[Koha-bugs] [Bug 30444] Enable Shibboleth option for SelfCheck modules for Koha

bugzilla-daemon at bugs.koha-community.org
Mon Aug 8 06:56:51 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30444

--- Comment #22 from Alex Buckley <alexbuckley at catalyst.net.nz> ---
(In reply to David Cook from comment #21)
> (In reply to David Cook from comment #20)
> > I'm waiting on some client requirements for SAML SSO in SCO, and when I get
> > those I should be able to provide more useful feedback/assistance as well.
> 
> I've heard back and their requirement is to use SAML SSO for SCO when the
> SCO is a dedicated physical terminal in the library. 
> 
> I'm going to see if they can do LDAP instead as it'll be more
> straightforward, but here's my thought for a physical terminal SCO:
> 
> 1. Go to SCO landing page
> 2. Click button to trigger SSO login
> 3. Redirect to SSO IdP 
> 4. Login to SSO IdP
> 5. Redirect back to Koha SCO
> 6. Create Koha SCO session using the JWT
> 7. Redirect back to SSO IdP for logout
> 8. Redirect back to Koha SCO to proceed with JWT
> 
> It's a multi-hop process, but it could be smooth unless the SSO IdP has a
> prompt for the logout.  
> 
> I have less experience with SAML than OpenID Connect. With OIDC, you
> redirect to a logout URL with a post_logout_redirect_uri, and it returns you
> to Koha without the user really being any the wiser. 
> 
> The alternative would be redirecting to the SSO IdP for logout when clicking
> "Finish" or during a SCO timeout but... that seems more error prone to me.
> Someone might step away and not fully logout and then someone else has
> access to their authenticated session from a dedicated physical terminal...
> 
> --
> 
> Less of an issue of course if they're doing the self-checkout from their own
> device online. 
> 
> That's why I'm thinking we might need some way of differentiating the two
> scenarios...

Hey David,

Thanks very much for that information. It is interesting to hear a different
workflow.

Yes, I agree differentiating the two use cases of SSO with SCO is a good idea:

Our use case is patrons checking out items on their own devices online,
whereas yours is on a shared dedicated terminal.

As you say in comment #20, in our use case we do not want the user to be logged
out from the IdP, because they may still have other work to do in the OPAC.

We could differentiate the two scenarios using a syspref, and perhaps try
upstreaming the two scenarios on two separate bug reports?
