SSO & LDAP - basic questions and thoughts

Hello everyone,

I have a conceptual question about SSO and LDAP. In itself, this is a really great system. I log in to YNH once and then immediately have my Nextcloud, my mail, etc. at the click of a button, without having to re-enter my login details every time and without having to register with each app individually. Great! I’m really thrilled.

However, my enthusiasm soon waned when I realised that SSO & LDAP are not implemented by every app, that this is not a simple technology, and that it can lead to real security problems. For example, when you log out of YNH, you are not automatically logged out of Nextcloud.

As long as I’m on my own computer, which ONLY I can access, none of this is an issue. I’m logged in there anyway and don’t want to log out. I want to have quick access to my apps.

The problem arises when users primarily work on shared computers without centralised user administration, as is the case in Internet cafés, for example, or at school, in a youth club, or at work without a real IT department. I can vividly imagine situations in which you are still busy in various YNH apps and then suddenly your mate, colleague or boss calls you to leave quickly. In a hurry, you just log out of YNH, forget to close a hidden browser window and dash off. The next user then suddenly has free access to other people’s data.

How do you deal with this if this scenario is more likely to prevail among users? And what if there are various apps in my YNH system that do not support SSO and LDAP at all and therefore require their own registration and login anyway?

Do you then leave out SSO and LDAP and deliberately manage all the apps individually, so that the user is really forced to log in to each of them individually if he needs this or that app? Then the principle is clearer and the same everywhere: register for each app and log in each time. That’s the way it is.

Then perhaps every user will be more aware that each app has to be closed individually and you have to log out. Of course, this doesn’t solve the fundamental problem of forgetting to close one or two browser windows in a hurry on such unprotected multi-user systems.

How do you deal with such situations? Do you have any thoughts or suggestions?

Best regards
Tinder
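The logout problem described in the post above, as an added example that is not part of the original thread and not YunoHost's SSOwat or Nextcloud code. It is a constructed in-memory model: a portal that issues and revokes a session, and two hypothetical apps that each mint their own app session after a first visit with a valid portal cookie. The "lazy" app afterwards checks only its own cookie, so portal logout leaves it open; the "revalidating" app re-checks the portal session on every request, so portal logout takes effect there. All class and function names are assumptions for the illustration.

```python
"""Constructed model (added example, not YunoHost/SSOwat code) of why logging
out of an SSO portal does not necessarily log you out of an app that has
already issued its own session cookie."""
import secrets


class Portal:
    """Central SSO portal: issues a portal session on login, revokes it on logout."""

    def __init__(self):
        self.sessions = {}  # portal session id -> username

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def is_valid(self, sid):
        return sid in self.sessions


class App:
    """Hypothetical app behind the portal.

    On first visit it trusts the portal cookie and creates its own app
    session. Later requests check only the app session, unless
    `revalidate` is set, in which case each request is also checked
    against the portal (the behaviour that makes portal logout effective).
    """

    def __init__(self, name, portal, revalidate=False):
        self.name = name
        self.portal = portal
        self.revalidate = revalidate
        self.sessions = {}  # app session id -> (user, portal session id)

    def first_visit(self, portal_sid):
        """Given the portal cookie, return an app session cookie, or None if the
        portal session is not valid."""
        if not self.portal.is_valid(portal_sid):
            return None
        app_sid = secrets.token_urlsafe(16)
        self.sessions[app_sid] = (self.portal.sessions[portal_sid], portal_sid)
        return app_sid

    def request(self, app_sid):
        """Return the user the app believes is acting, or None if access is denied."""
        entry = self.sessions.get(app_sid)
        if entry is None:
            return None
        user, portal_sid = entry
        if self.revalidate and not self.portal.is_valid(portal_sid):
            # Portal session is gone: drop the local session as well.
            self.sessions.pop(app_sid, None)
            return None
        return user


def demo():
    """Log in once, open two apps, log out of the portal only, then see which
    app still grants access. Returns a dict of the observed outcomes."""
    portal = Portal()
    lazy = App("lazy-app", portal)                       # checks only its own cookie
    strict = App("revalidating-app", portal, revalidate=True)

    psid = portal.login("alice")                         # constructed sample user
    lazy_cookie = lazy.first_visit(psid)
    strict_cookie = strict.first_visit(psid)

    # alice logs out of the portal but leaves a minimised tab open
    portal.logout(psid)

    return {
        "portal_valid": portal.is_valid(psid),
        "lazy_after_logout": lazy.request(lazy_cookie),      # still "alice"
        "strict_after_logout": strict.request(strict_cookie),  # None
    }


if __name__ == "__main__":
    print(demo())
```

Revalidating against the portal on every request is the simplest fix and costs one lookup per request; the alternative is for the portal to notify each app when it revokes a session (back-channel logout), which requires every app to implement the notification endpoint. Either way, an app that only ever checks its own cookie will outlive the portal logout exactly as the post describes.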

Open an incognito window in your browser, use as many tabs as you want in that window, and close it when finished. And in general, I never trust a machine that I didn’t install myself. Keyloggers are easy to get.
Use your own machine when possible.

That’s not an excuse to leave a browser open; closing a window takes less than 4 seconds and even less


Hey @jarod5001, thank you for your thoughts. Yes, these are the basic rules that apply to you and me and so many other people here, without ifs and buts. And of course, closing a window only takes a few seconds.

But the whole thing is theory, which doesn’t always make the step into practice as soon as less security-conscious and tech-savvy users are sitting at the computer or the technical environment is open, for example in a school.

If you know that a window is still open, then you can close it. No question about it. But that presupposes that you know (or can see) that a minimised window is still open.

I’ve dealt with many users who wouldn’t realise exactly THAT. And as soon as the pressure/rush is added, they are quickly overwhelmed and no longer see the simplest things for you and me.

If I want to provide apps for precisely these people in my environment, I also have to look at how these users act and adapt myself and the technology to them.

That’s where my thoughts on the subject come from.