.git, branch db_sessions Unnamed repository; edit this file 'description' to name the repository. Add logout to pgdb, fix name in tests 2015-05-11T22:15:51+00:00 Rob Crittenden rcritten@redhat.com 2015-05-11T22:15:51+00:00 6435068dc384cce2ed1c7456c3aba694e1bb2138 Add a logout to the postgres test to ensure that sessions are updated properly on logout. Fix the name in the tests, it was test1. Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Add a logout to the postgres test to ensure that sessions are
updated properly on logout.

Fix the name in the tests, it was test1.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Use plugin-specific configuration, better expiration 2015-05-11T22:14:42+00:00 Rob Crittenden rcritten@redhat.com 2015-05-11T22:14:42+00:00 551456691bcca369308cc8580705f1baa258f9fe Use a SAML2 plugin specific option to specify the database uri for sessions. Use a much more robust method to find sessions that need expiration (thanks Patrick). https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Use a SAML2 plugin specific option to specify the database uri
for sessions.

Use a much more robust method to find sessions that need
expiration (thanks Patrick).

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Remove expired SAML2 sessions 2015-05-11T20:47:24+00:00 Rob Crittenden rcritten@redhat.com 2015-04-20T20:44:41+00:00 d169919a1ff5a7668c8bb23a45b59011a91132e1 Run a cherrypy background task to sift through the sessions database and find expired entries and remove them. From my testing if a previous execution of the background task is still executing when the next one is scheduled to run, it will skip it. In other words, you can't end up with multiple expirations running at the same time. Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Run a cherrypy background task to sift through the sessions
database and find expired entries and remove them.

From my testing if a previous execution of the background task
is still executing when the next one is scheduled to run, it will
skip it. In other words, you can't end up with multiple expirations
running at the same time.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Update IdP-initiated logout to use SAML2 Store 2015-05-11T20:47:22+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:44:04+00:00 acc8954e5812fa65040192e92170b05beada359f This moves the order in which the "fake" session is created and it gives it a unique ID rather than using a fixed value. Rely on the LogoutRequest request ID so we can get the order of logout correct. The basic idea is a logout request is created for the IdP containing the URL of the IdP itself as the RelayState. A session is picked and a LogoutRequest generated and sent. There will be a LogoutRequest/LogoutResponse back and forth until there are no more sessions to log out. The last session will be this "fake" session that started it all and the user will be redirected to the main page of the IdP. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
This moves the order in which the "fake" session is created and
it gives it a unique ID rather than using a fixed value.

Rely on the LogoutRequest request ID so we can get the
order of logout correct.

The basic idea is a logout request is created for the IdP
containing the URL of the IdP itself as the RelayState. A
session is picked and a LogoutRequest generated and sent.

There will be a LogoutRequest/LogoutResponse back and forth
until there are no more sessions to log out. The last
session will be this "fake" session that started it all
and the user will be redirected to the main page of the IdP.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Convert logout code to use SAML2 Store 2015-05-11T20:46:49+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:40:30+00:00 0d953410a7bfe4dec208eb9b9b709139ce652ab7 This is functionally the same. The primary differences are: - When logging out, fetch all requested session indexes in the LogoutRequest. - Store the LogoutRequest request ID to be used later when a LogoutResponse is received to look up the logout. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
This is functionally the same. The primary differences are:

- When logging out, fetch all requested session indexes in the
  LogoutRequest.
- Store the LogoutRequest request ID to be used later when a
  LogoutResponse is received to look up the logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Create a SAML2 session during login 2015-05-11T20:46:46+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:38:14+00:00 83eaba272f07960189c71467ac8d774181e4d2d5 Use the updated session API to create a SAML2 session. Note that each session is stored discretely. Previously if a session for a provider already existed then that one session held all the session indexes. Now if a new session comes in it is added separately. During logout all sessions for a provider are retrieved and all logged-in sessions sent to the SP to log out. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Use the updated session API to create a SAML2 session.
Note that each session is stored discretely. Previously if
a session for a provider already existed then that one session
held all the session indexes. Now if a new session comes in
it is added separately. During logout all sessions for a provider
are retrieved and all logged-in sessions sent to the SP to
log out.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Change SAML2 sessions backend to use Store API 2015-05-11T20:45:53+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:35:25+00:00 2408ee947ef6dbb62022afc4d488e665d6726411 The basic session API remains the same, just replace the calls to pull data out of the user session to instead pull from the database. The per-session logout state is now a constant rather than being a member of either the logged_in or logging_out dictionaries. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
The basic session API remains the same, just replace
the calls to pull data out of the user session to
instead pull from the database.

The per-session logout state is now a constant rather than
being a member of either the logged_in or logging_out
dictionaries.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Configure the SAML2 session database during installation 2015-05-11T20:45:53+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:34:41+00:00 6c7e6f614cc41b49575069dc543441f3982abcb3 https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Add support for storing SAML2 sessions 2015-05-11T20:45:53+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:30:31+00:00 9145bdded79662865763c744a1de66131675f1ad Store SAML2 session information in a table rather than with the user entry so sessions can be persisted past IdP restarts and if the user accesses the system via multiple browsers SLO will log out all sessions, not just the user session that initiated the logout. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Store SAML2 session information in a table rather than with the
user entry so sessions can be persisted past IdP restarts and if
the user accesses the system via multiple browsers SLO will log
out all sessions, not just the user session that initiated the
logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Add uninstallation support to infosssd 2015-05-08T20:35:20+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-05-08T16:30:02+00:00 d6f7323943c0e7afc26f700d05831d294119a1d1 This should make it revert any changes it made during installation. https://fedorahosted.org/ipsilon/ticket/67 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This should make it revert any changes it made during
installation.

https://fedorahosted.org/ipsilon/ticket/67

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>