Details
- New Feature
- Status: Closed
- TBD
- Resolution: Won't Do
- CP: Roadmap backlog
- Core: Platform
Description
Task:
Add an SSO SAML logout endpoint to FOLIO. Some SSO SAML IdPs can call such a logout endpoint on all SSO SAML SPs that currently use the user's SSO session.
Warning:
https://wiki.shibboleth.net/confluence/display/IDP4/LogoutConfiguration : "SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed. It is deeply imperfect, minimally supported, and should not be viewed as a security feature or treated as reliable. Trivial and recommended browser settings can render it totally non-functional. It has no future. You should understand all of that before even considering it."
https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout
https://blog.bio-key.com/2016/06/20/saml-single-logout-need-to-know
https://medium.com/@BoweiHan/elijd-single-sign-on-saml-and-single-logout-624efd5a224
https://uit.stanford.edu/service/saml/logout : "some browsers can be configured to save sessions even if they are closed and then re-opened. For example, the Google Chrome browser can be set to 'Continue where you left off' which preserves sessions across browser restarts."
For these security reasons some institutions have a policy to NOT use SAML Single Log Out (SLO).
Interested parties:
Universidad de Zaragoza
Issue Links
- clones
  - MODLOGSAML-92 SSO Logout does not destroy SAML session (Closed)
- defines
  - UXPROD-3077 SAML Single Log Out (SLO) (Open)
- relates to
  - FOLIO-1233 Implement refresh tokens (Closed)
  - MODAT-56 validate user deactivation when checking access token (Closed)
  - STCOR-532 Logout from FOLIO, keep SSO login (Closed)
  - STCOR-580 Link to IdP's simple logout page (Blocked)