[Koha-devel] SelfCheckoutByLogin

Renvoize, Martin martin.renvoize at ptfs-europe.com
Wed Apr 17 20:34:49 CEST 2024


Bug 30979 was written to mostly resolve this use case. There are further
enhancements to it reported to limit by IP range and things, but the basics
all work.

If you wanted a specific device required, I'd suggest using the code
developed for the above as a starting point.



On Wed, 17 Apr 2024, 2:42 am long_sam.tw via Koha-devel, <
koha-devel at lists.koha-community.org> wrote:

> Hi, David
>
> I also found that there is no Google OpenID OAuth2 login authentication mechanism in the staff. Google OpenID OAuth2 authentication is not used in the background, why?
>
>
> With respect, long_sam
>
>
> On Monday, 15 April 2024 at 08:45:20 PM [GMT+8], long_sam.tw via Koha-devel <
> koha-devel at lists.koha-community.org> wrote:
>
>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : https://www.koha-community.org/
> git : https://git.koha-community.org/
> bugs : https://bugs.koha-community.org/
> Hi, David
>
> I found the AWS SAML SSO logout example.
>
> SAML sign-out flow - Amazon Cognito
> <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-sign-out.html>
>
> SAML SSO logout IDP, security issues.
>
>
> When logging out of a SAML SSO IDP (Identity Provider), there are several
> security considerations to keep in mind:
>
> 1. Single Logout (SLO) Support: Ensure that your IDP supports Single
> Logout functionality, which logs the user out from all related Service
> Providers (SPs) when they log out from one, maintaining session consistency
> and security.
>
> 2. Logout Request Validation: When the IDP receives a logout request from
> an SP, it must validate the request to prevent malicious requests or
> Cross-Site Request Forgery (CSRF) attacks. Validation can be achieved
> through digital signatures or other secure mechanisms.
>
> 3. Security of Callback URLs: Ensure that the callback URLs used during
> logout are secure, avoiding the use of vulnerable or unauthorized URLs.
>
> 4. Session Management: Ensure that the IDP correctly terminates relevant
> sessions and clears user authentication information and session data upon
> logout to prevent session hijacking or replay attacks.
>
> 5. Security Event Monitoring: Establish monitoring mechanisms for logout
> operations and related session management events to promptly detect
> abnormal behavior or security incidents and take necessary response
> measures.
>
> 6. Security Auditing and Logging: Conduct thorough auditing and logging of
> logout operations and related security events to facilitate audit
> investigations or security incident tracing when needed.
>
> 7. Integration with Other Security Mechanisms: Integrate the logout
> functionality of SAML SSO with other security mechanisms such as
> Multi-Factor Authentication (MFA), Access Control Lists (ACLs), etc., to
> enhance the overall security of the system.
>
> 8. Regular Security Assessments: Conduct regular security assessments and
> vulnerability scans of the SAML SSO logout process, and promptly address
> any identified security issues to ensure the security and stability of the
> system.
>
> In summary, logging out of a SAML SSO IDP requires attention to ensuring
> Single Logout support, secure logout request validation, security of
> callback URLs, proper session management, security event monitoring and
> response, auditing and logging, integration with other security mechanisms,
> and regular security assessments and vulnerability fixes.
>
> With respect, long_sam
> On Monday, 15 April 2024 at 03:11:14 PM [GMT+8], David Cook via Koha-devel <
> koha-devel at lists.koha-community.org> wrote:
>
>
> Part of the reason is that it’s considerably more complicated and
> error-prone.
>
> If you log in using Google OpenID Connect, the self-checkout browser will
> retain your Google user session beyond your Koha self-checkout user
> session. Also, when Koha goes back to Google to authenticate someone else,
> it will auto-detect that you’re still logged in, and use your account
> instead.
>
> In theory, we could do a back channel logout against Google (or whatever
> other OpenID Connect identity provider), but if that failed to run for
> whatever reason you’re risking someone else at a public terminal accessing
> your personal Google account.
>
> SAML doesn’t even have options for back channel logout, which makes it not
> an option at all.
>
> If someone can think of a really good way of making this work, I’d be
> happy to discuss it further, but I can’t think of a safe way to do this on
> a public terminal at the moment.
>
> David Cook
>
> Senior Software Engineer
>
> Prosentient Systems
>
> Suite 7.03
>
> 6a Glen St
>
> Milsons Point NSW 2061
>
> Australia
>
> Office: 02 9212 0899
>
> Online: 02 8005 0595
>
> *From:* Koha-devel <koha-devel-bounces at lists.koha-community.org> *On
> Behalf Of *Katrin Fischer via Koha-devel
> *Sent:* Monday, 15 April 2024 6:29 AM
> *To:* koha-devel at lists.koha-community.org
> *Subject:* Re: [Koha-devel] SelfCheckoutByLogin
>
> Hi,
>
> I think there is probably no specific reason, it's just not been developed
> yet.
>
> As a next step you could search Bugzilla (
> https://bugs.koha-community.org/bugzilla3/) for any related bugs. If
> there is no existing report yet, you could file a new enhancement request.
>
> Hope this helps,
>
> Katrin
>
> On 12.04.24 23:49, long_sam.tw via Koha-devel wrote:
>
> Hi, all
>
> Koha SelfCheckoutByLogin
>
> https://koha-community.org/manual/latest/en/html/circulationpreferences.html#selfcheckoutbylogin
>
> I found that only local account authentication and cardnumber are
> supported; other authentication methods, such as Google OpenID OAuth2,
> are not supported.
>
> Can anyone explain the reason?
>
> With respect, long_sam
>
>
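The hazard David describes above is that the identity provider's browser session outlives the Koha self-checkout session, so the next person at the terminal is silently signed in as the previous user. The following is an added example, not Koha code and not a solution the thread endorses: a relying party asks the OpenID Connect provider for a fresh login (`prompt=login`, `max_age`) and then checks the `auth_time` claim of the returned ID token, rejecting tokens that were minted from a pre-existing IdP session. The endpoint, client id, redirect URI and the claims dict are constructed placeholders; signature verification of the ID token is assumed to have already happened.

```python
"""Added example (not Koha's code): require a fresh IdP authentication for a
shared self-checkout terminal and detect reuse of an old IdP browser session.

Assumptions (constructed for this example): a generic OpenID Connect provider;
'claims' is the already signature-verified ID-token payload; all identifiers
below are placeholders, not Koha's or Google's real values.
"""
import time
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://idp.example/authorize"   # placeholder
CLIENT_ID = "example-self-checkout-client"              # placeholder
REDIRECT_URI = "https://sco.example/callback"          # placeholder

# Maximum age, in seconds, of an IdP login accepted on a public terminal.
# max_age=0 means "the user must authenticate right now".
KIOSK_MAX_AGE = 0


def build_authorization_url(state, nonce, max_age=KIOSK_MAX_AGE):
    """Build the authorization request for one checkout session.

    prompt=login asks the IdP to prompt for credentials even when a browser
    session already exists; max_age obliges it to include auth_time in the ID
    token and to re-authenticate if the existing login is older than max_age.
    state and nonce bind the response to this particular browser session.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
        "max_age": str(max_age),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def check_fresh_login(claims, expected_nonce, max_age=KIOSK_MAX_AGE,
                      now=None, skew=5):
    """Accept an ID token only if the IdP authenticated the user just now.

    Returns (ok, reason). A token whose auth_time predates this checkout by
    more than max_age (+ clock skew) was minted from a leftover IdP session,
    which is exactly the shared-terminal failure mode to refuse.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token not issued for this session"
    auth_time = claims.get("auth_time")
    if auth_time is None:
        # auth_time is REQUIRED in the ID token when max_age was requested.
        return False, "auth_time missing although max_age was requested"
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time is not numeric"
    age = now - auth_time
    if age < -skew:
        return False, "auth_time is in the future"
    if age > max_age + skew:
        return False, f"login is {int(age)}s old, exceeds max_age={max_age}"
    return True, "fresh authentication"


if __name__ == "__main__":
    print(build_authorization_url(state="s-123", nonce="n-456"))
    stale = {"nonce": "n-456", "auth_time": 1_700_000_000}
    print(check_fresh_login(stale, "n-456", now=1_700_003_600))
```

This only makes the relying party refuse a recycled IdP login; it does nothing about the IdP cookie still sitting in the kiosk browser, which is the residual risk David points out. A kiosk deployment would still need to clear browser state between patrons (or drive an RP-initiated logout at the provider) before the approach could be considered safe.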