The final piece missing from this module, in my opinion, is an option to log the user out locally in Drupal but not globally from SAML.
This patch touches on several files.
simplesamlphp_auth.admin.inc: new option (checkbox) in the admin form to allow users to log out locally only
simplesamlphp_auth.module: registers a menu item with user_logout_local callback function and an access callback function to display the link in the user menu only if the user is logged in AND the admin form checkbox is checked.
simplesamlphp_auth.pages.inc: the callback function user_logout_local mimics the core user_logout function but sets a property on the $user object ($user->SAML_local_logout = TRUE;) that can be used in the simplesamlphp_auth_user_logout function to determine whether to log out globally or locally only.
Comment | File | Size | Author |
---|---|---|---|
#2 | simplesamlphp_auth_display_local_logout_link-2360673-2.patch | 1.95 KB | pcambra |
#1 | simplesamlphp_auth_display_local_logout_link-2360673-1.patch | 3.37 KB | odegard |
Comments
Comment #1
odegard commented:
Patch
Comment #2
pcambra commented:
I am in need of such a feature too. The use case is that the Drupal system uses an SSO SAML service and we don't really want to log the users out from the federated systems (there's a specific procedure for that), but only the Drupal one.
The solution in #1 adds a key to the user. I'd say that a setting at the module level is enough and would avoid adding arbitrary data to the user object, as in D8 this won't be trivial to do.
Here's a patch with a much simpler solution.
Comment #3
Anonymous (not verified) commented:
+1 for this, but for a slightly different reason: Just discovered that a 'local Drupal user' (no SAML auth) can't log back into a site after logging out, until cookies are cleared.
The issue seems to be that the session is not properly cleared (#2377727 ?), so an invalid session cookie is used after logging back in.
User gets an access denied after logging in again, because the old session is used (?)
This patch, whilst it sort of short-circuits SAML logout for other reasons, solves that issue for local-only auth.
Comment #4
roland.ohl@gmx.de commented:
We need this issue as well. We built a site for our company and use our company's SSO to log in to the site.
However, on logout, we don't want to log out from the company's SSO as well. So we want to do only a local logout.
We solved this by overwriting the code that does the (global) logout.
The following change would, in our opinion, be a solution to do this in the module:
1. Add a configuration entry to switch between Local and Identity Provider logout.
2. When Local Logout is set, the SimplesamlphpAuthManager should not logout via the IDP but only locally.