[Freeipa-users] FreeIPA WebUI Logout logs back in

Petr Vobornik pvoborni at redhat.com
Wed Apr 29 11:57:51 UTC 2015


On 04/29/2015 01:42 PM, Christopher Lamb wrote:
> Hi Petr
>
> thanks.
>
> Can you qualify "has a valid Kerberos Ticket"?
>
> In my case, my user has a valid ticket on the LDAP server, but not on the
> OSX workstation from which I am using Firefox / Web UI.

On the OSX workstation, if the user has a non-expired TGT ticket which 
could then be used to obtain a ticket for principal 
HTTP/myipa.my.domain@MY.REALM (IPA server API - backend of webui).

>
> Cheers
>
> Chris
>
>
>
> From:	Petr Vobornik <pvoborni at redhat.com>
> To:	dpal at redhat.com, Rob Crittenden <rcritten at redhat.com>,
>              Christopher Lamb/Switzerland/IBM at IBMCH
> Cc:	freeipa-users at redhat.com
> Date:	29.04.2015 13:27
> Subject:	Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
>
>
>
> On 04/28/2015 11:53 PM, Dmitri Pal wrote:
>> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>>> Hi All
>>>>>
>>>>> I have just tested with the FreeIPA Web UI public demo
>>>>> https://ipa.demo1.freeipa.org/ipa/ui/
>>>>>
>>>>> Using the public demo, when I log out, I get returned to the login
>>>>> screen,
>>>>> as expected. This allows me to log in with a different user.
>>>>>
>>>>> With our own installation FreeIPA, from exactly the same browser, I get
>>>>> logged straight back in to the Web UI - which makes logging out
>>>>> pointless.
>>>>>
>>>>> still confused ...
>>>> Do you have a kerberos ticket on your local system?
>>>> Do klist.
>>>> See which tickets you have.
>>>> If you have tickets do kdestroy - this will remove the ability to SSO.
>>>> If you then try to use your IPA server you will have the same experience
>>>> as with public demo.
>>> I think this is a question for Petr. On logout one should be directed to
>>> a page that doesn't require auth so it doesn't renegotiate the
>>> connection.
>>>
>>> rob
>> Petr can you reproduce this?
>>
>
> Yes.
>
> User is automatically logged back in if he has a valid Kerberos ticket.
>
> The reason is that after showing the login form, the whole UI is
> reloaded in order to forget everything in the app memory. It then
> behaves as normal access and SSO kicks in.
>
> IPA had a logout page but it was removed. One reason was that PatternFly
> says that when a session expires (which, in a way, is a logout), user
> should be presented with a login page. As we see, with SSO, the behavior
> is a little bit different and unexpected.
>
> I've created a new ticket:
>
> https://fedorahosted.org/freeipa/ticket/5008
> --
> Petr Vobornik
>
>
>
>


-- 
Petr Vobornik



