Terminate session if user does not accept terms&conditions

Cantor, Scott cantor.2 at osu.edu
Thu Jun 10 16:40:36 UTC 2021

On 6/10/21, 11:42 AM, "users on behalf of Oluf Færø" <users-bounces at shibboleth.net on behalf of ofa at klintra.fo> wrote:

>    So the Shibboleth IDP establishes a valid IDP session as soon as the authentication is successful. The post
>-authentication terms-interceptor does not modify this session state. 

Not generally, no. Restarting back at the authentication step is possible, but the ToU flow cannot do that, it wasn't designed with that in mind. And there are no supported mechanisms for just ending the request while not preserving the session. I'm not saying it's crazy, I'm saying it's not supported.

>  Therefore in the terms-screen I think it is reasonable to present the user with two options. Either the terms are
> accepted or the user must log-out (HTTP GET request to /profile/Logout) to terminate the session. I do not see
> the reason why the IDP should maintain the IDP session if the user rejects the terms. 

Once the final rejection page is displayed it could be altered to do a client-side forward automatically to a logout, though that's certainly not foolproof of course.

Nothing with shared machines is anything other than an attack waiting to happen. The problems are enormous. Shared machines are fundamentally unusable without significant risk and accommodations, as Peter said. Those are the solutions, and they're necessary whether you use this feature or not.

>    What should be the reason to keep the IDP session alive if the user has rejected the terms ?

Terms of use are per-service, not for the IdP as a whole. You could reject the terms for one service and accept them for another. That flow is NOT for some kind of "terms of use of the IdP". That's not the idea behind it.

I don't recall what the reason was for building that flow or who wanted it, but it gets very little use as far as I know, and it's not at the forefront of much thinking about how the IdP works. But how it works is how it works, so I'm simply answering your question.

-- Scott
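The client-side forward Scott mentions, written out as an added example (this is not Shibboleth project code and not the ToU flow's own view). It assumes the rejection page is an HTML view you can edit and that the logout endpoint is the /profile/Logout path quoted in the thread; the function names are made up for illustration. The forward is built from the page's own origin rather than from any request parameter, and uses `location.replace()` so the Back button does not land on a page that implies a live session.

```javascript
// Added example (not Shibboleth project code): forward a terms-rejection page
// to the IdP logout endpoint on the client side. Assumptions: the rejection
// view is under your control and the logout endpoint is /profile/Logout
// (the path named in the thread).

const LOGOUT_PATH = "/profile/Logout";

// Build the logout URL from the page's own origin and a fixed absolute path,
// so the forward can never be steered to another host (no open redirect via
// a query parameter or protocol-relative "//host" path).
function buildLogoutUrl(origin, path = LOGOUT_PATH) {
  if (!/^https?:\/\/[^/?#]+$/.test(origin)) {
    throw new Error("origin must be scheme://host[:port] with no path");
  }
  if (!path.startsWith("/") || path.startsWith("//")) {
    throw new Error("logout path must be an absolute same-origin path");
  }
  return origin + path;
}

// Schedule the forward after a short delay so the user can read the
// rejection text. Returns the target URL so a caller (or a test) can check it.
function scheduleLogoutForward(win, delayMs = 3000) {
  const target = buildLogoutUrl(win.location.origin);
  win.setTimeout(() => {
    // replace() keeps the rejection page out of history, so "Back" does not
    // return the user to a page that suggests the session is still usable.
    win.location.replace(target);
  }, delayMs);
  return target;
}

// Wire it up only when running in a real browser. For clients with scripting
// disabled, pair this with a meta refresh in the page head:
//   <meta http-equiv="refresh" content="3;url=/profile/Logout">
if (typeof window !== "undefined" && window.document) {
  scheduleLogoutForward(window);
}
```

As Scott notes, this is not foolproof: a user who closes the tab before the forward fires, or who has scripting and meta refresh disabled, still holds a live IdP session until it expires, so the server-side session timeout and the shared-machine precautions remain the real controls.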
