
Our Java Spring application (SP) allows SSO integration for the clients. We have planned to introduce SLO (Single Logout) as part of the security audit requirement.

I have a doubt: if our application requests SLO from the IdP, do all of the particular customer's other open apps get logged out?

We don't want the customer's other applications to get logged out due to our application.

Kindly advise. Will the SAML SLO request only impact the service provider which requests the logout, or all the service providers which the customer logged in to with SSO?

Selvakumar

1 Answer

Typically single-logout (SLO) will cascade from one SP to the IdP back to all related child sessions at the other SPs. Depending on what IdP you use, you may be able to control that / be more fine-grained but you have to be careful you're not opening yourself up to any attacks (on orphaned sessions).

As per the SAML spec, the IdP has to inform all other session participants.

JaredMcAteer
David Brossard
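To make the cascade concrete, here is an added Python model (not code from the question's Spring app or from any real IdP) of an IdP that tracks session participants; it contrasts an SP-initiated SLO with a local-only logout that sends no LogoutRequest. The entity IDs, the NameID "alice" and the SessionIndex "idx-1" are constructed values.

```python
# Constructed model of SAML single-logout propagation (not a real IdP's code);
# the entity IDs, NameID "alice" and SessionIndex "idx-1" are made up.

class IdentityProvider:
    def __init__(self):
        self.sp_sessions = {}  # SP entity_id -> SessionIndexes with a live local session
        self.sessions = {}     # SessionIndex -> {"name_id", "participants", "active"}

    def sso_login(self, name_id, session_index, sp_id):
        # Every SP that receives an assertion for this session becomes a participant
        s = self.sessions.setdefault(
            session_index, {"name_id": name_id, "participants": set(), "active": True})
        s["participants"].add(sp_id)
        self.sp_sessions.setdefault(sp_id, set()).add(session_index)

    def handle_logout_request(self, from_sp, session_index):
        # SP -> IdP LogoutRequest: terminate the IdP session, then send a
        # LogoutRequest to every other participant, as the SAML SLO profile requires
        s = self.sessions.get(session_index)
        if s is None or not s["active"]:
            return []
        s["active"] = False
        others = sorted(s["participants"] - {from_sp})
        for sp_id in others:
            self.sp_sessions[sp_id].discard(session_index)  # IdP -> SP LogoutRequest
        return others

def build_env():
    idp = IdentityProvider()
    for sp_id in ("our-spring-app", "mail-app", "crm-app"):
        idp.sso_login("alice", "idx-1", sp_id)  # one SSO session used at all three SPs
    return idp

def still_logged_in(idp):
    return {sp_id: "idx-1" in live for sp_id, live in idp.sp_sessions.items()}

def sp_initiated_slo():
    # Our SP ends its local session and sends a LogoutRequest: the logout cascades
    idp = build_env()
    idp.sp_sessions["our-spring-app"].discard("idx-1")
    notified = idp.handle_logout_request("our-spring-app", "idx-1")
    return notified, still_logged_in(idp), idp.sessions["idx-1"]["active"]

def local_logout_only():
    # Our SP only drops its local session and sends nothing: other SPs stay
    # logged in, but the IdP session is left alive (the orphaned-session risk)
    idp = build_env()
    idp.sp_sessions["our-spring-app"].discard("idx-1")
    return still_logged_in(idp), idp.sessions["idx-1"]["active"]
```

`sp_initiated_slo()` shows the other two SPs losing their sessions as well, while `local_logout_only()` leaves them logged in but keeps the IdP session active.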
  • Thank you. By child session, do you mean if my app (e.g. Facebook) gets opened in multiple tabs of a browser by the customer? Is that what you call child sessions? Will only my app get logged out from the IdP completely, and if my customer opens a different app at the same time, like Gmail, using SSO, will that not get affected? Kindly advise. – Selvakumar Sep 01 '20 at 20:53
  • No - if you have an app open in multiple tabs they are all sharing the same session – David Brossard Sep 01 '20 at 22:01
  • I have checked the Okta SSO page, which says that they will not close other integrations for the SLO request? https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm#:~:text=Single%20Logout%20(SLO)%20is%20a,a%20Service%20Provider%20(SP). – Selvakumar Sep 01 '20 at 22:05
  • Do we have any way to prevent all other SPs from getting logged out due to this single logout request from our app? – Selvakumar Sep 01 '20 at 22:08
  • No, this is not the case; as per the SAML spec the IdP has to inform all other session participants. – Bernhard Thalmayr Sep 02 '20 at 11:07