Forums / Developer / single sign OUT

single sign OUT

Author Message

David Wirth

Tuesday 07 June 2011 11:28:20 am

Our EZP site authenticates users per an external system comprised of a database and website for managing its data. For the sake of this discussion I will refer to it as "System B." When a user logs into our EZP site our custom login handler authenticates the user and logs them into System B. I have developed an SSO handler so that when the user logs into System B and navigates to the EZP site they are logged into the EZP site. So far, so good.

When the user logs out of our EZP site our custom logout handler logs the user out of System B. There's one last piece that doesn't work as desired: When the user logs out of System B, they are not logged out of EZP.

I was originally thinking I would handle this scenario with my SSO extension but I just learned that the SSO handler apparently only executes if the user is anonymous. That means it won't work as a mechanism for checking to see if a logged-in user should be logged out of EZP.

First, is my understanding correct that an eZ login handler will only be called if a user is not logged in? If yes, what would be the appropriate way to set up a per-page-load (regardless of login status) process to authenticate against System B? I know I could just write a PHP script and call it from config.php but I am guessing there is a more elegant solution.

Brandon Chambers

Tuesday 07 June 2011 3:04:39 pm

I can't say I fully understand your requirements of elegance, but how about coding a custom template operator and drop it in pagelayout to determine if the user should be logged out? Is that what you're trying to stay away from?

What config.php are you talking about? [ezroot]/config.php? I think maybe an extension would be more suitable and more portable for you.

Hope this helps

Brandon Chambers
brandon@granitehorizon.com
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com

David Wirth

Wednesday 08 June 2011 6:36:13 am

"

I can't say I fully understand your requirements of elegance, but how about coding a custom template operator and drop it in pagelayout to determine if the user should be logged out? Is that what you're trying to stay away from?

What config.php are you talking about? [ezroot]/config.php? I think maybe an extension would be more suitable and more portable for you.

Hope this helps

"

Hmmm, I guess I was stuck in a mindset of resolving the current user before it even got to templates. Pagelayout doesn't come into play until after the module and view have been processed so, in the case of a user who should be logged out, I would have to logout the user out and then redirect back to the same requested URL so the module and view get processed with the appropriate current user. I suppose that would work, though, albeit with an added bit of server processing time. I was originally hoping I just had not yet stumbled upon something built-in with the login/sso handlers that does what I'm trying to do but I'll go ahead and try the template operator approach. Thanks.

(There's also a potential issue with having to put the template operator in multiple pagelayouts but I just took a look and page_head.tpl seems to be an include common to all of them, so I can just put it there.)

Marko Žmak

Wednesday 08 June 2011 6:45:36 am

Hm, is your System B allows you to hook on it's logout event, you could use that to destory the users session in that moment (possibly through a custom module of your extension).

This sounds like the most logical solution since you are doing the same thing (but vice versa) in the eZP's logout handler.

P.S: And what about this case: A user is NOT logged in in the System B, but logs in in eZP. Did you cover this case so that then user gets automatically logged in in System B?

--
Nothing is impossible. Not if you can imagine it!

Hubert Farnsworth

David Wirth

Wednesday 08 June 2011 8:17:41 am

"

Hm, is your System B allows you to hook on it's logout event, you could use that to destory the users session in that moment (possibly through a custom module of your extension).

This sounds like the most logical solution since you are doing the same thing (but vice versa) in the eZP's logout handler.

P.S: And what about this case: A user is NOT logged in in the System B, but logs in in eZP. Did you cover this case so that then user gets automatically logged in in System B?

"

It's pretty much a one-way relationship between System A (the eZP server) and System B, which is managed by another company. B does not send anything to A that A does not ask for. System A can send queries to B that include the capability to log the user into and out of B. So yes, a user logging in to eZP is automatically logged into B. The only hole here is what happens when the user logs out directly from B, because it does not let A know, and I cannot ask for System B to be changed to do that (or at least not without major cost).

Marko Žmak

Wednesday 08 June 2011 4:25:39 pm

"

It's pretty much a one-way relationship between System A (the eZP server) and System B, which is managed by another company. B does not send anything to A that A does not ask for. System A can send queries to B that include the capability to log the user into and out of B. So yes, a user logging in to eZP is automatically logged into B. The only hole here is what happens when the user logs out directly from B, because it does not let A know, and I cannot ask for System B to be changed to do that (or at least not without major cost).

