When logged in via Keycloak / SAML to the Univention portal, a session is created as follows:

    GET http://ucs5primary.univention.intranet/univention/get/session-info
    {"status": 200, "result": {"username": "Administrator", "auth_type": "SAML", "remaining": 102}}

"remaining" tells how many seconds are left until the session expires and no further requests are possible. According to the documentation, this should be configurable via the following UCR variable:

    $ ucr search umc/http/session/timeout
    umc/http/session/timeout: 28800
     After this time period in seconds the browser session is automatically closed and a renewed login is required.

Nevertheless, when using Keycloak for the login this seemingly has no effect but is overwritten by the "Assertion Lifespan" in the Keycloak admin dashboard -> ucs realm -> Clients -> https://${SERVER_FQDN?}/univention/saml/metadata -> Advanced -> Advanced settings.

This is an issue, as https://${SSO_FQDN}/ still has a cookie. If clients now click on "logout" in the hamburger menu, for instance, the following code will be executed (notes included):

    def get(self, **kwargs):
        […]
        if session.saml is not None:
            # SHOULD be executed, as the session was SAML and a logout at the Keycloak / SSO interface is required
            return self.redirect('/univention/saml/logout', status=303)
        # SHOULD *NOT* be executed, as it only deletes the session on the UMC side, not in Keycloak
        self.expire_session()
        self.redirect(ucr.get('umc/logout/location') or '/univention/', status=303)

https://github.com/univention/univention-corporate-server/blob/5.0-8/management/univention-management-console/src/univention/management/console/resources.py#L391-L399

This causes users to "think" they are logged out, although a simple click on "Login (SSO)" will prove them wrong. If the user was logged in using SAML, we should ensure that a logout in the portal terminates SSO sessions, even if the UMC session is already expired.
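Added example, not code from this report or from UCS: a small Python model of the logout decision quoted above, showing why an expired UMC session falls through to the local-only logout, next to one assumed fix that remembers the auth type in a marker written at login. The cookie name UMC-AUTH-TYPE, the modelling of an expired UMC session as `session is None`, and the sample values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

SAML_LOGOUT = "/univention/saml/logout"   # path from the quoted handler
LOCAL_LOGOUT = "/univention/"             # fallback from the quoted handler


@dataclass
class Session:
    saml: Optional[dict]   # SAML assertion data; None for a non-SAML login
    remaining: int         # seconds left, as "remaining" in get/session-info


@dataclass
class LogoutHandler:
    # Assumption: once umc/saml/assertion-lifetime has elapsed, UMC no longer
    # holds a Session object, so `session` is None and session.saml is lost.
    session: Optional[Session]
    cookies: dict = field(default_factory=dict)  # browser cookies UMC can read
    umc_session_expired: bool = False

    def expire_session(self) -> None:
        self.umc_session_expired = True  # only drops the UMC-side session

    def logout_original(self) -> str:
        # Same decision as the quoted resources.py excerpt: the SAML single
        # logout is only reached while the UMC session is still alive.
        if self.session is not None and self.session.saml is not None:
            return SAML_LOGOUT
        self.expire_session()
        return LOCAL_LOGOUT

    def logout_hardened(self) -> str:
        # Assumed fix: consult a marker written at login time that outlives
        # the UMC session, so an expired UMC session still ends the SSO one.
        was_saml = (self.session is not None and self.session.saml is not None) \
            or self.cookies.get("UMC-AUTH-TYPE") == "SAML"
        self.expire_session()
        return SAML_LOGOUT if was_saml else LOCAL_LOGOUT


def logout_target(auth_type: str, umc_expired: bool, fixed: bool) -> str:
    """Redirect target for a 'logout' click under one constructed scenario."""
    session = None if umc_expired else Session(
        saml={"name_id": "Administrator"} if auth_type == "SAML" else None,
        remaining=102)
    cookies = {"UMC-AUTH-TYPE": auth_type}  # constructed; set at login in the fix
    handler = LogoutHandler(session=session, cookies=cookies)
    return handler.logout_hardened() if fixed else handler.logout_original()
```

With the original logic, `logout_target("SAML", umc_expired=True, fixed=False)` returns the local-only target, which is the state described in the report where the SSO cookie survives.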
umc/http/session/timeout is only for the session length of non-SAML logins. For SAML logins there is umc/saml/assertion-lifetime. It used to be configured directly in Keycloak when changing the UCR variable, but seems to have been removed since git:25c8326742a865851b8b59b3685b814dfe14e16b - so I don't know how to activate it - maybe just re-executing the UMC web server joinscript.
This does not change anything about non-closed sessions, which is an issue especially for public workspaces. As discussed -> reopen
I re-tested this in three different configurations:

* umc/saml/assertion-lifetime (UCS) higher than saml.assertion.lifespan (Keycloak): let the Keycloak assertion-lifetime expire while the UMC lifetime was still valid, then logged out in the portal.
* umc/saml/assertion-lifetime (UCS) lower than saml.assertion.lifespan (Keycloak): let the UMC assertion-lifetime expire while the Keycloak lifetime was still valid, then logged out in the portal.
* umc/saml/assertion-lifetime (UCS) identical to saml.assertion.lifespan (Keycloak): let both lifetimes expire at the same time, then logged out in the portal.

In all cases, I was able to log out from the portal, landed on the start page, and had to manually click the login tile. However, in cases 1 and 3 (when the Keycloak assertion-lifetime had expired), I did not need to re-enter credentials. This is a real problem for public workspaces.
The following workaround/fix/hack has proven successful: https://help.univention.com/t/24530