Possible to disable the invoking of Login/Logout handlers via browser address bar?

Cantor, Scott cantor.2 at osu.edu
Fri Aug 24 11:12:09 EDT 2012


On Aug 24, 2012, at 7:00 AM, "Andrew Webb" <andrew.webb at statpro.com> wrote:

> Our website lazily initiates SSO session by redirecting to /Shibboleth.sso/Login?entityId=X&forceAuthn=true|false. Similarly it terminates session by redirecting to /Shibboleth.sso/Logout?return=Y. When logging in, we use one of a number of different runtime criteria for determining the entity id of the IdP to use (e.g. hostname alias used to access our website), and for determining the value of forceAuthn. So... it's not ideal that the user can enter whatever they want for session initiation by manually editing the URL in the address bar and hitting Enter.

There is no option to prevent that. SP requests are not statefully correlated to the response, so enforcing use of ForceAuthn is something you do afterwards via maxTimeSinceAuthn or application rules.

Also, if the hostname is being used to determine the entityID, that property could be set via content setting based on the request URL and so not visible on the redirect. That doesn't prevent it being overridden however.

> Similarly it's not ideal (but not a train smash) that the user can terminate session at any time (with their own return address) via the address bar.

The return location can be constrained, as Peter noted.

-- Scott
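For readers following this thread, here is an added shibboleth2.xml fragment (not from the post or from the Shibboleth project) showing the two mitigations Scott describes: pinning the IdP per virtual host via RequestMapper content settings, and bounding authentication age with maxTimeSinceAuthn plus limiting Logout return targets with redirectLimit. Hostnames, entityIDs and the 300-second value are assumed placeholders.

```xml
<!-- Added illustrative fragment (SP 2.5-era attribute names); the rest of
     shibboleth2.xml is unchanged. All names/values below are assumptions. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

  <!-- Content settings keyed on the request hostname: the SP chooses the IdP
       from the vhost, so entityID never has to appear on the Login redirect.
       A user can still type ?entityID=... on /Shibboleth.sso/Login, which is
       why the Sessions-level limits below exist as the real backstop. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="alpha.example.org"
            entityID="https://idp-alpha.example.org/idp/shibboleth">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <!-- This alias requires fresh authentication on every session start -->
      <Host name="beta.example.org"
            entityID="https://idp-beta.example.org/idp/shibboleth"
            forceAuthn="true">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <!-- maxTimeSinceAuthn: reject assertions whose AuthnInstant is older than
         300 s, enforcing "recent login" even if forceAuthn was edited out.
         redirectLimit="exact": the Logout handler only honours return= URLs
         on the SP's own host, so a user-supplied return address is ignored. -->
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
              handlerSSL="true" cookieProps="https"
              maxTimeSinceAuthn="300" redirectLimit="exact">
      <SSO entityID="https://idp-alpha.example.org/idp/shibboleth">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
```

Because the SP does not correlate requests to responses, a session that arrives without ForceAuthn is caught by maxTimeSinceAuthn (or by application-side checks on the AuthnInstant attribute), not at the Login handler.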