"

Ok, then you need a cronjob script that does that, Checks with your System B if the user is logged in, and if it's not logs him out (or deletes it's session) on the eZP part.

--
Nothing is impossible. Not if you can imagine it!

Hubert Farnsworth

Jérôme Vieilledent

Thursday 09 June 2011 1:34:29 am

"

Ok, then you need a cronjob script that does that, Checks with your System B if the user is logged in, and if it's not logs him out (or deletes it's session) on the eZP part.

"

This won't be possible as of eZ Publish 4.4 since it uses the default PHP session implementation, and thus doesn't store the users' sessions in the database. 

To me, the only way to go would be to set a short session time for eZ Publish (let's say 30min or less). If user is not logged in any more in the SSO system, then the SSO handler should not log any user in (by returning false).

David Wirth

Thursday 09 June 2011 5:21:18 am

"
"

Ok, then you need a cronjob script that does that, Checks with your System B if the user is logged in, and if it's not logs him out (or deletes it's session) on the eZP part.

"

This won't be possible as of eZ Publish 4.4 since it uses the default PHP session implementation, and thus doesn't store the users' sessions in the database. 

To me, the only way to go would be to set a short session time for eZ Publish (let's say 30min or less). If user is not logged in any more in the SSO system, then the SSO handler should not log any user in (by returning false).

"

I'm not really satisfied with any solution in which a user logs out of system B and is not immediately or on the first subsequent eZP page load logged out of eZP as well. It presents a security hole. Imagine a scenario where a user logs in at a library, does some stuff at the eZP site and then at B, logs out from website B, and leaves the computer; For a while that user will still be logged in to eZP, so the next user of that computer could go back to the eZP site before the session has timed out and do stuff the authorized user can do.

So far I am still siding with the template operator approach.

Gaetano Giunta

Friday 10 June 2011 3:56:21 am

@JV: afaik, you cans still enable the custom ez session handler in ezp 4.5 and later, so you get all the goodies you need. Are you sure about statement?

@David: it's quite unfortunate that in system B users can log out, and still you can not have system B send any request to the eZ Publish site to notify it that the user has logged out... after all this is the most common way to set up single-sign-off: the site where the user is signing-off sends a notification to the central authentication system (and I think you figured out how to have eZ notify system B of users having logged out in eZ already). Also it is good practice to have one system used as authentication master for all involved sites, pulling off master-master is complex.

I think it might work with a custom tpl operator in the pagelayout (or some php code in config.php) - you might even skip the standard eZ SSO configuration and use that single operator to do the sso checks for both anon and logged in users.

A few things to take into account:

- you will be sending an sso request to system B for every page view of eZ users, both anon and not. Lots of traffic to system B (can it cope?) and risks of slowing down eZ pages if system B is not very responsive

- high risks of creating loops when users authenticates or deauthenticates himself, esp. if redirects are in use at either site (eg. user starts anon, logs in in eZ, eZ tells system B that user has logged in, user is redirected to new eZ Page, new page checks if user is logged in in system B but gets a stale response => user is logged out from eZ)

Principal Consultant International Business
Member of the Community Project Board

Gaetano Giunta

Friday 10 June 2011 3:56:53 am

ps: you can always add a feature request in wit to have sso checks done for looged in users too

Principal Consultant International Business
Member of the Community Project Board

Jérôme Vieilledent

Friday 10 June 2011 4:07:55 am

"

@JV: afaik, you cans still enable the custom ez session handler in ezp 4.5 and later, so you get all the goodies you need. Are you sure about statement?

"

I was saying by default.

David Wirth

Friday 10 June 2011 4:29:43 am

"

A few things to take into account:

- you will be sending an sso request to system B for every page view of eZ users, both anon and not. Lots of traffic to system B (can it cope?) and risks of slowing down eZ pages if system B is not very responsive

- high risks of creating loops when users authenticates or deauthenticates himself, esp. if redirects are in use at either site (eg. user starts anon, logs in in eZ, eZ tells system B that user has logged in, user is redirected to new eZ Page, new page checks if user is logged in in system B but gets a stale response => user is logged out from eZ)

"

Those two points had occurred to me. I am considering just leaving things as they are and accepting this security hole (which in fact is already there and has not, to my knowledge, caused a problem yet). It helps that there really isn't too much bad stuff at this point that one of these B-authenticated user accounts can do in our eZP site. I just hate to leave a hole, though.