SSO Logout does not destroy SAML session

Description

Overview:

When SSO is configured in FOLIO and the user logs out, FOLIO should call the SSO SAML IdP logout endpoint.

Steps to Reproduce:

  1. Log into some FOLIO environment where SSO is configured, for example https://folio-demo.gbv.de/ using login rick and password psych and all default options ("remember login", "ask me again if information to be provided to this service changes")

  2. In FOLIO go to the top right user menu and click "Log out"

  3. After logout the login page of the FOLIO instance opens.

  4. Click "Login via SSO"

Expected Results:

The SAML login page of the identity provider (IdP) opens and the user is asked to enter the credentials again.

Actual Results:

The identity provider (IdP) keeps an SSO login session that hasn't expired and allows the user to log into FOLIO (and any other app that uses SSO) without re-entering the credentials.

Additional Information:

When SSO is configured, the IdP metadata file contains the SingleLogout URL of the SSO SAML IdP; that URL should be used to generate a logout link with a returnTo element.
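As an added illustration of the metadata lookup described above (this is example code, not mod-login-saml or any other FOLIO code), the snippet below reads a constructed IdP metadata document, picks the SingleLogoutService endpoint for the HTTP-Redirect binding and builds the logout link with a returnTo parameter. The metadata XML, the entity IDs and the `returnTo` parameter name are assumptions taken from the issue text, not from a real IdP; a full SLO exchange additionally carries a signed LogoutRequest, which is outside what this issue describes.

```python
"""Added example: find the IdP SingleLogoutService in SAML metadata and
build the logout link the issue description refers to.  Not FOLIO code."""
from urllib.parse import urlencode, urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (hypothetical entity IDs and locations),
# reduced to the elements that matter for logout.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SLO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def find_single_logout_url(metadata_xml, binding=HTTP_REDIRECT):
    """Return the SingleLogoutService Location published for `binding`,
    or None when the IdP advertises no SLO endpoint for that binding
    (the case the issue's "Actual Results" then leaves the user in)."""
    # xml.etree does not resolve external entities, so untrusted metadata
    # cannot pull in local files through a DTD here.
    root = ET.fromstring(metadata_xml)
    for slo in root.iterfind("md:IDPSSODescriptor/md:SingleLogoutService", NS):
        if slo.get("Binding") == binding:
            return slo.get("Location")
    return None


def build_logout_link(metadata_xml, return_to):
    """Build the link FOLIO would redirect the browser to after clearing
    its own session.  Refuses a non-HTTPS endpoint so the logout request
    and the return target never travel in clear text."""
    slo_url = find_single_logout_url(metadata_xml)
    if slo_url is None:
        raise ValueError("IdP metadata has no HTTP-Redirect SingleLogoutService")
    if urlparse(slo_url).scheme != "https":
        raise ValueError("SingleLogoutService must be an https URL: " + slo_url)
    # 'returnTo' is the parameter name the issue text mentions (assumption).
    separator = "&" if "?" in slo_url else "?"
    return slo_url + separator + urlencode({"returnTo": return_to})


if __name__ == "__main__":
    print(build_logout_link(SAMPLE_METADATA, "https://folio.example.org/"))
```

Running the block prints the HTTP-Redirect SLO location with the FOLIO URL appended as an encoded `returnTo` value; an IdP whose metadata lacks a SingleLogoutService element makes `build_logout_link` raise instead of silently sending the browser back to a still-valid IdP session.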

This issue is for adding a new log out menu entry that logs out from both FOLIO and the SSO SAML IdP.

The issue is for rewording the existing log out menu entry to warn that the SSO SAML IdP session is kept.

The issue MODLOGSAML-94 is for adding an SLO (Single Log Out) endpoint, so that the SSO SAML IdP can call FOLIO at this SP logout endpoint.

The site used for the example above https://folio-demo.gbv.de/ is configured to use this identity provider (IdP) for SSO: https://samltest.id/

WARNING:

https://wiki.shibboleth.net/confluence/display/IDP4/LogoutConfiguration : "SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed. It is deeply imperfect, minimally supported, and should not be viewed as a security feature or treated as reliable. Trivial and recommended browser settings can render it totally non-functional. It has no future. You should understand all of that before even considering it."

https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout
https://blog.bio-key.com/2016/06/20/saml-single-logout-need-to-know
https://medium.com/@BoweiHan/elijd-single-sign-on-saml-and-single-logout-624efd5a224

https://uit.stanford.edu/service/saml/logout : "some browsers can be configured to save sessions even if they are closed and then re-opened. For example, the Google Chrome browser can be set to 'Continue where you left off' which preserves sessions across browser restarts."

Interested parties:

Universidad de Zaragoza

Environment

None

Potential Workaround

None


Activity


Julian Ladisch, May 17, 2021 at 3:00 PM

The FOLIO security team reviewed this. Having a policy NOT to use single log out can be secure. Therefore this issue is a feature, not a bug.

Institutions that want to use single log out should rank and give points to .


Former user, April 23, 2021 at 9:47 AM

This issue is about security of the users using SSO and it should be solved as soon as possible.

Khalilah Gambrell, April 20, 2021 at 6:41 PM

I prefer we wait for this story to be implemented before we (stripes-force) implement this story https://folio-org.atlassian.net/browse/STCOR-532

Won't Do

Development Team

Core: Platform


Created March 23, 2021 at 2:47 PM
Updated July 7, 2022 at 3:50 PM
Resolved July 7, 2022 at 3:50 PM