User is automatically logged back in if he has a valid Kerberos ticket.
The reason is that after showing the login form, the whole UI is reloaded in order to forget everything in the app memory. It then behaves as normal access and SSO kicks in.
IPA had a logout page but it was removed in ff17af1. One reason was that PatternFly says that when a session expires, user should be presented with a login page. As we see, with SSO, the behavior is a little bit different and unexpected.
Proposal: After log out, user should be still presented with a login page, but the page should not issue ipa/session/login_kerberos call.
Related thread: https://www.redhat.com/archives/freeipa-users/2015-April/msg00607.html
Duplicate ticket: #5010
Replying to [ticket:5008 pvoborni]:
On the other hand, that login page needs to have a visible way to explicitly retry the Kerberos-based authentication if the user wishes to do so.
In fact, for example in Foreman, a logout page is shown with just one big "Log back in" button which will lead to Kerberos-based authentication and fallback to logon (form-based) page if Kerberos fails.
The login page has this help text:
To login with username and password, enter them in the corresponding fields, then click Login. To login with Kerberos, please make sure you have valid tickets (obtainable via kinit) and configured the browser correctly, then click Login.
I.e., user can just click login or press enter to log back in with Kerberos. IMHO it's enough.
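An added example, not part of the ticket and not FreeIPA code: a small model of the flow discussed above, comparing the reported behavior with the proposal (no `ipa/session/login_kerberos` call on the reload after logout, Kerberos retried only when the user clicks Login). The `explicit_logout` marker, the sessionStorage-like store, the password endpoint name and the stand-in server are assumptions made for illustration.

```javascript
// Hypothetical model of the Web UI login flow (illustration only).
const KERBEROS_URL = 'ipa/session/login_kerberos'; // endpoint named in the ticket
const PASSWORD_URL = 'ipa/session/login_password'; // assumed name for form login

// Constructed stand-in for the server: Kerberos succeeds if the browser holds a ticket.
function makeServer(hasTicket) {
  const calls = [];
  return {
    calls,
    post(url, body) {
      calls.push(url);
      if (url === KERBEROS_URL) return hasTicket;
      return Boolean(body && body.user && body.password === 'constructed-password');
    },
  };
}

// storage models sessionStorage: it survives the full UI reload done on logout.
function makeClient(server, storage, suppressSsoAfterLogout) {
  const client = {
    loggedIn: false,
    // Runs on every page load, including the reload that follows logout.
    load() {
      const loggedOut = storage.get('explicit_logout') === '1';
      if (suppressSsoAfterLogout && loggedOut) return 'login-form';
      client.loggedIn = server.post(KERBEROS_URL);
      return client.loggedIn ? 'app' : 'login-form';
    },
    logout() {
      client.loggedIn = false;
      storage.set('explicit_logout', '1');
      return client.load(); // models the reload that clears in-memory state
    },
    // Login button: empty fields mean an explicit Kerberos retry, per the help text.
    submit(user, password) {
      const url = user ? PASSWORD_URL : KERBEROS_URL;
      client.loggedIn = server.post(url, { user, password });
      if (client.loggedIn) storage.delete('explicit_logout');
      return client.loggedIn ? 'app' : 'login-form';
    },
  };
  return client;
}

// Walk one user with a valid ticket through load, logout and an explicit retry.
function scenario(suppress) {
  const server = makeServer(true);
  const client = makeClient(server, new Map(), suppress);
  const first = client.load();
  const before = server.calls.length;
  const afterLogout = client.logout();
  const ssoCallsOnLogout = server.calls.length - before;
  return { first, afterLogout, ssoCallsOnLogout, retry: client.submit('', '') };
}
```

`scenario(false)` reproduces the report (logout lands straight back in the app), while `scenario(true)` stays on the login form until Login is clicked.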
master:
Metadata Update from @pvoborni: - Issue assigned to pvoborni - Issue set to the milestone: FreeIPA 4.2