[Koha-devel] SelfCheckoutByLogin

Mon Apr 15 14:45:03 CEST 2024

 Hi, David 
I found the AWS SAML SSO logout example.
SAML sign-out flow - Amazon Cognito

SAML SSO logout IDP, security issues.

When logging out of a SAML SSO IDP (Identity Provider), there are several security considerations to keep in mind:

1. Single Logout (SLO) Support: Ensure that your IDP supports Single Logout functionality, which logs the user out from all related Service Providers (SPs) when they log out from one, maintaining session consistency and security.

2. Logout Request Validation: When the IDP receives a logout request from an SP, it must validate the request to prevent malicious requests or Cross-Site Request Forgery (CSRF) attacks. Validation can be achieved through digital signatures or other secure mechanisms.

3. Security of Callback URLs: Ensure that the callback URLs used during logout are secure, avoiding the use of vulnerable or unauthorized URLs.

4. Session Management: Ensure that the IDP correctly terminates relevant sessions and clears user authentication information and session data upon logout to prevent session hijacking or replay attacks.

5. Security Event Monitoring: Establish monitoring mechanisms for logout operations and related session management events to promptly detect abnormal behavior or security incidents and take necessary response measures.

6. Security Auditing and Logging: Conduct thorough auditing and logging of logout operations and related security events to facilitate audit investigations or security incident tracing when needed.

7. Integration with Other Security Mechanisms: Integrate the logout functionality of SAML SSO with other security mechanisms such as Multi-Factor Authentication (MFA), Access Control Lists (ACLs), etc., to enhance the overall security of the system.

8. Regular Security Assessments: Conduct regular security assessments and vulnerability scans of the SAML SSO logout process, and promptly address any identified security issues to ensure the security and stability of the system.

In summary, logging out of a SAML SSO IDP requires attention to ensuring Single Logout support, secure logout request validation, security of callback URLs, proper session management, security event monitoring and response, auditing and logging, integration with other security mechanisms, and regular security assessments and vulnerability fixes.
With respect, long_sam
    在 2024年4月15日 星期一 下午03:11:14 [GMT+8]， David Cook via Koha-devel<koha-devel at lists.koha-community.org> 寫道：  

Part of the reason is that it’s considerably more complicated and error-prone.

If you log in using Google OpenID Connect, the self-checkout browser will retain your Google user session beyond your Koha self-checkout user session. Also, when Koha goes back to Google to authenticate someone else, it will auto-detect that you’re still logged in, and use your account instead. 

In theory, we could do a back channel logout against Google (or whatever other OpenID Connect identity provider), but if that failed to run for whatever reason you’re risking someone else at a public terminal accessing your personal Google account.

SAML doesn’t even have options for back channel logout, which makes it not an option at all. 

If someone can think of a really good way of making this work, I’d be happy to discuss it further, but I can’t think of a safe way to do this on a public terminal at the moment.

David Cook

Senior Software Engineer

Prosentient Systems

Suite 7.03

6a Glen St

Milsons Point NSW 2061

Australia

Office: 02 9212 0899

Online: 02 8005 0595

From: Koha-devel <koha-devel-bounces at lists.koha-community.org> On Behalf Of Katrin Fischer via Koha-devel
Sent: Monday, 15 April 2024 6:29 AM
To: koha-devel at lists.koha-community.org
Subject: Re: [Koha-devel] SelfCheckoutByLogin

Hi,

I think there is probably no specific reason, it's just not been developed yet.

As a next step you could search Bugzilla (https://bugs.koha-community.org/bugzilla3/) for any related bugs. If there is no existing report yet, you could file a new enhancement request.

Hope this helps,

Katrin

On 12.04.24 23:49, long_sam.tw via Koha-devel wrote:

Hi, all

Koha SelfCheckoutByLogin 

https://koha-community.org/manual/latest/en/html/circulationpreferences.html#selfcheckoutbylogin

I found that only local account authentication and cardnumber are supported, but other authentication methods are not supported,

such as google openid Oauth2, are not supported.

Can anyone explain the reason?

With respect, long_sam

_______________________________________________Koha-devel mailing listKoha-devel at lists.koha-community.orghttps://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-develwebsite : https://www.koha-community.org/git : https://git.koha-community.org/bugs : https://bugs.koha-community.org/
_______________________________________________
Koha-devel mailing list
Koha-devel at lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20240415/c53b3ae6/attachment-0001.htm>