Red Hat Bugzilla – Bug 969886
Signing out from Katello does not sign current user from Foreman
Last modified: 2014-01-16 16:16:51 EST
Description of problem:
I've been playing with adding new users and checking if they can log in successfully to both Katello and Foreman (SSO enabled) and I noticed that signing out from Katello does not sign the current user out of Foreman (and vice-versa). I'm not sure if this is by design but imvho this is very confusing to the end user.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Make sure to have at least 2 valid users created via the Katello UI and that one of them is the administrator
2. Log in to the Katello UI as the admin user
3. Proceed to navigate to Foreman via the Provisioning link (you should be logged in as the same administrator user)
4. Navigate back to Katello via the Content link and log out
5. Immediately log in as the other non-administrator user
6. Proceed to navigate to Foreman via the Provisioning link
Once in the Foreman UI you will see that the administrator user is still logged in
Signo should automatically sign out users from both Katello and Foreman
This is intentional. Imagine a situation where you work on both systems at the same time. You have filled a form with a lot of inputs in Foreman, then in a second tab you log out from Katello. If you switched back to Foreman and submitted the form you'd lose all data from the form and you would not even know why. I think that would be more confusing.
I think most or all SSO systems work like this. E.g. when you use OpenID providers, logging out from one application does not destroy your session on all other systems.
This appears to be a security hardening issue and not a security vulnerability (e.g. there is no need for a CVE/etc.). This issue should probably be fixed as security hardening, my main concern would be if someone finds a CSRF vuln in the product they could then leverage this potentially to gain access/execute commands/etc.
We should also document this to ensure there are no unexpected surprises for end users.
Also should there be a "log out all my sessions" option like I have seen a number of SSO providers give so that people can force a complete log out if they are worried that someone has used this to gain access/etc. (combined with a password change and so on).
Also moving this bug back to being public.
Adding support for logging a user out from all systems would currently require one change - sessions would have to be stored on the server in Katello. Then Signo could store a list of all applications the user was logged into and then enforce logout. It seems like an RFE more than a bug to me. Another way (but it looks hackish to me since apps can have some logout hooks) would be just to delete cookies for all apps. This would not require changes in Katello. And this would be another limitation for using the same domain for all systems.
Also the question is, where should this "log out all my sessions" option be? Only in the Signo UI which is usually not displayed to the end user (just for the login form) or in Foreman and Katello? I still find it more confusing :-)
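The server-side design sketched in the comment above (the SSO layer keeping a record of every application session a user obtained, so one logout can revoke all of them), as an added Ruby sketch that is not Signo, Katello or Foreman code; the `SsoBroker` class, its method names and the per-application token scheme are assumptions made for illustration:

```ruby
require 'securerandom'

# Constructed model of an SSO broker in the role Signo plays for Katello and
# Foreman. Sessions live on the server, so the broker can distinguish the
# local logout reported in this bug from a "log out all my sessions" action.
class SsoBroker
  def initialize
    @sso_sessions = {} # sso_token => { user: name, apps: { app => app_token } }
    @app_sessions = {} # app => { app_token => user }
  end

  # User authenticates once at the broker and receives an SSO token.
  def login(user)
    token = SecureRandom.hex(16)
    @sso_sessions[token] = { user: user, apps: {} }
    token
  end

  # An application ("katello", "foreman") redeems the SSO token for its own
  # session token; the broker records which app the user is now logged into.
  def app_login(sso_token, app)
    entry = @sso_sessions[sso_token] or return nil
    app_token = SecureRandom.hex(16)
    entry[:apps][app] = app_token
    (@app_sessions[app] ||= {})[app_token] = entry[:user]
    app_token
  end

  # Who does the application think holds this session? nil when revoked.
  def app_user(app, app_token)
    @app_sessions.dig(app, app_token)
  end

  # Local logout: only this application's session ends; the other app keeps
  # its session, which is the behaviour described in the bug report.
  def app_logout(app, app_token)
    @app_sessions[app]&.delete(app_token)
  end

  # Single logout: revoke the SSO session and every app session it produced.
  # Returns the names of the applications that were logged out.
  def logout_everywhere(sso_token)
    entry = @sso_sessions.delete(sso_token) or return []
    entry[:apps].each { |app, app_token| @app_sessions[app].delete(app_token) }
    entry[:apps].keys
  end
end
```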
*** Bug 1010042 has been marked as a duplicate of this bug. ***
We can CLOSED:WONTFIX this since Signo is going away with the engine-ification of Katello
removing signo component and moving these bugs to 'Infrastructure'