Hi, David
I also found that there is no Google Openid Oauth2 login authentication
mechanism in the staff. Google Openid Oauth2 authentication is not used in the
background, why?
With respect, long_sam
在 2024年4月15日 星期一 下午08:45:20 [GMT+8], long_sam.tw via
Koha-devel<koha-devel@lists.koha-community.org> 寫道:
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
Hi, David
I found the AWS SAML SSO logout example.
SAML sign-out flow - Amazon Cognito
SAML SSO logout IDP, security issues.
When logging out of a SAML SSO IDP (Identity Provider), there are several
security considerations to keep in mind:
1. Single Logout (SLO) Support: Ensure that your IDP supports Single Logout
functionality, which logs the user out from all related Service Providers (SPs)
when they log out from one, maintaining session consistency and security.
2. Logout Request Validation: When the IDP receives a logout request from an
SP, it must validate the request to prevent malicious requests or Cross-Site
Request Forgery (CSRF) attacks. Validation can be achieved through digital
signatures or other secure mechanisms.
3. Security of Callback URLs: Ensure that the callback URLs used during logout
are secure, avoiding the use of vulnerable or unauthorized URLs.
4. Session Management: Ensure that the IDP correctly terminates relevant
sessions and clears user authentication information and session data upon
logout to prevent session hijacking or replay attacks.
5. Security Event Monitoring: Establish monitoring mechanisms for logout
operations and related session management events to promptly detect abnormal
behavior or security incidents and take necessary response measures.
6. Security Auditing and Logging: Conduct thorough auditing and logging of
logout operations and related security events to facilitate audit
investigations or security incident tracing when needed.
7. Integration with Other Security Mechanisms: Integrate the logout
functionality of SAML SSO with other security mechanisms such as Multi-Factor
Authentication (MFA), Access Control Lists (ACLs), etc., to enhance the overall
security of the system.
8. Regular Security Assessments: Conduct regular security assessments and
vulnerability scans of the SAML SSO logout process, and promptly address any
identified security issues to ensure the security and stability of the system.
In summary, logging out of a SAML SSO IDP requires attention to ensuring Single
Logout support, secure logout request validation, security of callback URLs,
proper session management, security event monitoring and response, auditing and
logging, integration with other security mechanisms, and regular security
assessments and vulnerability fixes.
With respect, long_sam
在 2024年4月15日 星期一 下午03:11:14 [GMT+8], David Cook via
Koha-devel<koha-devel@lists.koha-community.org> 寫道:
Part of the reason is that it’s considerably more complicated and error-prone.
If you log in using Google OpenID Connect, the self-checkout browser will
retain your Google user session beyond your Koha self-checkout user session.
Also, when Koha goes back to Google to authenticate someone else, it will
auto-detect that you’re still logged in, and use your account instead.
In theory, we could do a back channel logout against Google (or whatever other
OpenID Connect identity provider), but if that failed to run for whatever
reason you’re risking someone else at a public terminal accessing your personal
Google account.
SAML doesn’t even have options for back channel logout, which makes it not an
option at all.
If someone can think of a really good way of making this work, I’d be happy to
discuss it further, but I can’t think of a safe way to do this on a public
terminal at the moment.
David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595
From: Koha-devel <koha-devel-boun...@lists.koha-community.org> On Behalf Of
Katrin Fischer via Koha-devel
Sent: Monday, 15 April 2024 6:29 AM
To: koha-devel@lists.koha-community.org
Subject: Re: [Koha-devel] SelfCheckoutByLogin
Hi,
I think there is probably no specific reason, it's just not been developed yet.
As a next step you could search Bugzilla
(https://bugs.koha-community.org/bugzilla3/) for any related bugs. If there is
no existing report yet, you could file a new enhancement request.
Hope this helps,
Katrin
On 12.04.24 23:49, long_sam.tw via Koha-devel wrote:
Hi, all
Koha SelfCheckoutByLogin
https://koha-community.org/manual/latest/en/html/circulationpreferences.html#selfcheckoutbylogin
I found that only local account authentication and cardnumber are supported,
but other authentication methods are not supported,
such as google openid Oauth2, are not supported.
Can anyone explain the reason?
With respect, long_sam
_______________________________________________Koha-devel mailing
listkoha-de...@lists.koha-community.orghttps://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-develwebsite
: https://www.koha-community.org/git : https://git.koha-community.org/bugs :
https://bugs.koha-community.org/
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
