Comments (2)
crewjam
commented on June 27, 2024
Okay, so I think the logout service conceptually in SAML is rather silly.
ref: http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/
At a high level, when a user wants to log out, the SP sends a logout request to the IDP. The IDP sends logout requests to all other SPs (except the one that made the request). The other SPs respond to the IDP, and the IDP responds to the users.
The spec says when an SP receives a logout request, it should invalidate the session. Now imagine the case where the implements it's local user session by issuing a signed token (i.e. JWT). There is effectively no way to invalidate a JWT once issued without introducing some kind of datastore you check against. the beauty of JWT is you don't have to read a database to auth a request.
Ugh!
So for now, the decision is to not implement logout
from saml.
james-async
commented on June 27, 2024
Any chance you could reconsider supporting logout? I'm not asking for full, but what about supporting sp-initiated logout. I see three possible paths and am advocating option 3 below:
- full support of logout
- support idp-initiated logout (as noted above this is silly)
- support crewjam driven logout to support the service provider that is using crewjam to initiate logout
I could possibly help with a patch but am uncertain of where to start -- where public API would be added.
from saml.
Related Issues (20)
- Response Destination Validation - Query Strings
- Trouble Getting Started as a Service Provider (from README) HOT 2
- Azure SAML2.0 not surport
- [question] idp example HOT 1
- Is this project still maintained? HOT 1
- Path property in CookieSessioProvider struct is missing
- ADFS HTTP-Artifact Signature
- Upgrade to use golang-jwt v5
- Why is the default SP signing algorithm SHA1
- bug: make logout request need add signature logic if `sp.SignatureMethod` is not empty. HOT 7
- Feature: IDP metadata URL should not be mandatory
- Should I fork a repo to receive the contribution [Or a community]
- Fail to authenticate on AzureAD when creating signed MakeAuthenticationRequest
- Externalize Login form
- How to log in by clicking on my app via Okta app?
- How to support multiple idp? HOT 1
- [Update Request] Update Project EOL component github.com/beevik/etree:v1.1.0
- can't figure out how to implement IDP initiated from IDP (for writing tests)
- How to create a SAML response with Response and Assertion signature
- How to handle IdP-initiated Single Logout (SLO) in the SP ? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from saml.