
grouper-users - RE: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Chris Hyzer <>, Eric Cheu <>, Jeffrey T Eaton <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] GrouperUI performing an IDP logout when using shibb authn
  • Date: Sun, 18 Jan 2015 20:45:52 +0000
  • Accept-language: en-US

This is fixed.  It is in a patch so you can easily apply it with the grouperInstaller (see below)

https://bugs.internet2.edu/jira/browse/GRP-1097

Note, you can kill cookies by name or prefix too on logout before redirecting to your logout page.

 

I have this configured on the demo server, you can try it there:

 

grouperUi.logout.redirectToUrl = https://grouperdemo.internet2.edu/logout.html

 

######## GROUPER PATCHER EXAMPLE ##############

[appadmin@i2midev1 patches]$ wget http://software.internet2.edu/grouper/release/2.2.1/grouperInstaller.jar
[appadmin@i2midev1 patches]$ java -jar grouperInstaller.jar
Do you want to 'install' a new installation of grouper, 'upgrade' an existing installation
  or 'patch' an existing installation
  (enter: 'install', 'upgrade', 'patch' or blank for the default) [install]: patch
Enter in a Grouper temp directory to download tarballs (note: better if no spaces or special chars) [/opt/grouper/2.2/patches]:
What do you want to patch?  api, ui, ws, or psp? [api]: ui
Where is the grouper UI installed? /opt/tomcats/tomcat_d/webapps/grouper_v2_2
What do you want to do with patches (install, revert, status)? [install]:

################ Checking patch grouper_v2_2_1_api_patch_0
Patch: grouper_v2_2_1_api_patch_0: was applied on: 2015/01/18 17:45:34

################ Checking patch grouper_v2_2_1_api_patch_1
Patch: grouper_v2_2_1_api_patch_1: was applied on: 2015/01/18 17:46:04

################ Checking patch grouper_v2_2_1_api_patch_2
Patch: grouper_v2_2_1_api_patch_2: was applied on: 2015/01/18 17:46:24

################ Checking patch grouper_v2_2_1_api_patch_3
Patch doesnt exist yet (not an error): http://software.internet2.edu/grouper/release/2.2.1/patches/grouper_v2_2_1_api_patch_3.tar.gz

There are no new API patches to install

################ Checking patch grouper_v2_2_1_ui_patch_0
Patch: grouper_v2_2_1_ui_patch_0: was applied on: 2015/01/18 17:46:18

################ Checking patch grouper_v2_2_1_ui_patch_1
Patch: grouper_v2_2_1_ui_patch_1: was applied on: 2015/01/18 17:46:20

################ Checking patch grouper_v2_2_1_ui_patch_2
Patch: grouper_v2_2_1_ui_patch_2: was applied on: 2015/01/18 17:46:22

################ Checking patch grouper_v2_2_1_ui_patch_3
Patch: grouper_v2_2_1_ui_patch_3: was applied on: 2015/01/18 18:12:10

################ Checking patch grouper_v2_2_1_ui_patch_4
Patch: grouper_v2_2_1_ui_patch_4: was applied on: 2015/01/18 17:46:30

################ Checking patch grouper_v2_2_1_ui_patch_5
Patch: grouper_v2_2_1_ui_patch_5: was applied on: 2015/01/18 17:46:31

################ Checking patch grouper_v2_2_1_ui_patch_6
Patch: grouper_v2_2_1_ui_patch_6: was reverted on: 2015/01/18 19:53:46

Downloading from URL: http://software.internet2.edu/grouper/release/2.2.1/patches/grouper_v2_2_1_ui_patch_6.tar.gz to file: /opt/grouper/2.2/patches/grouper_v2_2_1_ui_patch_6.tar.gz
Unzipping: /opt/grouper/2.2/patches/grouper_v2_2_1_ui_patch_6.tar.gz
Expanding: /opt/grouper/2.2/patches/grouper_v2_2_1_ui_patch_6.tar
Patch grouper_v2_2_1_ui_patch_6 is low risk, is a security patch
This patch fixes GRP-1097 grouper logout management
Would you like to install patch grouper_v2_2_1_ui_patch_6 (t|f)? [t]:

- set property: grouper_v2_2_1_ui_patch_6.date from: 2015/01/18 19:53:46 to: 2015/01/18 19:55:29
This patch requires all processes that user Grouper to be stopped.
  Please stop these processes if they are running and press <enter> to continue...

Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/grouperUi2/index/index.jsp
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/ui/util/GrouperUiUtils.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/ui/util/GrouperUiUtils$2.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/ui/util/GrouperUiUtils.java
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/ui/util/GrouperUiUtils$1.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/ui/actions/LogoutAction.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/ui/actions/LogoutAction.java
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/Misc.java
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/Misc.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/grouper-ui.base.properties
Patch successfully applied: grouper_v2_2_1_ui_patch_6
- set property: grouper_v2_2_1_ui_patch_6.state from: reverted to: applied

################ Checking patch grouper_v2_2_1_ui_patch_7
Patch doesnt exist yet (not an error): http://software.internet2.edu/grouper/release/2.2.1/patches/grouper_v2_2_1_ui_patch_7.tar.gz

Since patches were applied, you should delete files in your app server work directory,
  in tomcat it is named 'work'.  Hit <enter> to continue:
[appadmin@i2midev1 patches]$

 

From: [mailto:] On Behalf Of Chris Hyzer
Sent: Wednesday, November 26, 2014 1:24 PM
To: Eric Cheu; Jeffrey T Eaton
Cc:
Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

 

This is no different than any other web application.  For 2.2.2 I will make sure there is a way to remove specified cookies (that grouper is allowed to delete by domain) by name prefix. Also you will be able to specify a single logout url if your institution has one.  Ok?  Thanks, Chris


-------- Original message --------
From: Eric Cheu <>
Date: 11/26/2014 1:16 PM (GMT-05:00)
To: Jeffrey T Eaton <>
Cc:
Subject: Re: [grouper-users] GrouperUI performing an IDP logout when using shibb authn

If this is really true, then the wording on the grouper page (or at least our version of grouper, 2.2) is out of date.  It says:

"Note: Your session has been ended, however, it is possible that you are still logged in. The only way to be sure that you have logged out is to close ALL browser windows."

And might even be a blow to using grouper for certain secure applications, at least for general student use.

 

 

 

On Wed, Nov 26, 2014 at 12:44 PM, Jeffrey T Eaton <> wrote:

It's not as easy as deleting the IDP's cookies.  Consider the case where a user starts a browser, and accesses 3 different SPs.

 

The user, while interacting with one of the SPs, wants to log out.  That SP can destroy its own session state, and redirect to the IDP to delete the session state there, however, there's no currently feasible way to force a logout of the other SPs which may be maintaining their own session. 

 

So, now the user walks away from the shared computer, and someone else walks up and happens to navigate to one of the SPs where the previous user was logged in, and is already logged in as the other user.

 

The only real way to manage single sign on in a shared computer environment is to have something which forcibly resets the browser state, losing all session data for all sites.  Used to be that quitting your browser would be sufficient to delete all of the cookies, but even that's becoming less reliable with browsers trying to "helpfully" restore your previous session cookies for you.

 

-jeaton

 

 

On Nov 25, 2014, at 11:35 AM, Eric Cheu <> wrote:

 

IMO, there should be a way to delete shibboleth browser cookies without actually having to close the browser.  I was able to do it manually in firefox by going through the menu system and actually looking for the shibboleth cookies and manually deleting them.  That got the desired effect of doing a global IDP logout without having to close the browser.  It is a harder sell to use shibboleth for certain applications if logging out of shibboleth is unintuitive for students using shared computers on a network.

 

On Wed, Nov 19, 2014 at 11:46 AM, Rob Gorrell <> wrote:

I'm not much of an SP guy, so I could use some help here. We currently have the grouperUI set up behind a shibb SP to process authentication into grouper. Works great. However. Looks like the standard logout is to redirect to logout.do which only kills the app session. Is there a way we can tell grouper to additionally redirect to our IDP's logout page so we can perform a logout there as well?

-Rob


--

Robert W. Gorrell
Systems Architect, Identity and Access Management

University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
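
Added illustration, not part of the thread and not Grouper's code: a logout response that expires cookies by name prefix and then redirects, applied to a simulated browser that also holds IdP and second-SP sessions, showing which cookies survive. The hostnames, cookie names and values are constructed samples, and cookies are assumed to be host-only with Path=/.

```python
from http.cookies import SimpleCookie

def sample_jar():
    # Constructed browser state after visiting Grouper, the IdP and a second SP.
    # Keys are (host, cookie name); hosts, names and values are made up.
    return {
        ("grouper.example.edu", "JSESSIONID"): "a1",
        ("grouper.example.edu", "_shibsession_64656d6f"): "b2",
        ("idp.example.edu", "_idp_session"): "c3",
        ("wiki.example.edu", "_shibsession_77696b69"): "d4",
    }

def logout_headers(request_cookie_header, prefixes, redirect_url):
    """Server side: expire every received cookie matching a prefix, then redirect."""
    received = SimpleCookie(request_cookie_header)
    headers = []
    for name in received:
        if any(name.startswith(p) for p in prefixes):
            # Path (and Domain, if one was set) must match the original cookie,
            # otherwise the browser keeps it. Path=/ is assumed here.
            headers.append(("Set-Cookie", f"{name}=; Path=/; Max-Age=0"))
    headers.append(("Location", redirect_url))
    return headers

def browser_logout(jar, host, prefixes, redirect_url):
    """Browser side: send only this host's cookies, then apply the response."""
    header = "; ".join(f"{n}={v}" for (h, n), v in jar.items() if h == host)
    response = logout_headers(header, prefixes, redirect_url)
    for key, value in response:
        if key == "Set-Cookie":
            # A response from `host` can only affect cookies scoped to `host`.
            jar.pop((host, value.split("=", 1)[0]), None)
    return response

def remaining(jar):
    return sorted(f"{h}:{n}" for (h, n) in jar)

if __name__ == "__main__":
    jar = sample_jar()
    for header in browser_logout(jar, "grouper.example.edu",
                                 ["JSESSIONID", "_shibsession_"],
                                 "https://idp.example.edu/logout"):
        print(header)
    print("still in browser:", remaining(jar))
```

The IdP cookie and the other SP's session cookie are never sent to the Grouper host, so the Grouper logout cannot clear them; ending the IdP session is left to the page the redirect points at, and the other SP's session persists either way.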

 

 

 


