dacs_signout

DACS_SIGNOUT(8)             DACS Web Services Manual             DACS_SIGNOUT(8)



NAME
       dacs_signout - DACS signout service

SYNOPSIS
       dacs_signout [dacsoptions[1]]

DESCRIPTION
       This web service is part of the DACS suite.

       The dacs_signout web service is invoked from a web browser to cause one
       or more sets of DACS credentials for the current federation[2], stored as
       HTTP cookies, to be removed from the browser. This is done by replacing
       one or more existing cookies with cookies that have expired. The effect
       is that the user agent signs out (logs off) identities previously
       obtained through dacs_authenticate(8)[3] or any other DACS authentication
       method. A DACS-enabled portal will typically provide users with a link or
       web page form to invoke this service.

       By default, all credentials are removed, but credentials can be selected
       for deletion based on a particular username (who the user was
       authenticated as) or a particular jurisdiction (the jurisdiction that
       performed that authentication).

       Should copies of the selected credentials exist outside of the browser,
       they may still be valid; only the browser's copies are destroyed.

       The SIGNOUT_HANDLER[4] directive can optionally be used to specify where
       the user should be redirected before this service terminates, provided
       HTML output is being produced (i.e., the FORMAT does not select a variety
       of XML output or JSON output). If XML output is selected, a document
       conforming to dacs_current_credentials.dtd[5] is returned. If JSON output
       is selected, a document conforming to dacs_current_credentials.rnc[6] is
       returned.

       Explicitly signing off using this web service is generally unnecessary
       because DACS credentials will either become invalid when their lifetime
       is reached (see AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS[7]) or will be
       automatically deleted when the user's browser session terminates (or a
       session with a trusted servlet ends). A user can also sign off by
       deleting his browser's DACS cookies. Middleware can simply discard
       cookies.

       As DACS credentials are relative to a particular federation of DACS
       servers, only those credentials that are associated with the federation
       of the DACS server that receives the service request will be affected by
       this service. This implies that a user who wants to explicitly sign out
       must do so for each federation in which he or she is currently
       authenticated.

   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_signout understands
       the following CGI arguments:

       DACS_USERNAME
           If present, all credentials associated with this username will be
           deleted. If not provided, the username in the credentials is
           immaterial.

       DACS_JURISDICTION
           If present, all credentials associated with this jurisdiction (given
           as its JURISDICTION_NAME[9]) will be deleted. If not provided, the
           jurisdiction in the credentials is immaterial.

       DACS_SIGNOUT_HANDLER
           If permitted by the SIGNOUT_HANDLER[4] directive and HTML output has
           been selected, redirect the user's browser to the URL specified by
           this parameter, which may contain a properly escaped query string.
           Whether the GET method is used depends on the context of the original
           request (and keep in mind that GET parameters may be visible and
           logged). This URL is not validated by DACS. When not explicitly
           permitted by the SIGNOUT_HANDLER[4] directive, this parameter is
           ignored.

       COOKIE_SYNTAX
           This optional parameter is as described for the
           dacs_authenticate(8)[3] service.

       The optional parameters are used to delete only those credentials that
       match a particular username or jurisdiction (or both). If neither
       parameter is specified in the service request, all DACS cookies
       associated with the federation that receives the service request will be
       deleted.

       The name matching method can be configured through the NAME_COMPARE[10]
       directive.

           Note
           DACS does not currently provide an inactivity timeout feature, but it
           may appear in a future release. One way to add it would be to take
           advantage of the user tracking[11] capability, which can record all
           of a user's requests for DACS-wrapped services within a federation.
           By simply comparing the current time with the time stamp of the
           user's last service request, the user's idle time can be determined.
           If the idle time exceeds a configured maximum, dacs_acs(8)[12] would
           consider the user's credentials to be invalid (effectively expired)
           and take appropriate action. A straightforward implementation would
           be a relatively simple enhancement to DACS; its main drawback, for
           those that enable it, is the extra performance hit incurred from user
           tracking and having to compute idle time during access control
           processing - the significance of this cost will depend on your
           platforms, the configuration of your federation, and user activity
           patterns.
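
       The idle-time comparison described in the note above, as an added
       example (not DACS code and not a DACS feature). The record layout, the
       function names and the 15-minute maximum are assumptions made for the
       example.

```python
from datetime import datetime, timedelta, timezone

# Constructed tracking records: "<UTC time> <identity> <requested path>".
# The layout is invented for this example; it is not DACS's tracking format.
RECORDS = [
    "2019-02-19T10:00:05Z EXAMPLE::FEDROOT:bobo /private/a.html",
    "2019-02-19T10:14:40Z EXAMPLE::DSS:alice /private/report.html",
    "2019-02-19T10:02:10Z EXAMPLE::FEDROOT:bobo /private/b.html",
    "2019-02-19T09:58:00Z EXAMPLE::FEDROOT:bobo /private/c.html",  # out of order
]

def parse_time(stamp):
    """Parse a UTC timestamp of the form used in RECORDS."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def last_requests(records):
    """Return {identity: time of the most recent tracked request}."""
    latest = {}
    for line in records:
        stamp, identity, _path = line.split(maxsplit=2)
        when = parse_time(stamp)
        if identity not in latest or when > latest[identity]:
            latest[identity] = when
    return latest

def idle_expired(identity, issued, now, latest, max_idle):
    """True if the identity's credentials should be treated as expired.

    Idle time runs from the last tracked request, or from the time the
    credentials were issued when that is later or no request was tracked.
    """
    baseline = max(latest.get(identity, issued), issued)
    return now - baseline > max_idle

MAX_IDLE = timedelta(minutes=15)  # hypothetical configured maximum

if __name__ == "__main__":
    now = parse_time("2019-02-19T10:20:00Z")
    issued = parse_time("2019-02-19T09:50:00Z")
    seen = last_requests(RECORDS)
    for who in ("EXAMPLE::FEDROOT:bobo", "EXAMPLE::DSS:alice"):
        print(who, "expired" if idle_expired(who, issued, now, seen, MAX_IDLE) else "active")
```

       Measuring from the later of the issue time and the last request keeps
       a user who has just re-authenticated from being rejected because of an
       older tracking record.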

EXAMPLES
       To sign out from all identities in the EXAMPLE federation, a user would
       simply invoke a URL like:

           https://dss.example.com/cgi-bin/dacs/dacs_signout

       To sign out only from the identity EXAMPLE::FEDROOT:bobo, a URL like the
       following might be invoked:

           https://fedroot.example.com/cgi-bin/dacs/dacs_signout?\
           DACS_USERNAME=bobo&DACS_JURISDICTION=FEDROOT

       To sign out from only those identities in the EXAMPLE federation having a
       username component bobo, invoke a URL like:

           https://fedroot.example.com/cgi-bin/dacs/dacs_signout?DACS_USERNAME=bobo

       This would sign off from EXAMPLE::FEDROOT:bobo and EXAMPLE::DSS:bobo, for
       instance.
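
       The selection rules behind these three URLs, as an added example (not
       DACS source code): it picks the matching credential cookies out of a
       request and emits expired replacements. The cookie-name layout
       DACS:FEDERATION::JURISDICTION:username, the exact string comparison,
       the Path=/ attribute and the function names are assumptions.

```python
import re

# Assumption: credential cookies are named DACS:FEDERATION::JURISDICTION:username.
COOKIE_NAME = re.compile(r"^DACS:([^:]+)::([^:]+):(.+)$")
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"

def dacs_identities(cookie_header):
    """Map each DACS cookie name in a Cookie header to (federation, jurisdiction, username)."""
    found = {}
    for pair in cookie_header.split(";"):
        name = pair.strip().partition("=")[0]
        match = COOKIE_NAME.match(name)
        if match:
            found[name] = match.groups()
    return found

def signout_headers(cookie_header, federation, username=None, jurisdiction=None):
    """Return Set-Cookie values that replace the selected cookies with expired ones."""
    headers = []
    for name, (fed, jur, user) in dacs_identities(cookie_header).items():
        if fed != federation:
            continue  # credentials of other federations are never affected
        if username is not None and user != username:
            continue  # exact comparison assumed; DACS uses NAME_COMPARE
        if jurisdiction is not None and jur != jurisdiction:
            continue
        # Assumption: Path=/ matches the attributes the cookie was set with.
        headers.append(f"{name}=; Expires={EXPIRED}; Max-Age=0; Path=/")
    return headers

def remaining(cookie_header, headers):
    """DACS cookie names the browser still holds after applying the headers."""
    expired = {h.partition("=")[0] for h in headers}
    return sorted(n for n in dacs_identities(cookie_header) if n not in expired)

# Constructed Cookie header: three EXAMPLE identities, one from another federation.
SAMPLE = ("DACS:EXAMPLE::FEDROOT:bobo=c1; DACS:EXAMPLE::DSS:bobo=c2; "
          "DACS:EXAMPLE::DSS:alice=c3; DACS:OTHER::HQ:bobo=c4; theme=dark")

if __name__ == "__main__":
    for args in ({}, {"username": "bobo"}, {"username": "bobo", "jurisdiction": "FEDROOT"}):
        print(args, "->", remaining(SAMPLE, signout_headers(SAMPLE, "EXAMPLE", **args)))
```

       The headers change only the browser's cookie store; a cookie value
       copied elsewhere beforehand is still accepted until its lifetime ends.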

DIAGNOSTICS
       The program exits 0 if everything was fine, 1 if an error occurred.

SEE ALSO
       dacs_authenticate(8)[3], dacs_current_credentials(8)[13],
       dacs_auth_agent(8)[14], dacs_auth_transfer(8)[15],
       dacs_select_credentials(8)[16], dacsauth(1)[17], dacscred(1)[18]

       The DACS distribution includes an example of a "log off" web page:
       html/examples/signout.html[19].

BUGS
       It might be useful for the non-HTML formats to provide configured or
       requested signout handler URLs.

AUTHOR
       Distributed Systems Software (www.dss.ca[20])

COPYING
       Copyright © 2003-2012 Distributed Systems Software. See the LICENSE[21]
       file that accompanies the distribution for licensing information.

NOTES
        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. current federation
           http://dacs.dss.ca/man/dacs.1.html#current_federation

        3. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

        4. SIGNOUT_HANDLER
           http://dacs.dss.ca/man/dacs.conf.5.html#SIGNOUT_HANDLER

        5. dacs_current_credentials.dtd
           http://dacs.dss.ca/man/../dtd-xsd/dacs_current_credentials.dtd

        6. dacs_current_credentials.rnc
           http://dacs.dss.ca/man/../dtd-xsd/dacs_current_credentials.rnc

        7. AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS
           http://dacs.dss.ca/man/dacs.conf.5.html#AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS

        8. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

        9. JURISDICTION_NAME
           http://dacs.dss.ca/man/dacs.conf.5.html#JURISDICTION_NAME

       10. NAME_COMPARE
           http://dacs.dss.ca/man/dacs.conf.5.html#NAME_COMPARE

       11. user tracking
           http://dacs.dss.ca/man/dacs.1.html#tracking_user_activity

       12. dacs_acs(8)
           http://dacs.dss.ca/man/dacs_acs.8.html

       13. dacs_current_credentials(8)
           http://dacs.dss.ca/man/dacs_current_credentials.8.html

       14. dacs_auth_agent(8)
           http://dacs.dss.ca/man/dacs_auth_agent.8.html

       15. dacs_auth_transfer(8)
           http://dacs.dss.ca/man/dacs_auth_transfer.8.html

       16. dacs_select_credentials(8)
           http://dacs.dss.ca/man/dacs_select_credentials.8.html

       17. dacsauth(1)
           http://dacs.dss.ca/man/dacsauth.1.html

       18. dacscred(1)
           http://dacs.dss.ca/man/dacscred.1.html

       19. html/examples/signout.html
           http://dacs.dss.ca/man//examples/signout.html

       20. www.dss.ca
           http://www.dss.ca

       21. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE



DACS 1.4.40                        02/19/2019                    DACS_SIGNOUT(8)