Terminate session if user does not accept terms&conditions
cantor.2 at osu.edu
Thu Jun 10 16:40:36 UTC 2021
On 6/10/21, 11:42 AM, "users on behalf of Oluf Færø" <users-bounces at shibboleth.net on behalf of ofa at klintra.fo> wrote:
> So the Shibboleth IDP establishes a valid IDP session as soon as the authentication is successful. The post-authentication terms-interceptor does not modify this session state.
Not generally, no. Restarting back at the authentication step is possible, but the ToU flow cannot do that, it wasn't designed with that in mind. And there are no supported mechanisms for just ending the request while not preserving the session. I'm not saying it's crazy, I'm saying it's not supported.
> Therefore in the terms-screen I think it is reasonable to present the user with two options. Either the terms are
> accepted or the user must log-out (HTTP GET request to /profile/Logout) to terminate the session. I do not see
> the reason why the IDP should maintain the IDP session if the user rejects the terms.
Once the final rejection page is displayed it could be altered to do a client-side forward automatically to a logout, though that's certainly not foolproof of course.
Nothing with shared machines is anything other than an attack waiting to happen. The problems are enormous. Shared machines are fundamentally unusable without significant risk and accommodations, as Peter said. Those are the solutions, and they're necessary whether you use this feature or not.
> What should be the reason to keep the IDP session alive if the user has rejected the terms ?
I don't recall what the reason was for building that flow or who wanted it, but it gets very little use as far as I know, and it's not at the forefront of much thinking about how the IdP works. But how it works is how it works, so I'm simply answering your question.