mahara-contributors team mailing list archive
Message #45090
[Bug 1693426] Re: Destroy mahara session when Single Logout is initiated by IdP
** Changed in: mahara/17.10
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1693426
Title:
Destroy mahara session when Single Logout is initiated by IdP
Status in Mahara:
Fix Released
Status in Mahara 17.04 series:
Fix Released
Status in Mahara 17.10 series:
Fix Released
Bug description:
For our Single Sign-on implementation, we encountered this bug where
the Mahara session is not destroyed for logouts initiated by another SP.

For example, consider a scenario where two applications, Mahara (SP1)
and Moodle (SP2), are set up as service providers and connected with
an IdP. When a user logs out from Moodle (SP2) it sends a logout request
to the IdP and from there the IdP sends a logout request to Mahara (SP2),
which supports SLO.

After receiving the logout request from the IdP, Mahara destroys the
simplesamlphp session but not the Mahara session. As a result, a user is
still logged on to Mahara even though the local simplesamlphp session and
IdP sessions are destroyed!

We investigated this issue and fixed it using a hack which also destroys
the Mahara session. We will be submitting a patch via Gerrit for
review. This is not a perfect solution, as we believe there should be
other ways to do this perfectly, e.g. first destroy the simplesamlphp
session, confirm that we are logged out from the IdP and then destroy
the Mahara session.

This doesn't happen when logout is initiated from Mahara (SP2) as it
first destroys the Mahara session and thereafter the simplesamlphp session.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1693426/+subscriptions
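
The session gap described in the bug report above, as an added illustration that is not part of the original message and is not Mahara or SimpleSAMLphp code. It is a small Python model, with hypothetical names and constructed session IDs, of an SP that keeps a SAML-library session and an application session, showing the reported behaviour, the behaviour when both are destroyed, and an audit for application sessions left without a SAML session.

```python
# Added illustration: a minimal model, not Mahara or SimpleSAMLphp code.
# All class, method and session names here are hypothetical.

class ServiceProvider:
    """An SP that keeps two session layers per browser session ID."""

    def __init__(self, destroy_app_session_on_slo):
        self.destroy_app_session_on_slo = destroy_app_session_on_slo
        self.saml_sessions = {}   # session ID -> user (SAML library layer)
        self.app_sessions = {}    # session ID -> user (application layer)

    def login(self, sid, user):
        # SSO login creates both layers.
        self.saml_sessions[sid] = user
        self.app_sessions[sid] = user

    def is_logged_in(self, sid):
        # The application only consults its own session layer.
        return sid in self.app_sessions

    def sp_initiated_logout(self, sid):
        # Order from the report: application session first, then SAML session.
        self.app_sessions.pop(sid, None)
        self.saml_sessions.pop(sid, None)

    def idp_initiated_logout(self, sid):
        # Logout request relayed by the IdP on behalf of another SP.
        self.saml_sessions.pop(sid, None)
        if self.destroy_app_session_on_slo:
            self.app_sessions.pop(sid, None)

    def orphaned_app_sessions(self):
        # Audit: application sessions with no backing SAML session.
        return sorted(set(self.app_sessions) - set(self.saml_sessions))


def run_scenario(destroy_app_session_on_slo):
    sp = ServiceProvider(destroy_app_session_on_slo)
    sp.login("sid-alice", "alice")        # constructed sample values
    sp.login("sid-bob", "bob")
    sp.idp_initiated_logout("sid-alice")  # alice logged out at the other SP
    sp.sp_initiated_logout("sid-bob")     # bob logged out locally
    return sp.is_logged_in("sid-alice"), sp.orphaned_app_sessions()


if __name__ == "__main__":
    print("app session kept on SLO:     ", run_scenario(False))
    print("app session destroyed on SLO:", run_scenario(True))
```

The orphaned-session audit is the piece worth keeping as a regression check: any application session that outlives its SAML session indicates a logout path that cleared only one layer.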