Dashboard logout URL is default even when using external IDP, SAML, cannot be modified
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard Charm | In Progress | Undecided | Alexander Litvinov |
Bug Description
When using external IDP and having relation with keystone-SAML mellon,
openstack dashboard would still have a default logout URL generated.
<a href="/
Sign Out
</a>
(sp-metadata file would have a different URL /auth/mellon/
So if the user clicks logout - session cookies are not cleaned.
The next time when login with external IDP is selected - user could login without password prompt.
Looking at the code, it looks like if those 3 variables are passed then a redirect could happen to a custom LOGOUT_URL
WEBSSO_ENABLED
WEBSSO_
WEBSSO_
mod_auth_mellon supports both IdP-initiated and SP-initiated logout through the same endpoint. The endpoint is located at "/logout". "/logoutRequest" is an alias for this endpoint, provided for compatibility with version 0.0.6 and earlier of mod_auth_mellon.
To initiate a logout from your web site, you should redirect or link to "/logout?
<a href="/
https:/
Changed in charm-openstack-dashboard:
assignee: nobody → Alexander Litvinov (alitvinov)
I think this might be handled by the charm by passing WEBSSO_DEFAULT_REDIRECT_LOGOUT with ?ReturnTo=URL back to /auth/logout.
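
An added example (not code from the charm, Horizon, or the commenters above): one way to build the value suggested in the last comment, with `ReturnTo` percent-encoded and restricted to an allow-listed https host so the logout link cannot become an open redirect. The host names, the `MELLON_ENDPOINT` path and the helper names are constructed placeholders; only `WEBSSO_ENABLED`, `WEBSSO_DEFAULT_REDIRECT_LOGOUT`, `/logout`, `ReturnTo` and `/auth/logout` come from the page, and the third setting, whose name is truncated above, is not filled in.

```python
from urllib.parse import urlencode, urlsplit

# Constructed placeholders: the real values come from the deployment's
# sp-metadata file and dashboard hostname, which this page does not give.
MELLON_ENDPOINT = "https://keystone.example.test/MELLON_ENDPOINT_PATH"
DASHBOARD_LOGOUT = "https://dashboard.example.test/auth/logout"
ALLOWED_RETURN_HOSTS = {"dashboard.example.test"}


def build_websso_logout_url(mellon_endpoint, return_to, allowed_hosts):
    """Return <mellon_endpoint>/logout?ReturnTo=<return_to>, percent-encoded.

    Rejects a ReturnTo that is not https or whose host is not allow-listed,
    so the rendered logout link cannot be used as an open redirect.
    """
    target = urlsplit(return_to)
    if target.scheme != "https" or target.hostname not in allowed_hosts:
        raise ValueError("ReturnTo must be https on an allowed host: %r" % return_to)
    query = urlencode({"ReturnTo": return_to})  # encodes ':' and '/' as well
    return mellon_endpoint.rstrip("/") + "/logout?" + query


def dashboard_websso_settings(mellon_endpoint, return_to, allowed_hosts):
    """Hypothetical helper: the settings a charm template could render."""
    return {
        "WEBSSO_ENABLED": True,
        "WEBSSO_DEFAULT_REDIRECT_LOGOUT": build_websso_logout_url(
            mellon_endpoint, return_to, allowed_hosts
        ),
    }


if __name__ == "__main__":
    rendered = dashboard_websso_settings(
        MELLON_ENDPOINT, DASHBOARD_LOGOUT, ALLOWED_RETURN_HOSTS
    )
    for name, value in rendered.items():
        print("%s = %r" % (name, value))
```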