142: WHAT HAS CHANGED WITH MYMAIL LOGIN AND LOGOUT?
Logging in and out of MyMail changed somewhat in March 2015. This FAQ document gives some technical detail about what happened and why the new system is better.
In short, ITS has migrated the authentication protocol used for MyMail from Google’s proprietary web-page login/logout mechanism to an industry standard protocol known as “Shibboleth.”
Shibboleth is the preferred authentication solution in this case because with it your password is never sent to Google and is thus more private. After you have authenticated through the school’s Shibboleth Identity Provider (IDP), as you might when successfully logging into the MyMail website (http://mymail.mines.edu) today, the IDP server gives your browser a “token” (different from your password) that can be used by Google to confirm your identity. Google then asks the school servers whether you have been given access to MyMail. If you have, you will now be logged into MyMail via your Shibboleth token. All this happens without Google ever getting your password or information like your security questions.
The token created by the school’s system lasts for 16 hours. As long as you have that token — as long as the browser you used originally to sign in is still open — you can access any Shibboleth-connected service you are authorized to use without logging on again. For the end user this provides a convenient single sign-on for multiple services. For example, once you have logged into MyMail or OrgSync, you should be able to view the other service in the same browser without needing to re-enter your password. Over time, ITS will be adding Shibboleth capabilities to a number of other campus services available over the web.
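The flow described above, reduced to a runnable model (an added example, not Mines ITS or Shibboleth code): the IdP checks the password locally and issues a signed token with a 16-hour expiry, the service verifies only the token and then asks the IdP whether the user is entitled to that service. The user records, entitlements, key and HMAC-over-JSON format are constructed stand-ins for the SAML assertions a real Shibboleth IdP signs.

```python
import hmac, hashlib, json, base64

# Constructed model of the login flow in the FAQ; real Shibboleth uses
# signed SAML assertions, this uses an HMAC over a small JSON body.
TOKEN_LIFETIME = 16 * 3600              # 16 hours, as the FAQ states
IDP_KEY = b"constructed-idp-secret"     # assumed shared secret for this toy

# Constructed IdP user database: password hashes live only at the IdP.
IDP_USERS = {"jdoe": hashlib.sha256(b"correct horse").hexdigest()}
# Constructed entitlements: which services each user may use.
ENTITLEMENTS = {"jdoe": {"mymail", "orgsync"}}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def idp_login(username, password, now):
    """IdP step: verify the password here and hand back a signed token."""
    if IDP_USERS.get(username) != hashlib.sha256(password.encode()).hexdigest():
        return None
    body = json.dumps({"sub": username, "exp": now + TOKEN_LIFETIME}).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def verify_token(token, now):
    """Service step: check signature and expiry; return username or None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if now >= claims["exp"]:        # token older than 16 hours: log in again
        return None
    return claims["sub"]

def idp_is_authorized(username, service):
    """The 'Google asks the school' step: entitlement lookup at the IdP."""
    return service in ENTITLEMENTS.get(username, set())

def service_request(service, token, now):
    """A service such as MyMail decides from the token alone, never a password."""
    user = verify_token(token, now)
    if user is None:
        return "redirect-to-idp"
    if not idp_is_authorized(user, service):
        return "forbidden"
    return f"ok:{user}"
```

The same token is accepted by both services, which is the single sign-on the FAQ describes; once it expires, or if the body is altered, the service sends the browser back to the IdP.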
But why can’t you now log out of MyMail? There doesn’t seem to be an easy way to end your login session. From one perspective, there is no logout function for MyMail because there is no longer a login function. You are logging into the school’s Shibboleth system and then each time you view a page at MyMail, OrgSync, or any other applicable website it is checked against your Shibboleth token.
As some have noticed, there is a potential downside to this system: anyone with access to your token can interact with your MyMail, OrgSync or other Shibboleth-supported web resources as if they were you. But as long as you don’t share your computer account with anyone, this should not be an issue, as the token is stored in the personal area of your web browser and is generally not available to others.
For public computer labs and the like, as long as you fully quit your browser and log out when you are done using the computer, you are safe. Quitting the web browser or logging out of the system entirely will end your session and destroy your token. Think of “quitting your browser completely” (or logging out of the computer completely) as the functional equivalent of “logging out” of MyMail or other Shibboleth services.
ITS is working on replacing the page that Google sends you to when you click “logout” to make all this more evident.
“Quitting” vs “Closing” Your Browser: Simply closing all browser windows in Windows or Linux will quit your browser session and destroy your token, but other operating systems work somewhat differently. Apple MacOS, Apple iOS, and Google Android users beware: These operating systems all tend to hold app settings in memory, even when you have apparently closed a program. This allows these apps to restart quickly, but it means that you need to take a couple of extra steps to ensure that your browser is fully quit (not just closed) and your Shibboleth token is actually destroyed.
- In MacOS on a Mac, to fully quit a browser you must click the program name in the browser menu then select the “Quit” option. So, in Firefox for Mac click Firefox > Quit Firefox. In Chrome, the comparable commands are Chrome > Quit Google Chrome. In Safari, it’s Safari > Quit Safari. Or the key combination Command-Q will fully quit any of these browsers.
- In iOS on an iPhone or iPad, fully quit Safari (or other browser) by double-tapping the physical Home button and then swiping up on the browser you were using. That will fully remove it from memory and destroy your Shibboleth token.
- In Android, different browsers can be quit in different ways. For Firefox on Android tap the menu key, scroll down, tap “Quit.” For the built-in browser and for Opera Mini, use the Home button to close the app, then press and hold the Home button, make sure the app you want is selected, and tap the trash can next to that browser to fully quit it and destroy your token.
- Kiosk Computers: Take special care when using the convenient kiosk computers found in the library, ITS, and other campus locations. These computers require no initial login, making them good for quick web access — even for non-Mines visitors. If you use them to access Shibboleth services like MyMail, you must quit your browser completely to destroy any Shibboleth token you may have received. Failure to do so could give others access to all your Shibboleth accounts.