {
     my $sso_entity_id = $self->ctx->{get_org_setting}->($sso_org, 'opac.login.shib_sso.entityId');
     my $sso_shib_match = $self->ctx->{get_org_setting}->($sso_org, 'opac.login.shib_sso.shib_matchpoint') || 'uid';
-    return $self->load_login if ($ENV{$sso_shib_match});
+    if ($ENV{$sso_shib_match}) {
+        $self->{_ignore_shib_logged_out_cookie} = 1;
+        return $self->load_login;
+    }
     my $url = '/Shibboleth.sso/Login?target=' . ($redirect_to || $self->ctx->{home_page});
     if ($sso_entity_id) {
@@ -763,7 +767,10 @@ sub load_logout {
     my $sso_enabled = $self->ctx->{get_org_setting}->($sso_org, 'opac.login.shib_sso.enable');
     my $sso_entity_id = $self->ctx->{get_org_setting}->($sso_org, 'opac.login.shib_sso.entityId');
     my $sso_logout = $self->ctx->{get_org_setting}->($sso_org, 'opac.login.shib_sso.logout');
-    if ($sso_enabled && $sso_logout) {
+
+    # If using SSO, and actively logging out of EG /or/ opac.login.shib_sso.logout is true then
+    # log out of the SP (and, depending on Shib config, maybe the IdP or globally).
+    if ($sso_enabled and ($sso_logout or $active_logout)) {
         $redirect_to = '/Shibboleth.sso/Logout?return=' . ($redirect_to || $self->ctx->{home_page});
         if ($sso_entity_id) {
             $redirect_to .= '&entityID=' . $sso_entity_id;
-- 
2.11.0
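Review bot: The one-shot flag is only cleared when the Shibboleth branch is actually entered; if `$sso_enabled` is false or `$ENV{$sso_shib_match}` is empty at this point, `$self->{_ignore_shib_logged_out_cookie}` stays set on the loader object for as long as it lives, and the comment on the added reset line speaks of an "internal redirect" although load_manual_shib_login (second hunk) calls load_login directly. Consuming the flag before the condition fixes both: `my $ignore_logged_out_cookie = delete $self->{_ignore_shib_logged_out_cookie};` above the `if`, then `and (!$self->cgi->cookie(COOKIE_SHIB_LOGGEDOUT) or $ignore_logged_out_cookie)` in the condition, with the reset inside the block dropped. Since this cookie is, per the commit message, what stops a lingering SP session from silently logging the user back in after an Evergreen-only logout, the comment should state when bypassing it is legitimate, e.g. `# set by load_manual_shib_login: the user explicitly asked to log in via Shibboleth, so a stale "logged out" cookie must not block it`. load_login starts before and continues past this hunk.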
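Review bot: Passing a one-shot option to load_login through a private key on `$self`, set on one line and consumed by a method called on the next, hides the contract from anyone reading load_login on its own. Whichever way the flag is reset, an explicit argument keeps it visible at the call site: `return $self->load_login(ignore_shib_logged_out_cookie => 1);` with load_login unpacking `my ($self, %opts) = @_;` — assuming load_login takes no positional arguments today, which this hunk does not show. load_manual_shib_login begins before this hunk.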
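Review bot: `$redirect_to` (or `$self->ctx->{home_page}`) is concatenated into the `return=` query parameter of the Shibboleth logout URL without URI-encoding, and the new condition makes that line run on every user-initiated logout rather than only when the logout setting is on. `$redirect_to` is assigned outside this hunk, so I cannot tell where it comes from; if it can carry `&` or `#`, the SP will see extra or truncated parameters and the `&entityID=` appended below may be dropped, so encode it — `'/Shibboleth.sso/Logout?return=' . uri_escape($redirect_to || $self->ctx->{home_page})` if the file already imports URI::Escape — and the same applies to the Login URL in load_manual_shib_login's context lines. The `/or/` in the new comment reads oddly; `# If SSO is in use and this is an active EG logout, or opac.login.shib_sso.logout is set, log out of the SP (and, per Shib config, maybe the IdP or globally).` says the same thing plainly. `$active_logout` is defined above this hunk, and load_logout continues past it.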