Educause Security Discussion mailing list archives

Re: Logout of Federated Sessions


From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 11 May 2011 13:45:22 -0500

Yes. ADFS is a federated activity implementing SAML like Shibboleth, and generally you get a handoff. Generally, the 
problem is that the session check for the IdP is done at the start of the application session; then the service provider operates with 
a "normal set of session credentials". Logout to the central IdP is not what the logout button is designed to do in 
many applications.

This same kind of problem exists if you have services using Windows Integrated authentication. You can log on to an 
application, then log out. Then when you return to the site, Windows helpfully re-logs you back in as part of the 
communication negotiation.

Issues where I've seen this come up:

- Stale Lab Sessions
- Kiosks - not properly restarting browser at end of session
- Developers

If you have a sensitive application, you can enforce a "recent" sign on in many protocols by forcing a session to 
reauth the user. The only approach I can think of that would make it somewhat easy is if you front-ended everything 
with a reverse proxy and then logout from the proxy.  That's not very federated ;-(
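The "force a session to reauth the user" idea above, as an added example that is not part of the list thread: in SAML 2.0 the service provider asks the IdP to ignore its existing SSO session by setting ForceAuthn="true" on the AuthnRequest, and it can decide when to do so by comparing the assertion's AuthnInstant against its own freshness window rather than trusting the local application session. The entity IDs, URLs and the sample response below are constructed placeholders, and the response is unsigned; a real SP validates signature, audience and conditions before reading AuthnInstant.

```python
"""Enforce a "recent" sign-on at a SAML 2.0 service provider.

Added example (not code from the list thread). Stdlib only; the
entity IDs and endpoints are placeholders for an example SP and IdP.
"""
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder identifiers (assumed, not real deployments).
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
ACS_URL = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"


def saml_time(dt):
    """Format a datetime as the UTC xs:dateTime form SAML uses."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(text):
    """Parse a UTC xs:dateTime, tolerating optional fractional seconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", text)
    if not m:
        raise ValueError(f"unsupported SAML timestamp: {text!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc)


def build_authn_request(force_authn=True, now=None):
    """Return an AuthnRequest document. ForceAuthn="true" tells the IdP to
    disregard its existing SSO session and re-authenticate the user."""
    now = now or datetime.now(timezone.utc)
    attrs = {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": saml_time(now),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")


def authn_instant(response_xml):
    """Extract AuthnInstant from the assertion's AuthnStatement. A real SP
    verifies the signature, audience and conditions before trusting it."""
    root = ET.fromstring(response_xml)
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("response carries no AuthnInstant")
    return parse_saml_time(stmt.attrib["AuthnInstant"])


def needs_reauth(last_authn, max_age_seconds, now=None):
    """True when the IdP authentication is older than the application
    allows, or lies in the future (clock skew or a tampered assertion)."""
    now = now or datetime.now(timezone.utc)
    age = (now - last_authn).total_seconds()
    return age > max_age_seconds or age < 0


# Constructed sample: the relevant fragment of an IdP response (unsigned).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2011-05-11T18:00:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-05-11T18:00:05Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2011-05-11T18:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    last = authn_instant(SAMPLE_RESPONSE)
    for later in ("2011-05-11T18:10:00Z", "2011-05-11T18:20:00Z"):
        now = parse_saml_time(later)
        print(later, "-> reauth needed:", needs_reauth(last, 15 * 60, now))
    # When a sensitive step finds the sign-on too old, redirect the browser
    # to the IdP with this request instead of trusting the local session.
    print(build_authn_request())
```

The application keeps its own session as before; what changes is that a sensitive operation consults needs_reauth and, when the sign-on is stale, sends the user back to the IdP with ForceAuthn set, so neither a cached IdP session nor the local application session alone lets the step through.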


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary - flynngn
Sent: Wednesday, May 11, 2011 1:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Logout of Federated Sessions

Does anyone know if commercial federation products like Microsoft and Oracle have the same logout issues that 
Shibboleth does?

https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+and+Application+Logout+Best+Practices
https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues
http://www.oit.uci.edu/idm/Access/Shibboleth/slo.php
https://fed-lab.org/best-practises/single-logout/
https://wiki.aai.niif.hu/index.php/ShibIdpSLO



--
Gary Flynn
Security Engineer
James Madison University
