Educause Security Discussion mailing list archives
Re: Logout of Federated Sessions
From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 11 May 2011 13:45:22 -0500
Yes. ADFS is a federated activity implementing SAML like Shibboleth, and generally you get a handoff. Generally, the problem is that the session check for the IDP is done at the start of the application session; then the service provider operates with a "normal set of session credentials". Logout to the central IDP is not what the logout button is designed to do in many applications.

This same kind of problem exists if you have services using Windows Integrated authentication. You can log on to an application, then log out. Then when you return to the site, Windows helpfully re-logs you back in as part of the communication negotiation.

Issues where I've seen this come up:
- Stale lab sessions
- Kiosks
- Not properly restarting the browser at the end of a session
- Developers

If you have a sensitive application, you can enforce a "recent" sign-on in many protocols by forcing a session to reauth the user.

The only approach I can think of that would make it somewhat easy is if you front-ended everything with a reverse proxy and then log out from the proxy. That's not very federated ;-(

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary - flynngn
Sent: Wednesday, May 11, 2011 1:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Logout of Federated Sessions

Does anyone know if commercial federation products like Microsoft and Oracle have the same logout issues that Shibboleth does?

https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+and+Application+Logout+Best+Practices
https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues
http://www.oit.uci.edu/idm/Access/Shibboleth/slo.php
https://fed-lab.org/best-practises/single-logout/
https://wiki.aai.niif.hu/index.php/ShibIdpSLO

--
Gary Flynn
Security Engineer
James Madison University
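The "recent sign-on" idea in the reply above (the SP keeps its own session after the IdP handoff, so for a sensitive action it must check how old the IdP authentication is and, if stale, force the IdP to re-authenticate) as an added illustration in SAML 2.0 terms; this is editor-added example code, not anything posted in the thread or shipped by Shibboleth or ADFS. It uses only the Python standard library; the assertion fragment, hostnames and IDs are constructed placeholders.

```python
# Added example, not from the thread: an SP-side "recent sign-on" check in SAML 2.0 terms.
# After the IdP handoff the SP runs on its own session, so before a sensitive action it
# compares the assertion's AuthnInstant with a maximum age and, when stale, sends a new
# AuthnRequest with ForceAuthn="true" so the IdP re-prompts instead of reusing its session.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample assertion fragment; IDs and hostnames are illustrative placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example_assertion" Version="2.0" IssueInstant="2011-05-11T17:30:05Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2011-05-11T17:30:00Z" SessionIndex="_example_session"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC timestamps with a trailing 'Z'."""
    return datetime.strptime(value, SAML_TIME).replace(tzinfo=timezone.utc)


def authn_age_seconds(assertion_xml: str, now_utc: str) -> float:
    """Seconds since the IdP authentication event recorded in the AuthnStatement."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion carries no AuthnStatement/AuthnInstant")
    return (parse_saml_time(now_utc) - parse_saml_time(stmt.attrib["AuthnInstant"])).total_seconds()


def needs_reauth(assertion_xml: str, max_age_seconds: int, now_utc: str) -> bool:
    """True when the user's IdP sign-on is older than the sensitive action allows."""
    return authn_age_seconds(assertion_xml, now_utc) > max_age_seconds


def build_force_authn_request(issuer: str, destination: str, request_id: str, now_utc: str) -> str:
    """Minimal AuthnRequest asking the IdP to re-authenticate (ForceAuthn) rather than reuse SSO."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now_utc}" '
        f'Destination="{destination}" ForceAuthn="true">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    NOW = "2011-05-11T18:45:00Z"  # constructed clock value for the demo
    if needs_reauth(SAMPLE_ASSERTION, 900, NOW):  # 15-minute freshness for a sensitive action
        print(build_force_authn_request("https://sp.example.edu/shibboleth",
                                        "https://idp.example.edu/sso", "_example_request", NOW))
```

In a real deployment the request would also be signed and delivered via the SP's configured binding; the point here is only the AuthnInstant comparison and the ForceAuthn flag.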