Logout on SAML without SLO


#1

Hi,

in my setup I have to use a Shibbloth server, which doesn’t provider SLO (single logout). If an user logs out from RC, the IDM token still exists and if the user forgets to close the browser, one can login again without any credentials. This is a security risk on public devices. Setting “Account/Forget User Session on Window Close” to “true” forces in my case Apps on mobile devices to login again quite often.

As well if the IDM provides SLO and “IDP SLO Redirect URL” is configured, a logout from RC results in a logout from all IDPs in federation.

A workaround might be to redirect the user to a warning page after local RC logout to close the browser (so the IDM token is deleted). But if the user just closes the browser, the local RC token still exists and one can login again without credentials too. I know this is a standard IDM dilemma, but a warning hint would be better than nothing.

Another idea could be not to create a different local RC token, but to use the IDM token for RC token as well. If the user logs out from RC, this token has to be kept for some time and marked as invalid. If the user doesn’t close the browser and relogin with the same old IDM token, the login could be blocked.

Any thoughts on this are very welcome :wink:

Ciao!
Marcus