[ADMINCTR-478] Logout from external IdPs no longer works
Created: 14/Sep/23  Updated: 29/Sep/23  Resolved: 18/Sep/23

Status: Closed
Project: Admincentral
Component/s: None
Affects Version/s: 6.2.33
Fix Version/s: 6.3.0, 6.2.34

Type: Bug
Priority: Major
Reporter: Mikaël Geljić
Assignee: Mikaël Geljić
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
  • Cloners: is cloned by ADMINCTR-479 Logout from external IdPs no longer w... (Closed)
  • Problem/Incident: causes MGNLSSO-308 Logout no longer works - Improve inte... (Closed)
  • Dependency: depends upon MAGNOLIA-9090 Add option to trigger logout logic, p... (Closed)
  • Dependency: depends upon MAGNOLIA-9091 Add option to trigger logout logic, p... (Closed)
Template:
Acceptance criteria: Empty
Release notes required: Yes
Epic Link: SSO maintenance
Team: AdminX
Work Started:

 Description   

Since ADMINCTR-450, we invalidate the HttpSession too eagerly, thus killing other/external logout logic that happens downstream from VaadinSession destroy, such as SSOs' logout filter: we use Pac4j's SessionStore (info in the http-session) to track the web session and interaction with the IdP.

Desired behavior:

  • let a Vaadin session timeout kill itself
  • if it's the last/only Vaadin session alive within the HTTP session, trigger http session expiry
  • but do that via redirect, not via session#invalidate (not to harm SSO's session-tracking)
