Details
- New Feature
- Status: Closed
- TBD
- Resolution: Won't Do
- None
- None
- CP: Roadmap backlog
- 5
- Core: Platform
Description
Overview:
When SSO is configured in FOLIO and the user logs out, FOLIO should also call the logout endpoint of the SSO SAML IdP (Single Logout), so that the IdP session is ended together with the FOLIO session.
Steps to Reproduce:
- Log into a FOLIO environment where SSO is configured, for example https://folio-demo.gbv.de/, using login rick and password psych and all default options ("remember login", "ask me again if information to be provided to this service changes")
- In FOLIO go to the top right user menu and click "Log out"
- After logout the login page of the FOLIO instance opens.
- Click "Login via SSO"
Expected Results:
The SAML login page of the identity provider (IdP) opens and the user is asked to enter the credentials again.
Actual Results:
The identity provider (IdP) still holds an unexpired SSO login session and lets the user into FOLIO (and any other application that uses the same IdP) without re-entering the credentials.
Additional Information:
When SSO is configured, the IdP metadata file contains the SingleLogout URL (the SingleLogoutService endpoint) of the SSO SAML IdP. This URL should be used to generate the logout link, together with a returnTo element so that the IdP can send the browser back to FOLIO afterwards.
This issue is for adding a new log out menu entry that logs out from both FOLIO and the SSO SAML IdP.
The issue STCOR-532 is for rewording the existing log out menu entry to warn that the SSO SAML IdP session is kept.
The issue MODLOGSAML-94 is for adding an SLO (Single Log Out) endpoint on the FOLIO side (the SP), so that the SSO SAML IdP can call FOLIO at this logout endpoint when the logout is started elsewhere.
The site used for the example above https://folio-demo.gbv.de/ is configured to use this identity provider (IdP) for SSO: https://samltest.id/
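The SP-initiated half of SAML Single Logout described above (read the SingleLogoutService URL from the IdP metadata, build a LogoutRequest, send the browser there with a return-to reference), written out as an added example. This is not code from FOLIO, mod-login-saml or stripes-core; the IdP metadata, entity IDs, NameID and SessionIndex are constructed sample values, not samltest.id's. The returnTo from the description is carried here in the standard RelayState parameter (an assumption about how FOLIO would do it), and the request is left unsigned for brevity (also an assumption): Shibboleth and most other IdPs reject unsigned LogoutRequests, so a production SP must add the SigAlg and Signature query parameters. The example also handles the case the Shibboleth warning below hints at: an IdP that publishes no SLO endpoint at all, where only a local FOLIO logout is possible.

```python
"""SAML 2.0 SP-initiated Single Logout over the HTTP-Redirect binding.

Added example, not FOLIO / mod-login-saml / stripes-core code. All metadata, entity IDs,
NameID and SessionIndex values are constructed samples. The LogoutRequest is unsigned
(assumption for brevity); real IdPs normally require SigAlg + Signature on the query string.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata (sample): one SLO endpoint per binding.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SLO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed metadata (sample) of an IdP that publishes no SLO endpoint at all.
SAMPLE_IDP_METADATA_NO_SLO = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp-noslo.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-noslo.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_endpoint(metadata_xml, binding=REDIRECT_BINDING):
    """Location of the IdP's SingleLogoutService for `binding`, or None if the IdP
    publishes none (then only a local SP logout is possible)."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleLogoutService", MD_NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def _attr(value):
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_logout_request(sp_entity_id, destination, name_id, session_index,
                         name_id_format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"):
    """Return (request_id, xml). The ID gets a leading underscore to be a valid xs:ID."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{_attr(destination)}">'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
        f'<saml:NameID Format="{_attr(name_id_format)}">{escape(name_id)}</saml:NameID>'
        f'<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>'
        '</samlp:LogoutRequest>'
    )
    return request_id, xml


def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_b64(value):
    """Inverse of deflate_b64: what the IdP does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def logout_redirect_url(metadata_xml, sp_entity_id, name_id, session_index, relay_state):
    """URL to redirect the browser to, or None if the IdP has no Redirect-binding SLO endpoint.
    RelayState carries the return-to reference; SAML caps it at 80 bytes, so pass an opaque
    key that the SP maps back to the real return URL, not the URL itself."""
    destination = slo_endpoint(metadata_xml)
    if destination is None:
        return None
    if len(relay_state.encode("utf-8")) > 80:
        raise ValueError("RelayState must not exceed 80 bytes")
    _, xml = build_logout_request(sp_entity_id, destination, name_id, session_index)
    query = urlencode({"SAMLRequest": deflate_b64(xml), "RelayState": relay_state})
    return f"{destination}?{query}"


def parse_logout_request(url):
    """Decode the SAMLRequest from a redirect URL and return its key fields (for inspection)."""
    params = parse_qs(urlsplit(url).query)
    root = ET.fromstring(inflate_b64(params["SAMLRequest"][0]))
    return {
        "tag": root.tag,
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "relay_state": params.get("RelayState", [None])[0],
    }
```

When the IdP answers, it sends a LogoutResponse back to the SP's own SingleLogoutService (the endpoint MODLOGSAML-94 is about); the SP must check the response's InResponseTo against the request_id it stored, and only then treat the IdP session as ended. Even then, per the Shibboleth warning below, the result is best-effort.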
WARNING:
https://wiki.shibboleth.net/confluence/display/IDP4/LogoutConfiguration : "SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed. It is deeply imperfect, minimally supported, and should not be viewed as a security feature or treated as reliable. Trivial and recommended browser settings can render it totally non-functional. It has no future. You should understand all of that before even considering it."
https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout
https://blog.bio-key.com/2016/06/20/saml-single-logout-need-to-know
https://medium.com/@BoweiHan/elijd-single-sign-on-saml-and-single-logout-624efd5a224
https://uit.stanford.edu/service/saml/logout : "some browsers can be configured to save sessions even if they are closed and then re-opened. For example, the Google Chrome browser can be set to 'Continue where you left off' which preserves sessions across browser restarts."
Interested parties:
Universidad de Zaragoza
Issue Links
- defines: UXPROD-3077 SAML Single Log Out (SLO) (Open)
- is cloned by: MODLOGSAML-94 Provide SLO (Single Log Out) endpoint to be called by SSO IdP (Closed)
- is cloned by: STCOR-532 Logout from FOLIO, keep SSO login (Closed)
- relates to: FOLIO-1233 Implement refresh tokens (Closed)
- relates to: MODAT-56 validate user deactivation when checking access token (Closed)