Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)
(UXPROD-778)
| Status: | Open |
| Project: | UX Product |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Parent: | Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper) |
| Type: | New Feature |
| Priority: | TBD |
| Reporter: | Julian Ladisch |
| Assignee: | Unassigned |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Potential Workaround: | Educate users how to clear the browser's cookie and storage state. This includes |
| Epic Link: | Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper) |
| Development Team: | None |
| PO Rank: | 0 |
| Rank: Cornell (Full Sum 2021): | R2 |
| Description |

a) When a user logs out, FOLIO should call the SSO SAML IdP logout endpoint:
b) FOLIO should provide an SSO SAML SP logout endpoint that the IdP can call:

WARNING: https://wiki.shibboleth.net/confluence/display/IDP4/LogoutConfiguration : "SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed. It is deeply imperfect, minimally supported, and should not be viewed as a security feature or treated as reliable. Trivial and recommended browser settings can render it totally non-functional. It has no future. You should understand all of that before even considering it."
https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
https://uit.stanford.edu/service/saml/logout : "some browsers can be configured to save sessions even if they are closed and then re-opened. For example, the Google Chrome browser can be set to 'Continue where you left off' which preserves sessions across browser restarts."

For these security reasons some institutions have a policy to NOT use SAML Single Log Out (SLO); they should rank this issue R5.
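The two halves of SAML Single Logout that the description asks for, (a) the SP sending a LogoutRequest to the IdP and (b) the SP endpoint that accepts a LogoutRequest from the IdP, as an added example written for this page. It is not FOLIO code and not from the ticket; the entity IDs, endpoint URLs, session store and the `cfg` dictionary are constructed for illustration. It uses only the Python standard library and deliberately omits XML signing and signature verification, which a real SP must do before trusting anything in an IdP-initiated request. The security-relevant point it encodes is the one the Shibboleth warning makes: the local session is terminated first and unconditionally, and the IdP round trip is treated as best effort.

```python
"""SAML 2.0 Single Logout on the SP side (constructed example, stdlib only).
Assumption: XML signatures are not generated or verified here; a production SP
must sign its requests and verify the IdP's signature before acting on them."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
CLOCK_SKEW = timedelta(minutes=3)
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(text):
    # Fractional seconds are allowed by the SAML profile; drop them before parsing.
    return datetime.strptime(text.split(".")[0].rstrip("Z") + "Z",
                             "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SessionStore:
    """In-memory SP session table, SessionIndex -> NameID (constructed for the example)."""

    def __init__(self):
        self.sessions = {}

    def add(self, session_index, name_id):
        self.sessions[session_index] = name_id

    def terminate_matching(self, name_id, session_index=None):
        """Remove this subject's sessions (all of them, or just one SessionIndex)."""
        doomed = [i for i, n in self.sessions.items()
                  if n == name_id and session_index in (None, i)]
        for i in doomed:
            del self.sessions[i]
        return len(doomed)


def build_logout_request(issuer, destination, name_id, session_index, now):
    """Build a LogoutRequest; the SP uses it, and the test uses it to play the IdP."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _iso(now),
        "Destination": destination, "NotOnOrAfter": _iso(now + CLOCK_SKEW)})
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return req_id, ET.tostring(root, encoding="unicode")


def redirect_binding_url(endpoint, xml, param="SAMLRequest", relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as a query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    params = {param: base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


def decode_redirect_binding(url, param="SAMLRequest"):
    """Inverse of redirect_binding_url, as the receiving party would do it."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs[param][0]), -15).decode()


def sp_initiated_logout(sessions, session_index, cfg, now):
    """(a) User clicks logout: kill the LOCAL session first, unconditionally, then
    send the best-effort LogoutRequest to the IdP. Returns the redirect URL,
    or None when there was no such session."""
    name_id = sessions.sessions.get(session_index)
    if name_id is None:
        return None
    sessions.terminate_matching(name_id, session_index)
    _, xml = build_logout_request(cfg["sp_entity_id"], cfg["idp_slo_url"],
                                  name_id, session_index, now)
    return redirect_binding_url(cfg["idp_slo_url"], xml)


def handle_idp_logout_request(xml, sessions, cfg, now):
    """(b) The IdP calls our SLO endpoint: validate the LogoutRequest, terminate the
    named session(s) only if it checks out, return (status, LogoutResponse XML)."""
    root = ET.fromstring(xml)
    name_id = root.findtext(f"{{{NS_SAML}}}NameID")
    session_index = root.findtext(f"{{{NS_SAMLP}}}SessionIndex")
    try:
        issued = _parse_iso(root.get("IssueInstant"))
        expiry = _parse_iso(root.get("NotOnOrAfter")) if root.get("NotOnOrAfter") else None
        fresh = abs(now - issued) <= CLOCK_SKEW and (expiry is None or now < expiry)
    except (AttributeError, ValueError):
        fresh = False  # missing or malformed timestamps: treat as stale
    ok = (root.tag == f"{{{NS_SAMLP}}}LogoutRequest"
          and root.findtext(f"{{{NS_SAML}}}Issuer") == cfg["idp_entity_id"]  # our IdP only
          and root.get("Destination") == cfg["sp_slo_url"]  # addressed to this endpoint
          and name_id is not None and fresh)
    if ok:
        sessions.terminate_matching(name_id, session_index)
    status = STATUS_SUCCESS if ok else STATUS_REQUESTER
    resp = ET.Element(f"{{{NS_SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now),
        "Destination": cfg["idp_slo_url"], "InResponseTo": root.get("ID", "")})
    ET.SubElement(resp, f"{{{NS_SAML}}}Issuer").text = cfg["sp_entity_id"]
    code = ET.SubElement(ET.SubElement(resp, f"{{{NS_SAMLP}}}Status"),
                         f"{{{NS_SAMLP}}}StatusCode")
    code.set("Value", status)
    return status, ET.tostring(resp, encoding="unicode")
```

The LogoutResponse returned by `handle_idp_logout_request` is sent back to the IdP with `redirect_binding_url(cfg["idp_slo_url"], resp_xml, param="SAMLResponse")`. Note that a request failing any check (foreign Issuer, wrong Destination, stale timestamps) leaves the local session untouched and answers with a Requester status; without signature verification this only defends against accidents, not against a forged request, which is why the omitted signature check is mandatory in a real deployment.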
| Comments |

| Comment by Julian Ladisch [ 10/Aug/21 ] |

Debra Howell: Please clarify why you ranked this to rank 2 for "Cornell (Full Sum 2021)".

| Comment by Debra Howell [ 11/Aug/21 ] |

Julian Ladisch: We ranked it R2 because while it wasn't critical for our go-live, we would like to have it soon after. I see you have quoted part of the FAQ from our central IT organization. However, it does not apply to FOLIO since FOLIO does not allow the token to ever expire even if the browser is closed. This is a security vulnerability, and we would like the ability to set when FOLIO logs out. Philip Robinson, our Security Liaison and Library Systems representative, can answer additional questions/requirements.

| Comment by Julian Ladisch [ 16/Aug/21 ] |

Access token expiration is on the R3 roadmap of the core platform team and has already been groomed: