Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper) (UXPROD-778)

[UXPROD-3077] SAML Single Log Out (SLO) Created: 17/May/21 Updated: 02/Nov/21

Status: Open
Project: UX Product
Components: None
Affects versions: None
Fix versions: None
Parent: Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)

Type: New Feature
Priority: TBD
Reporter: Julian Ladisch
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
  • is defined by MODLOGSAML-92 "SSO Logout does not destroy SAML session" (Closed)
  • is defined by MODLOGSAML-94 "Provide SLO (Single Log Out) endpoint..." (Closed)
  • is defined by STCOR-580 "Link to IdP's simple logout page" (Blocked)
Potential Workaround: Educate users on how to clear the browser's cookie and storage state. This includes STCOR-532.
Epic Link: Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)
Development Team: None
PO Rank: 0
Rank: Cornell (Full Sum 2021): R2

Description

a) When a user logs out, FOLIO should call the SSO SAML IdP logout endpoint: MODLOGSAML-92 (Closed)

b) FOLIO should provide an SSO SAML SP logout endpoint that the IdP can call: MODLOGSAML-94 (Closed)

WARNING:

https://wiki.shibboleth.net/confluence/display/IDP4/LogoutConfiguration : "SLO is a best-effort attempt to end relying party sessions without clearing the browser's cookie and storage state. Most browsers do not clear this state when closed. It is deeply imperfect, minimally supported, and should not be viewed as a security feature or treated as reliable. Trivial and recommended browser settings can render it totally non-functional. It has no future. You should understand all of that before even considering it."

https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
https://www.identityserver.com/articles/the-challenge-of-building-saml-single-logout
https://blog.bio-key.com/2016/06/20/saml-single-logout-need-to-know
https://medium.com/@BoweiHan/elijd-single-sign-on-saml-and-single-logout-624efd5a224

https://uit.stanford.edu/service/saml/logout : "some browsers can be configured to save sessions even if they are closed and then re-opened. For example, the Google Chrome browser can be set to 'Continue where you left off' which preserves sessions across browser restarts."


For these security reasons, some institutions have a policy of NOT using SAML Single Log Out (SLO); such institutions should rank this issue R5.

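Worked example of the two halves of the description, added here and not taken from FOLIO or mod-login-saml: (a) the SP-initiated LogoutRequest FOLIO would send to the IdP's SLO endpoint, and (b) the SP SLO endpoint that receives the IdP's LogoutRequest, terminates the matching local sessions and answers with a LogoutResponse. The entity IDs, endpoint URLs and session table are constructed; XML signature verification and the HTTP-Redirect/POST binding encoding are assumed to be handled elsewhere. Because the IdP round-trip is best effort (see the warning above), the local FOLIO session is destroyed before the LogoutRequest is sent, not after the IdP replies.

```python
"""SAML 2.0 Single Logout (SLO) messages on the Service Provider side.

Added example, not FOLIO / mod-login-saml code. Entity IDs, URLs and the
session table are constructed; XML signature handling and the HTTP binding
encoding (deflate/base64 for Redirect, form POST) are assumed elsewhere.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed SP / IdP configuration (constructed values).
SP_ENTITY_ID = "https://folio.example.edu/sp"
SP_SLO_URL = "https://folio.example.edu/saml/slo"
IDP_SLO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"

# Constructed local session table: FOLIO session id -> SAML identifiers
# remembered from the login assertion.
SESSIONS = {
    "folio-sess-1": {"name_id": "alice@example.edu", "session_index": "_idx-1"},
    "folio-sess-2": {"name_id": "bob@example.edu", "session_index": "_idx-2"},
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(name_id, session_index, issuer=SP_ENTITY_ID,
                         destination=IDP_SLO_URL, request_id=None):
    """Serialise a samlp:LogoutRequest naming one principal and one session."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _now(),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def sp_logout(session_id, store=SESSIONS):
    """Case a): the user clicks logout in FOLIO.

    The local session is destroyed first; the returned LogoutRequest is then
    sent to the IdP's SLO endpoint. If that round-trip never completes, the
    FOLIO session is still gone (the part of SLO the SP fully controls)."""
    sess = store.pop(session_id)  # KeyError for an unknown session: nothing to do
    return build_logout_request(sess["name_id"], sess["session_index"])


def _logout_response(in_response_to, status_code):
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _now(),
        "InResponseTo": in_response_to,
        "Destination": IDP_SLO_URL,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    return ET.tostring(resp, encoding="unicode")


def handle_idp_logout_request(xml_text, store=SESSIONS):
    """Case b): the SP SLO endpoint the IdP calls when the IdP or another SP
    started the logout. Returns (terminated session ids, LogoutResponse XML).
    Signature verification must precede this in a deployed endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    request_id = root.get("ID", "")
    # Destination, when present, must name this endpoint; a request addressed
    # elsewhere is answered with a Requester error and no session is touched.
    if root.get("Destination") not in (None, SP_SLO_URL):
        return [], _logout_response(request_id, STATUS_REQUESTER)
    name_id = root.findtext(f"{{{SAML}}}NameID")
    if not name_id:
        return [], _logout_response(request_id, STATUS_REQUESTER)
    indexes = {e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")}
    # Terminate every local session of that principal that matches a listed
    # SessionIndex (all of them when the IdP lists none).
    ended = [sid for sid, s in store.items()
             if s["name_id"] == name_id
             and (not indexes or s["session_index"] in indexes)]
    for sid in ended:
        del store[sid]
    return ended, _logout_response(request_id, STATUS_SUCCESS)


if __name__ == "__main__":
    print(sp_logout("folio-sess-1"))
    incoming = build_logout_request("bob@example.edu", "_idx-2",
                                    issuer="https://idp.example.edu/idp",
                                    destination=SP_SLO_URL, request_id="_req-7")
    print(handle_idp_logout_request(incoming))
```

The handler answers a LogoutRequest addressed to a different endpoint with a Requester status and leaves every session in place; a deployed endpoint must additionally verify the IdP's signature on the request before terminating anything, since the local session table is the one thing the SP can reliably clear whatever the browser does afterwards.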
Comments
Comment by Julian Ladisch [ 10/Aug/21 ]

Debra Howell: Please clarify why you ranked this as rank 2 for "Cornell (Full Sum 2021)".

https://confluence.cornell.edu/display/SHIBBOLETH/Shibboleth+at+Cornell+Page says:

Does the Cornell Identity Provider provide a logout service?
No. Our IdP doesn't support logout because our credentials stick around until you close your browser. We usually recommend that you give the user instructions to quit the browser if they want to log out.

Comment by Debra Howell [ 11/Aug/21 ]

Julian Ladisch: We ranked it R2 because, while it wasn't critical for our go-live, we would like to have it soon after. I see you have quoted part of the FAQ from our central IT organization. However, it does not apply to FOLIO, since FOLIO does not allow the token to ever expire, even if the browser is closed. This is a security vulnerability, and we would like the ability to set when FOLIO logs out. Philip Robinson, our Security Liaison and Library Systems representative, can answer additional questions/requirements.

Comment by Julian Ladisch [ 16/Aug/21 ]

Access token expiration is on the R3 roadmap of the core platform team and has already been groomed:

  • MODAT-64 "Enforce access token expiration" (Closed)
  • MODAT-65 "Configurable access/refresh token expiration" (Closed)

Generated at Fri Feb 09 00:29:10 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.