[Koha-devel] SelfCheckoutByLogin

David Cook dcook at prosentient.com.au
Wed Apr 17 02:11:03 CEST 2024


Hi long_sam,

Thanks for your reply. You’re right; SAML does have single log out functionality. However, from my understanding it’s a “front-channel logout” mechanism that requires the redirecting of the user in the browser.

With OpenID Connect, the “back-channel logout” is a request sent from the server to the IdP without needing to redirect the user in the browser. As far as I know, SAML doesn’t have “back-channel logout” functionality.

That being said, I suppose there’s no reason you couldn’t do a front-channel logout. In fact, that might be preferable, because then the user would know that they’ve been logged out of the Identity Provider (or that there was some failure to log out, so they could take manual steps to end their SSO session).

--

I like the idea of being able to use credentials from a centralized Identity Provider to log into the self-checkout, but personally I wouldn’t want to use SSO on a shared system that could potentially leave my SSO session open beyond my interactions with the self-checkout. And I’m a tech-savvy user. I fear for users who are not tech-savvy.

Another technical detail. At the moment, Koha is set up to allow SAML or OpenID Connect for creating authenticated user sessions. In the case of the self-checkout, the actual user session belongs to a self-checkout user. When you put in your cardnumber or username/password, you’re not actually creating a new user session. You’re really just authorizing the self-checkout user to work with your account. So the existing code for the SAML/OpenID Connect can’t be easily re-used, I think. We’d need totally different implementations just for the self-checkout. (I suppose one option would be to allow SSO login, confirm the authenticated session, and then immediately do a SLO (single log out) from the IdP to help reduce the time the SSO session exists.)

--

So overall… there are ways of doing it. A few of us discussed it at https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30444 but ultimately no one decided to pursue it.

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30979 provided a method for allowing OPAC users to checkout to themselves, so you’d login as the OPAC user (using SSO) and then checkout to yourself. I think the idea here is that you do it on a private device though.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899
Online: 02 8005 0595
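David's message above contrasts SAML's redirect-based single logout with the server-to-server logout that OpenID Connect offers. The following is an added example, not code from Koha or from anyone in this thread: the relying-party (Koha-side) half of OpenID Connect Back-Channel Logout 1.0, in which the OpenID Provider notifies the relying party server-to-server by POSTing a signed logout token, and the relying party validates that token before ending the matching local session. Everything here is constructed: the provider is assumed to sign with HS256 using the client secret (a real deployment would more often verify an RS256 signature against the provider's JWKS), and the issuer, client id, secret and session ids are made-up values.

```python
"""Relying-party handling of an OpenID Connect back-channel logout token.

Added, constructed example (not Koha code). Assumptions: the OpenID Provider
signs logout tokens with HS256 using the client secret; the session store is
an in-memory dict keyed by the provider's session id (sid); issuer, client id,
secret and session ids are made-up values.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.library.example"          # assumed OP issuer (constructed)
CLIENT_ID = "koha-selfcheck"                    # assumed RP client_id (constructed)
CLIENT_SECRET = b"constructed-shared-secret"    # assumed HS256 key (constructed)
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE = 120  # seconds; a logout token should be consumed promptly


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used here only to build sample logout tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class LogoutTokenError(ValueError):
    """Raised when a logout token fails any validation step."""


class RelyingParty:
    def __init__(self):
        self.sessions = {}     # sid -> {"sub": subject, "active": bool}
        self.seen_jti = set()  # replay guard: each logout token is accepted once

    def login(self, sid: str, subject: str) -> None:
        self.sessions[sid] = {"sub": subject, "active": True}

    def validate_logout_token(self, token: str, now=None) -> dict:
        """Apply the checks Back-Channel Logout 1.0 requires of the RP; raise on any failure."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise LogoutTokenError("malformed token")
        header_b64, body_b64, sig_b64 = parts
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never accept 'none' or an unexpected alg
            raise LogoutTokenError("unexpected alg")
        expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise LogoutTokenError("bad signature")
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("iss") != ISSUER:
            raise LogoutTokenError("wrong issuer")
        aud = claims.get("aud")
        if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
            raise LogoutTokenError("not addressed to this client")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_TOKEN_AGE:
            raise LogoutTokenError("iat missing, too old or in the future")
        events = claims.get("events")
        if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
            raise LogoutTokenError("missing back-channel logout event")
        if "nonce" in claims:  # a nonce marks an ID token, which must not be accepted here
            raise LogoutTokenError("nonce present")
        if "sub" not in claims and "sid" not in claims:
            raise LogoutTokenError("neither sub nor sid present")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise LogoutTokenError("missing or replayed jti")
        self.seen_jti.add(jti)
        return claims

    def backchannel_logout(self, token: str, now=None) -> list:
        """Validate the token, end every matching local session, return the sids ended."""
        claims = self.validate_logout_token(token, now)
        ended = []
        for sid, rec in self.sessions.items():
            if rec["active"] and (sid == claims.get("sid") or rec["sub"] == claims.get("sub")):
                rec["active"] = False
                ended.append(sid)
        return ended


def demo(now: int = 1_713_200_000) -> dict:
    """Constructed walk-through: one valid logout, then the same token replayed."""
    rp = RelyingParty()
    rp.login("sid-1", "patron-42")
    token = encode_hs256({"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": "jti-1",
                          "sid": "sid-1", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}, CLIENT_SECRET)
    ended = rp.backchannel_logout(token, now=now)
    try:
        rp.backchannel_logout(token, now=now)
        replay = "accepted"
    except LogoutTokenError as exc:
        replay = str(exc)
    return {"ended": ended, "replay": replay, "still_active": rp.sessions["sid-1"]["active"]}


if __name__ == "__main__":
    print(demo())
```

The point for a shared terminal is the failure path: `backchannel_logout` raises rather than silently doing nothing, so the kiosk code calling it can tell the user that their provider session may still be open and that they should end it manually, which is the manual fallback David mentions.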

 

From: long_sam.tw <long_sam.tw at yahoo.com.tw> 
Sent: Monday, 15 April 2024 10:45 PM
To: koha-devel at lists.koha-community.org; David Cook <dcook at prosentient.com.au>
Subject: Re: [Koha-devel] SelfCheckoutByLogin

 

Hi, David

I found the AWS SAML SSO logout example.

SAML sign-out flow - Amazon Cognito <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-sign-out.html>

SAML SSO logout IDP, security issues.

When logging out of a SAML SSO IDP (Identity Provider), there are several security considerations to keep in mind:

1. Single Logout (SLO) Support: Ensure that your IDP supports Single Logout functionality, which logs the user out from all related Service Providers (SPs) when they log out from one, maintaining session consistency and security.

2. Logout Request Validation: When the IDP receives a logout request from an SP, it must validate the request to prevent malicious requests or Cross-Site Request Forgery (CSRF) attacks. Validation can be achieved through digital signatures or other secure mechanisms.

3. Security of Callback URLs: Ensure that the callback URLs used during logout are secure, avoiding the use of vulnerable or unauthorized URLs.

4. Session Management: Ensure that the IDP correctly terminates relevant sessions and clears user authentication information and session data upon logout to prevent session hijacking or replay attacks.

5. Security Event Monitoring: Establish monitoring mechanisms for logout operations and related session management events to promptly detect abnormal behavior or security incidents and take necessary response measures.

6. Security Auditing and Logging: Conduct thorough auditing and logging of logout operations and related security events to facilitate audit investigations or security incident tracing when needed.

7. Integration with Other Security Mechanisms: Integrate the logout functionality of SAML SSO with other security mechanisms such as Multi-Factor Authentication (MFA), Access Control Lists (ACLs), etc., to enhance the overall security of the system.

8. Regular Security Assessments: Conduct regular security assessments and vulnerability scans of the SAML SSO logout process, and promptly address any identified security issues to ensure the security and stability of the system.

In summary, logging out of a SAML SSO IDP requires attention to ensuring Single Logout support, secure logout request validation, security of callback URLs, proper session management, security event monitoring and response, auditing and logging, integration with other security mechanisms, and regular security assessments and vulnerability fixes.

With respect, long_sam
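long_sam's list above asks for logout request validation, safe callback URLs, session termination and audit logging. The following is an added example, not Koha or Amazon Cognito code, showing how a service provider might enforce those points when it receives an IdP-initiated SAML LogoutRequest and when it chooses the URL to send the browser back to afterwards. Assumptions: the XML signature on the request has already been verified by the SAML library before this handler runs (this code does not implement XML-DSig), the session store and audit log are in memory, and the issuer, hostnames and the sample request are constructed values.

```python
"""SP-side handling of an IdP-initiated SAML LogoutRequest plus return-URL allowlisting.

Added, constructed example (not Koha or Amazon Cognito code). Assumptions: the
XML signature on the request was verified by the SAML library before this
handler runs; the session store and audit log are in-memory; the issuer,
hostnames and sample request are made up.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EXPECTED_ISSUER = "https://idp.library.example/saml"   # assumed IdP entityID (constructed)
CLOCK_SKEW = timedelta(minutes=5)                       # tolerance on IssueInstant
ALLOWED_RETURN_HOSTS = {"opac.library.example", "selfcheck.library.example"}  # constructed
DEFAULT_RETURN = "https://opac.library.example/"


def is_safe_return_url(url: str) -> bool:
    """Allow only absolute https URLs to known hosts; compare the parsed hostname, not a prefix."""
    if not url or "\\" in url:           # backslashes are parsed differently by browsers
        return False
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_RETURN_HOSTS:
        return False
    if parts.username or parts.password or parts.port not in (None, 443):
        return False
    return True


def choose_return_url(candidate: str) -> str:
    """Fall back to a fixed landing page whenever the requested return URL is not allowlisted."""
    return candidate if is_safe_return_url(candidate) else DEFAULT_RETURN


class LogoutHandler:
    def __init__(self):
        self.sessions = {}     # SessionIndex -> {"name_id": str, "active": bool}
        self.seen_ids = set()  # LogoutRequest IDs already processed (replay guard)
        self.audit = []        # one JSON record per logout attempt, success or not

    def login(self, session_index: str, name_id: str) -> None:
        self.sessions[session_index] = {"name_id": name_id, "active": True}

    def _log(self, outcome: str, **fields) -> str:
        self.audit.append(json.dumps({"event": "saml.logout_request", "outcome": outcome, **fields},
                                     sort_keys=True))
        return outcome

    def handle_logout_request(self, xml_text: str, now: datetime) -> str:
        """Validate issuer, freshness and uniqueness, then end the named sessions. Returns the outcome."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return self._log("rejected", reason="unparseable")
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return self._log("rejected", reason="not a LogoutRequest")
        req_id = root.get("ID")
        if root.findtext(f"{{{SAML}}}Issuer") != EXPECTED_ISSUER:
            return self._log("rejected", request_id=req_id, reason="unexpected issuer")
        try:
            issued = datetime.strptime(root.get("IssueInstant", ""), "%Y-%m-%dT%H:%M:%SZ")
            issued = issued.replace(tzinfo=timezone.utc)
        except ValueError:
            return self._log("rejected", request_id=req_id, reason="bad IssueInstant")
        if abs(now - issued) > CLOCK_SKEW:
            return self._log("rejected", request_id=req_id, reason="stale IssueInstant")
        if not req_id or req_id in self.seen_ids:
            return self._log("rejected", request_id=req_id, reason="missing or replayed ID")
        self.seen_ids.add(req_id)
        name_id = root.findtext(f"{{{SAML}}}NameID")
        indexes = [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")]
        ended = []
        for idx, rec in self.sessions.items():
            if rec["active"] and rec["name_id"] == name_id and (not indexes or idx in indexes):
                rec["active"] = False  # clear the local session; the IdP ends its own side
                ended.append(idx)
        return self._log("ok" if ended else "no-session", request_id=req_id, name_id=name_id, ended=ended)


# Constructed sample request; its signature is assumed to have been verified already.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-req-1" Version="2.0" IssueInstant="2024-04-15T14:45:00Z"
    Destination="https://selfcheck.library.example/saml/slo">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:NameID>patron-42</saml:NameID>
  <samlp:SessionIndex>_sess-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""
SAMPLE_NOW = datetime(2024, 4, 15, 14, 46, tzinfo=timezone.utc)

if __name__ == "__main__":
    handler = LogoutHandler()
    handler.login("_sess-abc", "patron-42")
    print(handler.handle_logout_request(SAMPLE_LOGOUT_REQUEST, SAMPLE_NOW))
    print(handler.handle_logout_request(SAMPLE_LOGOUT_REQUEST, SAMPLE_NOW))  # replay
    print("\n".join(handler.audit))
```

Two design choices worth noting: every rejected request is logged with its reason and request ID, so a burst of replayed or mis-issued logout requests is visible to monitoring (points 5 and 6 of the list), and the return URL check compares the parsed hostname against an allowlist rather than doing a string prefix match, so a host such as `opac.library.example.evil.test` is not accepted. In production, parse untrusted XML with `defusedxml` rather than `xml.etree` directly.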

On Monday, 15 April 2024 at 03:11:14 PM [GMT+8], David Cook via Koha-devel <koha-devel at lists.koha-community.org> wrote:

 

 

Part of the reason is that it’s considerably more complicated and error-prone.

If you log in using Google OpenID Connect, the self-checkout browser will retain your Google user session beyond your Koha self-checkout user session. Also, when Koha goes back to Google to authenticate someone else, it will auto-detect that you’re still logged in, and use your account instead.

In theory, we could do a back channel logout against Google (or whatever other OpenID Connect identity provider), but if that failed to run for whatever reason you’re risking someone else at a public terminal accessing your personal Google account.

SAML doesn’t even have options for back channel logout, which makes it not an option at all.

If someone can think of a really good way of making this work, I’d be happy to discuss it further, but I can’t think of a safe way to do this on a public terminal at the moment.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899
Online: 02 8005 0595

 

From: Koha-devel <koha-devel-bounces at lists.koha-community.org> On Behalf Of Katrin Fischer via Koha-devel
Sent: Monday, 15 April 2024 6:29 AM
To: koha-devel at lists.koha-community.org
Subject: Re: [Koha-devel] SelfCheckoutByLogin

 

Hi,

I think there is probably no specific reason, it's just not been developed yet.

As a next step you could search Bugzilla (https://bugs.koha-community.org/bugzilla3/) for any related bugs. If there is no existing report yet, you could file a new enhancement request.

Hope this helps,

Katrin

On 12.04.24 23:49, long_sam.tw via Koha-devel wrote:

Hi, all

Koha SelfCheckoutByLogin

https://koha-community.org/manual/latest/en/html/circulationpreferences.html#selfcheckoutbylogin

I found that only local account authentication and cardnumber are supported, but other authentication methods, such as Google OpenID OAuth2, are not supported.

Can anyone explain the reason?

With respect, long_sam

 

 

 

_______________________________________________
Koha-devel mailing list
Koha-devel at lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
