Understood.
For 2, what happens if the user proceeds with the login? I mean he asks for a logout, but at the end he will end up being logged in once more?
We made some modifications to the plink code we use, as a GLO request on an expired session results in the error page.
In the SAML logout handler we just "return" instead of throwing an exception.
Original code (around line 513 in SAML2LogOutHandler.java):
{noformat}
Principal userPrincipal = httpServletRequest.getUserPrincipal();
if (userPrincipal == null) {
    throw logger.samlHandlerPrincipalNotFoundError();
}
{noformat}
Modified code:
{noformat}
Principal userPrincipal = httpServletRequest.getUserPrincipal();
if (userPrincipal == null) {
    // No local session (expired or never existed): ignore the GLO request
    // instead of failing with an error page.
    return;
}
{noformat}
Note that this has been tested in plink 2.5.2 –
Another possible modification is to use a dummy (fixed) username/principal (when the session has expired or does not exist). This will trigger the SAML global logout, and if the user is still logged in at the IDP, he will be logged out from all applications.
I guess this approach is not compliant with the specs and could be used by a third-party web app to log out a valid user (unless some checking is performed, e.g. referrer), BUT some people will argue that it is better to log out the user than to leave a session lingering without him knowing.
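The two options discussed in the comment above, as an added example that is not part of the original thread and not PicketLink code: a small stand-alone handler that, when a GLO request arrives without a local principal, either returns silently or starts a global logout with a fixed placeholder principal. The forced path is guarded by the same-origin check the comment mentions (Origin header first, Referer as fallback, fail closed when neither is present). The `LogoutRequest` interface, the `Policy`/`Outcome` enums, the placeholder name and `startGlobalLogout` are all hypothetical stand-ins introduced for the example; a real adapter would wrap `HttpServletRequest` and build the SAML LogoutRequest.

```java
import java.net.URI;
import java.security.Principal;
import java.util.Locale;
import java.util.Optional;

/**
 * Added example, not PicketLink code: how a logout handler can treat a GLO
 * request whose local session has already expired.
 */
public class ExpiredSessionLogoutHandler {

    /** Minimal view of the request (hypothetical); a servlet adapter would wrap HttpServletRequest. */
    public interface LogoutRequest {
        Optional<Principal> userPrincipal();
        Optional<String> header(String name);   // e.g. "Origin", "Referer"
    }

    /** SILENT_RETURN = just return (the thread's first patch); FORCED_GLOBAL_LOGOUT = dummy principal. */
    public enum Policy { SILENT_RETURN, FORCED_GLOBAL_LOGOUT }

    public enum Outcome { NORMAL_LOGOUT, NO_SESSION_IGNORED, GLOBAL_LOGOUT_STARTED, REJECTED_CROSS_SITE }

    /** Hypothetical fixed principal used only when no local session exists. */
    static final Principal PLACEHOLDER = () -> "expired-session-placeholder";

    private final Policy policy;
    private final String ownOrigin;   // scheme://host[:port] of this SP, lower-case

    public ExpiredSessionLogoutHandler(Policy policy, String ownOrigin) {
        this.policy = policy;
        this.ownOrigin = ownOrigin.toLowerCase(Locale.ROOT);
    }

    public Outcome handle(LogoutRequest req) {
        Optional<Principal> p = req.userPrincipal();
        if (p.isPresent()) {
            startGlobalLogout(p.get());
            return Outcome.NORMAL_LOGOUT;
        }
        switch (policy) {
            case SILENT_RETURN:
                // Equivalent of replacing the thrown exception with "return".
                return Outcome.NO_SESSION_IGNORED;
            case FORCED_GLOBAL_LOGOUT:
                // Without this check any third-party page could log the user out of everything.
                if (!sameOrigin(req)) {
                    return Outcome.REJECTED_CROSS_SITE;
                }
                startGlobalLogout(PLACEHOLDER);
                return Outcome.GLOBAL_LOGOUT_STARTED;
            default:
                throw new IllegalStateException("unknown policy " + policy);
        }
    }

    /** Origin is preferred (set by browsers on POST); Referer is the fallback. No header: fail closed. */
    private boolean sameOrigin(LogoutRequest req) {
        Optional<String> src = req.header("Origin");
        if (!src.isPresent()) {
            src = req.header("Referer");
        }
        if (!src.isPresent()) {
            return false;
        }
        try {
            URI u = URI.create(src.get().trim());
            if (u.getScheme() == null || u.getHost() == null) {
                return false;
            }
            String origin = u.getScheme() + "://" + u.getHost()
                    + (u.getPort() == -1 ? "" : ":" + u.getPort());
            return origin.toLowerCase(Locale.ROOT).equals(ownOrigin);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** Stand-in for building and sending the SAML LogoutRequest to the IdP. */
    protected void startGlobalLogout(Principal who) {
        System.out.println("starting SAML global logout for " + who.getName());
    }

    // Constructed sample requests: no principal, one from our own origin and one cross-site.
    public static void main(String[] args) {
        LogoutRequest ownSite = new LogoutRequest() {
            public Optional<Principal> userPrincipal() { return Optional.empty(); }
            public Optional<String> header(String n) {
                return "Referer".equals(n) ? Optional.of("https://sp.example.com/app/home") : Optional.empty();
            }
        };
        LogoutRequest crossSite = new LogoutRequest() {
            public Optional<Principal> userPrincipal() { return Optional.empty(); }
            public Optional<String> header(String n) {
                return "Origin".equals(n) ? Optional.of("https://evil.example.net") : Optional.empty();
            }
        };
        ExpiredSessionLogoutHandler forced =
                new ExpiredSessionLogoutHandler(Policy.FORCED_GLOBAL_LOGOUT, "https://sp.example.com");
        System.out.println(forced.handle(ownSite));    // GLOBAL_LOGOUT_STARTED
        System.out.println(forced.handle(crossSite));  // REJECTED_CROSS_SITE
        System.out.println(new ExpiredSessionLogoutHandler(Policy.SILENT_RETURN, "https://sp.example.com")
                .handle(ownSite));                     // NO_SESSION_IGNORED
    }
}
```

The origin check only narrows the problem: a page on the same origin can still trigger the forced logout, and Referer can be stripped by privacy settings, so with FORCED_GLOBAL_LOGOUT some legitimate requests will be rejected. That trade-off is the one the comment describes.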