Changes

Single Logout in Shibboleth IdP

6,048 bytes added, 24 November 2010, 17:34
2.2.0-slo10
== Important notes on third party cookies ==
In some browsers, the IFrame-driven front-channel logout doesn't work due to the browser blocking [http://en.wikipedia.org/wiki/HTTP_cookie#Third-party_cookies third party cookies].
 
Every cookie sent to a foreign domain via img, iframe, script, etc. tags is considered third party, so the session cookie of SP software living in a foreign domain is a third-party cookie when it is sent from within an IFrame. If the browser blocks these cookies, the SP does not receive its session cookie and may therefore stop processing the logout request at this point.
 
Additional links:
* [http://n2.nabble.com/Frames-cookies-question-td4127538.html#a4127538 Shibboleth-dev thread on the issue]
* [http://support.mozilla.com/en-US/kb/Disabling+third+party+cookies How to disable third party cookies in firefox]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=417800#c11 Additional explanation in Mozilla Bugzilla]
* [http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies Same origin policy for cookies]
* [http://code.google.com/p/browsersec/wiki/Part2#Third-party_cookie_rules Further information on third party cookie handling]
 
"Although any third-party cookie restrictions are not a sufficient method to prevent cross-domain user tracking, they prove to be rather efficient in disrupting or impacting the security of some legitimate web site features, most notably certain web gadgets and authentication mechanisms."
 
=== Why service providers might need the session cookie ===
Most services do not need the session cookie itself; they only need the NameIdentifier, which is carried by the logout request, so back-channel logout requests are sufficient for them. But there might be service providers which do not implement back-channel bindings (e.g. SimpleSAMLphp), or which need front-channel application notification.
 
=== Why not fully back-channel? ===
The SAML profiles specification (section 4.4.3.1) clearly states that front-channel bindings should be preferred when sending the LogoutRequest to the session authority (IdP). If the user interface is generated by the IdP, it can inform the user about the whole logout process and about each SP's response. If the SP used a back-channel LogoutRequest instead, the IdP's response could only carry minimal information (i.e. success or failure), which is not desirable. Also, the IdP would need to execute the back-channel requests in parallel and synchronize them with the originating request, which would make the processing code much more complex.
 
=== Technical solution ===
Our proposal is to prefer back-channel endpoints at the service provider side, unless your application needs to be notified via front-channel. For example,
* if your application behind your SP needs the session cookie with the notification, use only front-channel bindings in the SP metadata,
* otherwise use only back-channel binding in the SP metadata.
 
With these mutually exclusive endpoint sets, the SP can clearly advise the IdP which binding it should use when contacting this SP. Thus both implementations need to be available on the IdP side.
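The IdP-side selection rule described above, as an added example that is not part of the original page or of the Shibboleth code base: given SP metadata, pick a back-channel (SOAP) SingleLogoutService endpoint when the SP advertises one and fall back to a front-channel (HTTP-Redirect/HTTP-POST) endpoint otherwise. The two entityIDs and endpoint locations in the embedded metadata are constructed sample values.

```python
# Added example (not Shibboleth code): choose the SingleLogoutService endpoint
# an IdP should use for a given SP, following the rule on this page:
# prefer back-channel (SOAP) when advertised, otherwise use front-channel.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BACK_CHANNEL = (SOAP,)
FRONT_CHANNEL = (REDIRECT, POST)

# Constructed sample metadata: two SPs with mutually exclusive endpoint sets.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://backchannel.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="{SOAP}"
          Location="https://backchannel.example.org/Shibboleth.sso/SLO/SOAP"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://frontchannel.example.org/simplesaml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="{REDIRECT}"
          Location="https://frontchannel.example.org/simplesaml/slo"/>
      <md:SingleLogoutService Binding="{POST}"
          Location="https://frontchannel.example.org/simplesaml/slo"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def slo_endpoints(metadata_xml, entity_id):
    """Return (binding, location) pairs of the SP's SingleLogoutService elements."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        return [(s.get("Binding"), s.get("Location"))
                for s in ed.iter(f"{{{MD_NS}}}SingleLogoutService")]
    raise KeyError(f"unknown entityID {entity_id}")


def choose_slo_endpoint(metadata_xml, entity_id):
    """Pick (channel, binding, location): back-channel first, front-channel otherwise."""
    endpoints = slo_endpoints(metadata_xml, entity_id)
    for wanted in (BACK_CHANNEL, FRONT_CHANNEL):
        for binding, location in endpoints:
            if binding in wanted:
                channel = "back" if binding in BACK_CHANNEL else "front"
                return channel, binding, location
    return None  # SP advertises no SLO endpoint, so it cannot take part in logout
```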
 
=== Non-technical solution ===
Another option would be to add a new requirement for your end users. You can claim that banning third-party cookies is unsupported (because it breaks SLO), just like disabling all cookies (which breaks SSO). Convincing your users (and the Shibboleth developers to accept this solution) might be dubious, though.
 
== Features ==
* Implements SAML2 Single Logout profile
=== Released versions ===
* download the latest binary snapshot version from our [http://software.niif.hu software distribution site]

==== v2.2.0-slo10 ====
* fix configuration templates
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=23593c89903cff2fb53bdb939bd463754496a439;sf=tgz shibboleth-common-1.2.0-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=275bda0758df9f5f26f35eb69a690b63b697e520;sf=tgz shibboleth-identityprovider-2.2.0-slo10]

==== v2.2.0-slo9 ====
* allow EncryptedID to be used in the initiating request (patch contributed by Michael Simon from Karlsruher Institut für Technologie)
* expose method for programmatic back-channel logout
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=23593c89903cff2fb53bdb939bd463754496a439;sf=tgz shibboleth-common-1.2.0-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=46ae3f6475ed578440c72bec3c9a63b387854a70;sf=tgz shibboleth-identityprovider-2.2.0-slo9]

==== v2.1.5-slo7 ====
* use AttributeConsumingService/ServiceName to feed the logout interface
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=3f7fa9509d8751787943a32817dab55b69736488;sf=tgz java-shib-common-1.1.4-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=88e7334e7fdc36454ef5c3bf1342bb402c08bdd4;sf=tgz java-idp-2.1.5-slo7]

==== v2.1.5-slo6 ====
* skip session-indexing under error conditions
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=3f7fa9509d8751787943a32817dab55b69736488;sf=tgz java-shib-common-1.1.4-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=df79269261fc1fdd3ac99cf4aca2fa7fffd38e33;sf=tgz java-idp-2.1.5-slo6]

==== v2.1.5-slo5 ====
* fixed NullPointerException with non-existent or filtered NameIdentifiers
* fixed a flaw in session-indexing logic: use the whole NameIdentifier as the index, not just the value
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=3f7fa9509d8751787943a32817dab55b69736488;sf=tgz java-shib-common-1.1.4-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=bb5b5d27831d06915cba52e474dc3aae62343238;sf=tgz java-idp-2.1.5-slo5]

==== v2.1.5-slo4 ====
* upstream version bump
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=97590490012a10586efe8c49c873c36460ef0a2e;sf=tgz java-shib-common]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=8e863b05d849e0ce6ffc224d7b9ca49d4f59742f;sf=tgz; java-idp]
==== v2.1.4-slo4 ====