Opened 2 years ago
Last modified 2 years ago
#1421 new defect
Use Shibboleth info instead of MAKACSESSION in SSO auth
| Reported by: | pferreir | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | v2.1 |
| Component: | Security | Version: | 0.97.0 |
| Keywords: | MAKACSESSION authentication shibboleth | Cc: | |
Description (last modified by pferreir)
Indico currently suffers from a security issue:
- Log in to Indico (through SSO)
- Log in to another SSO service
- Log out from said SSO service (one would expect to be logged out from all SSO services, including Indico)
- Go back to Indico, still logged in
This is misleading for users, and can be problematic. The problem is that the authentication process is made in the following way:
- Indico redirects user to SSO for login
- User logs in
- SSO redirects user to Indico, along with authentication tokens
- Shibboleth parses tokens and provides Indico with user info
- Indico attributes MAKACSESSION token to current session
The last step should be avoided, since it introduces the problem of revoking MAKACSESSION as soon as the current session doesn't possess a Shibboleth identity.
So, we should deal with the information that is provided by the authentication mechanism, instead of delegating identity into MAKACSESSION (in SSO auth).
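The two ways of resolving the current user that the ticket contrasts, as an added example that is not Indico's own code. It assumes the Shibboleth SP exports the user identifier as `REMOTE_USER` in the WSGI environ and stops doing so once the SSO session is gone; the Indico session is modelled as a plain dict.

```python
# Added example (not Indico's code): 'before' trusts the MAKACSESSION token set at
# SSO login time; 'after' re-reads the Shibboleth identity on every request.
# Assumption: the Shibboleth SP exposes the user id as REMOTE_USER in the environ.
from typing import Optional

SSO = "sso"


def sso_login(environ: dict, session: dict) -> Optional[str]:
    """Complete an SSO login: Shibboleth has parsed the tokens and exposes the identity."""
    user = environ.get("REMOTE_USER")
    if not user:
        return None
    session["auth"] = SSO
    session["sso_user"] = user
    # Step the ticket objects to: Indico also attributes a MAKACSESSION token.
    session["MAKACSESSION"] = user
    return user


def current_user_legacy(session: dict) -> Optional[str]:
    """'Before': trust MAKACSESSION alone, so an SSO logout is never noticed."""
    return session.get("MAKACSESSION")


def current_user(environ: dict, session: dict) -> Optional[str]:
    """'After': for SSO sessions the identity must come from the Shibboleth
    attributes of this request; if they are missing or differ, revoke the session."""
    if session.get("auth") != SSO:
        return session.get("MAKACSESSION")  # local-account sessions are unchanged
    shib_user = environ.get("REMOTE_USER")
    if not shib_user or shib_user != session.get("sso_user"):
        session.clear()  # no (matching) Shibboleth identity any more: log out
        return None
    return shib_user


def demo() -> dict:
    """Walk through the ticket's scenario and report what each approach answers."""
    session: dict = {}
    sso_login({"REMOTE_USER": "alice"}, session)  # constructed sample identity
    after_logout: dict = {}  # next request: SSO logout removed the Shibboleth attributes
    return {
        "legacy": current_user_legacy(session),       # 'alice': still logged in
        "shib": current_user(after_logout, session),  # None: session revoked
        "session_cleared": session == {},
    }
```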
Change History (2)
comment:1 Changed 2 years ago by pferreir
- Description modified (diff)
comment:2 Changed 2 years ago by pferreir
- Description modified (diff)
- Summary changed from Use Shibboleth info instead of MAKACSESSION to Use Shibboleth info instead of MAKACSESSION in SSO auth