Reworking SLO

Reworking Logout

A few times

This week there were a few small PRs that I landed for our opensource project Starchart / My.Custom.Domain worth mentioning:

• 343 Which took out the SLO portion of our app in favor of just ending the session with Starchart
• 356 Which is a small change because the groups claim can come back as either an array or a string which was not something we were aware of and this fixes that. This is pretty important now as we're rolling things out into staging and need to give everyone the opportunity to log in but the change is small.
• 385 A version bump for the app to match the release notes for 0.6

TD and I also reviewed and merged a first time commiters PR for a simple typo here: 378.

I also gave a presentation on Wednesday about how my SAML code works, what the IDP and SP are, how their metadata is configured, the important parts of the configuration (the certificate, signature, claims and the assertion consumer service bindings) and how to follow along with the key requests in the SAML flow that have to do with what we send and what we receive at our callback.

The rest of the week's efforts on Starchart were spent on adding Single Logout back into the program and I have done it a few ways now.

The first time I gave the user a page with two buttons that were choices to either logout of Starchart or logout of all Seneca services, the review on the initial PR was that the session should automatically be destroyed and then the choice should be given to SLO. I decided to put my logout page under index because I wanted the pretty header to render with my buttons, this caused some problems here because destroying the session meant we had no user information any longer which meant the header could not render display name and if the user would choose to SLO we had no idea which user to SLO.

My first solution to get around this was to use global variables to keep track of the user that logged out while they were making their decision. It was later brought to my attention that globals won't work because they can't keep track of multiple clients usernames so I changed it to use cookies instead.

I added a redirect to the function that destroys the session and added a cookie for it to return with the username, in this way we can redirect to the logout page again and the loader can check for that cookie and use it as the value to send to the SLO request when the button's pressed and the post sets off the action to create the SLO request.

I made the username in the header optional although I think following recent discussions I will just move the logout page so it will not have the header since that improves clarity.

The PR discussed above is here: 366

David and I also tried out staging a bit and each created an a record that works to redirect to an EC2 instance he stood up.