Details
New Feature
Status: Blocked
Resolution: Unresolved
Description
As a user that logs out of FOLIO I want the option to click a link that deletes the SAML SSO session.
Scenario 1:
Provided that the installation has enabled SAML SSO Login AND the SAML IdP has a simple logout URL
When I click "Logout from FOLIO, keep SSO login" menu entry
Then the screen has this text:
"If you want to delete the SAML SSO session, please go to [URL]. Note that this does NOT log you out from all other applications that use SAML SSO."
[URL] is a clickable link to the IdP's simple logout URL.
Scenario 2:
Provided that the installation has disabled SAML SSO Login OR the SAML IdP doesn't have a simple logout URL
When I click the FOLIO logout menu entry
Then the screen doesn't have the text required in Scenario 1.
Additional information:
STCOR-532 added the "Logout from FOLIO, keep SSO login" menu entry.
After clicking it I have two options:
- Keep the login session at the SAML SSO IdP so that I can use it for other (non-FOLIO) applications.
- Delete the login session at the SAML SSO IdP so that it cannot be used any longer, neither for FOLIO nor for other applications.
For the first option I don't need to do anything.
For the second option I need to open the SAML SSO IdP URL. Currently this requires entering the URL or opening a bookmark.
This story is for adding a link to the screen that is shown after I click the "Logout from FOLIO, keep SSO login" menu entry (or is always shown on that page, the login page).
Quote from https://uit.stanford.edu/service/saml/logout :
We recommend that your logout page have a link to the IdP's simple logout page with some text saying "If you want to delete the SAML SSO session, please click here". We do not recommend redirecting users to the simple logout page automatically as some users may want to logout of your site but still be able to access other SAML SSO pages without re-authenticating.
Finally, remember that having a logout feature on your site may lead users to believe (incorrectly) they have logged out of all of their SAML-authenticated applications.
Workaround:
Manually go to the IdP's simple logout URL: Enter the URL or call a browser bookmark.
Issue Links
- defines
  - UXPROD-3077 SAML Single Log Out (SLO) (Open)
- is blocked by
  - MODLOGSAML-168 Capture IdP's simple logout URL so Stripes can display it. (Open)
- relates to
  - MODLOGSAML-71 Login via SSO possible even after decryption of SAML assertions fails (Closed)
  - MODLOGSAML-94 Provide SLO (Single Log Out) endpoint to be called by SSO IdP (Closed)
  - STCOR-532 Logout from FOLIO, keep SSO login (Closed)