Univention Bugzilla – Bug 40555
After UMC logout SSO sessions are still valid on other UMC servers
Last modified: 2021-02-11 17:58:29 CET
Logging out of one UMC with an SSO session does not invalidate sessions on other UCS UMC servers.

To reproduce, from Bug #39815:

- Login to http://master/umc -> single sign-on on
- Switch to backup from UMC dropdown on master
- Logout on Backup -> redirect to master and backup (for logout)
- Enter http://master/umc in browser -> Get a valid UMC Session! Users can be created!

By using SSO I expect to be able to use the 'service' UMC: within the SSO session I can switch to UMCs of different servers, but I am still using the service UMC. If I logout at one endpoint, I expect that every UMC is not accessible for me anymore.

Think of another example: If I log into googlemail I can switch to the calendar, use google drive, docs, etc... If I logout at any of these services I cannot use the others unless I login again. I do not want to logout at every specific service I used.

Counter argument from Bug #39815:

No, these are 2 kinds of sessions. You are not anymore logged in at the IDP. But if you logout at the SP-UMC-1 then I wouldn't logout/destroy the running session at SP-UMC-2. If this would be done and one currently installs e.g. an app on SP-UMC-1 the AppCenter module process would be killed resulting in a maybe broken package state. Therefore I won't change this. The session will be destroyed after the session-timeout of 10 minutes.
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.