logout and misc Qs --shib idp

Steven Carmody Steven_Carmody at brown.edu
Mon Nov 12 14:06:42 EST 2012


On 11/6/12 10:49 AM, Cantor, Scott wrote:
> On 11/6/12 10:33 AM, "Peter Schober"<peter.schober at univie.ac.at>  wrote:
>
>> * Steven Carmody<Steven_Carmody at brown.edu>  [2012-11-06 15:34]:
>>> 1) I think a checkbox during login to bypass SSO on shared machines is a
>>> fairly crucial feature at this point to at least allow users with clue
>>> to protect themselves.
>>
>> Jfyi: https://issues.shibboleth.net/jira/browse/SIDP-289
>
> I don't think there is any clean way to do it in V2, though it's
> straightforward to do in a custom login handler when the PrevSession
> handler is turned off.
>
> There is a way I can think of to do it more generically, but it's touching
> very brittle code that I'm not going to touch. There have been too many
> regressions in that code and we're not risking more.
>

This issue came up again this morning at a meeting here; the security 
people reported a growing number of reports of people going up to public 
machines at Apple stores and finding Brown logins active .... including 
an Apple store in NYC. Geeesssshhh.

I'm wondering if there might be some way to leverage the contract work 
that Unicon did on the IDP for Wisconsin in order to achieve this 
result.... since that work added spring webflow to the IDP ....

I don't know anything about the IDP's internal software architecture...
but, charging ahead anyway -- might there be a way to use Webflow to add a
task at the end of IDP processing to disable setting the IDP session
cookie, if the box were checked on the login page? Just hoping ....


