Guacamole / GUACAMOLE-680

Ensure logout works as expected when using SSO


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.4.0
    • Component/s: guacamole
    • Labels: None

    Description

      Guacamole's current logout behavior can be problematic when Guacamole is configured for SSO (via SAML, CAS, OpenID, etc.):

      • A reauthentication attempt is made automatically after logout. For non-SSO authentication methods, this results in a login screen prompting for the credentials requested by the authentication failure. For SSO, this reauthentication attempt is often simply successful (the user is still signed in with the IdP), with logout then appearing as if it had no effect.
      • For single logout to be implemented (GUACAMOLE-361, GUACAMOLE-519, GUACAMOLE-1266), the client side of the web application may need to reach out to the IdP to handle the non-Guacamole part of the logout process. This cannot occur if the client side of the webapp has already reset its own state in order to force reauthentication.

      Rather than immediately reset state and reauthenticate, Guacamole should simply clean up the current session and notify the user that logout was successful. This avoids the issue where users are immediately signed back in via their IdP, and allows for future single logout implementations to rely on being able to hook into the logout process on the client side.
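
The two logout behaviors contrasted above, as an added example that is not Guacamole's code: a constructed model of a web application in front of an IdP, showing why reset-and-reauthenticate silently signs the user back in while clean-up-and-notify does not. All class, method and hook names (`MockIdP`, `WebApp`, `logoutHooks`, `simulate`) are hypothetical.

```javascript
// Constructed model, not Guacamole code. All names here are hypothetical.
class MockIdP {
    constructor() { this.signedIn = new Set(); }
    signIn(user) { this.signedIn.add(user); }
    signOut(user) { this.signedIn.delete(user); }
    // SSO: a user with a live IdP session is asserted without any prompt
    assertIdentity(user) { return this.signedIn.has(user); }
}

class WebApp {
    constructor(idp) {
        this.idp = idp;
        this.token = null;       // current webapp session token
        this.view = 'login';     // what the user sees
        this.logoutHooks = [];   // client-side hooks run during logout
    }
    authenticate(user) {
        const ok = this.idp.assertIdentity(user);
        this.token = ok ? 'token-for-' + user : null;
        this.view = ok ? 'home' : 'login';
        return ok;
    }
    // Behavior described as problematic: reset state, then reauthenticate
    logoutAndReauthenticate(user) {
        this.token = null;
        return this.authenticate(user); // succeeds while the IdP session lives
    }
    // Proposed behavior: clean up the session, run hooks, notify the user
    logoutAndNotify(user) {
        this.token = null;
        this.logoutHooks.forEach(hook => hook(user));
        this.view = 'logged-out';
        return false;
    }
}

// Sign a constructed user in, log out with the given strategy, report state
function simulate(strategy, withSingleLogoutHook) {
    const idp = new MockIdP();
    const app = new WebApp(idp);
    idp.signIn('alice');
    app.authenticate('alice');
    if (withSingleLogoutHook)
        app.logoutHooks.push(user => idp.signOut(user));
    app[strategy]('alice');
    return { view: app.view, hasToken: app.token !== null,
             idpSession: idp.assertIdentity('alice') };
}
```

`simulate('logoutAndNotify', false)` leaves the IdP session alive, which is the gap a single logout hook closes.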

      Attachments

        1. you-have-been-logged-out.png
          7 kB
          Mike Jumper

            People

              mjumper Mike Jumper
              vnick Nick Couchman
              Votes: 10
              Watchers: 10
