
It was required that my application uses an SSO service called Shibboleth. So I used the existing shibboleth-bundle. Things have changed and we need to add a form authentication method for the user. So I decided to implement Shibboleth authentication with the new Guard Component (see ShibbolethGuardBundle).

I found a problem during the development. Symfony calls the ShibbolethAuthenticator methods at the first request, creates a token and never calls any ShibbolethAuthenticator method on later requests. That means, if the Shibboleth session ends, the user is still authenticated using the Symfony session.

This is also a problem if you want to implement a token authentication. The user only needs to send the token at the first request. Any other request is authenticated by the session.

This problem also exists with other SSO services. If you log out of Facebook, you want to be logged out of any website that uses Facebook authentication. But if you implemented this with Guard, you still have a valid session after logging out of Facebook.

I found a quick solution by checking whether the Shibboleth header variables are set in my UserProvider on every request. If they are missing, an Exception is thrown and my ExceptionListener redirects to the login page.

I think this is not a good solution, because the ShibbolethGuardBundle should handle this problem. Does anyone have an idea how I could solve this in a more appropriate way?

Gottlieb Notschnabel
  • Have a look at [simplesamlphp](https://github.com/simplesamlphp/simplesamlphp) and the [SimplesamlphpBundle](https://github.com/hslavich/SimplesamlphpBundle). simplesamlphp is a very common PHP based SAML library. – Gottlieb Notschnabel Oct 28 '16 at 10:12
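The per-request check the question describes, written out as an added example (it is not code from ShibbolethGuardBundle or the shibboleth-bundle). It assumes the Shibboleth SP exposes its session as server variables named `Shib-Session-ID` and `eppn`; with `ShibUseHeaders On` they arrive as HTTP headers instead and the lookup must use `$request->headers`. Throwing `UsernameNotFoundException` from `refreshUser()` makes Symfony's ContextListener discard the session token, so the next protected request goes back through the Guard entry point instead of riding on a stale application session.

```php
<?php
// Added example, not part of any bundle: a user provider that re-validates the
// Shibboleth SP session on every request instead of trusting the Symfony session.
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class ShibbolethSessionUserProvider implements UserProviderInterface
{
    private $requestStack;

    public function __construct(RequestStack $requestStack)
    {
        $this->requestStack = $requestStack;
    }

    public function loadUserByUsername($username)
    {
        $request = $this->requestStack->getCurrentRequest();
        // Assumed SP variable names; adjust to your attribute-map.xml.
        $sessionId = $request ? $request->server->get('Shib-Session-ID') : null;
        $eppn = $request ? $request->server->get('eppn') : null;

        // Only trust the username while the SP session is alive and still
        // belongs to the same principal.
        if (!$sessionId || $eppn !== $username) {
            throw new UsernameNotFoundException(
                sprintf('No active Shibboleth session for "%s".', $username)
            );
        }

        return new User($username, '', array('ROLE_USER'));
    }

    // Called by the firewall's ContextListener on every request that carries a
    // session token. A UsernameNotFoundException here drops the token, so a
    // Symfony session cannot outlive the Shibboleth session that created it.
    public function refreshUser(UserInterface $user)
    {
        if (!$this->supportsClass(get_class($user))) {
            throw new UnsupportedUserException();
        }

        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass($class)
    {
        return User::class === $class;
    }
}
```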

1 Answer


The way I see it, authenticating the first time and sending the user data is to either create a user object or sign it in for that website. After that, you have a session with Site A, using data from the SSO service; I think that's the intended behaviour. It is not to sync logins/logouts with the SSO service.

One workaround: in http://romain.pechayre.me/blog/2015/06/26/single-sign-out-problem/ it is described how Google might handle this (not sure if this is still current, but it's still relevant to your question):

> When signing out from gmail a few days ago, I noticed my browser visited blogger.com for 0.5 second. I went back to blogger.com and realized I was logged out. Same on youtube.com. [...] The main idea is that the browser actually visits all website from Google on which I have the session and closes the session on all of them. [...] The main reason why signing out from several websites in one click is not well documented is because it is not a very common situation. When this problem arises it is probably fixed using a custom, in-house implementation.

Oliver Adria