Uploaded image for project: 'mod-login-saml'
  1. mod-login-saml

SSO Logout does not destroy SAML session



    • CP: Roadmap backlog
    • 5
    • Core: Platform



      When SSO is configured in FOLIO and the user does logout, FOLIO should call the SSO SAML IdP logout endpoint.

      Steps to Reproduce:

      1. Log into some FOLIO environment where SSO is configured, for example https://folio-demo.gbv.de/ using login rick and password psych and all default options ("remember login", "ask me again if information to be provided to this service changes")
      2. In FOLIO go to the top right user menu and click "Log out"
      3. After logout the login page of the FOLIO instance opens.
      4. Click "Login via SSO"

      Expected Results:

      The SAML login page of the identity provider (IdP) opens and the user is asked to enter the credentials again.

      Actual Results:

      The identity provider (IdP) keeps an SSO login session that hasn't expired and allows the user to log into FOLIO (and any other app that uses SSO) without re-entering the credentials.

      Additional Information:

      When SSO is configured, the metadata file has the SingleLogout url of the SSO SAML IdP that should be used to generate a link with returnTo element.

      This issue is for adding a new log out menu entry that logs out from both FOLIO and the SSO SAML IdP.

      The issue STCOR-532 is for rewording the existing log out menu entry to warn that the SSO SAML IdP session is kept.

      The issue MODLOGSAML-94 is for adding an SLO (Single Log Out) endpoint, the SSO SAML IdP can then call FOLIO at this logout SP endpoint.

      The site used for the example above https://folio-demo.gbv.de/ is configured to use this identity provider (IdP) for SSO: https://samltest.id/


      https://wiki.shibboleth.net/confluence/display/IDP4/LogoutConfiguration : "SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed. It is deeply imperfect, minimally supported, and should not be viewed as a security feature or treated as reliable. Trivial and recommended browser settings can render it totally non-functional. It has no future. You should understand all of that before even considering it."


      https://uit.stanford.edu/service/saml/logout : "some browsers can be configured to save sessions even if they are closed and then re-opened. For example, the Google Chrome browser can be set to 'Continue where you left off' which preserves sessions across browser restarts."

      Interested parties:

      Universidad de Zaragoza

      TestRail: Results


          Issue Links



                cmcnally Craig McNally
                rfrancisco Rui Francisco
                0 Vote for this issue
                5 Start watching this issue



                  TestRail: Runs

                    TestRail: Cases